CVE-2026-40325
Received Received - Intake

CSRF in Masa CMS Content Restoration

Vulnerability report for CVE-2026-40325, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the `cTrash.restore` function does not properly validate anti-CSRF tokens for content restoration requests. An attacker can trick a logged-in administrator to submit a forged request that restores deleted items from the trash and places them at an attacker-controlled location in the site structure through the parentid parameter. This can restore previously deleted malicious or outdated content, expose sensitive documents by moving them into publicly accessible locations, and disrupt site structure or content integrity. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and regularly empty the trash to reduce the amount of content available for unauthorized restoration.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-07-06
AI Q&A
2026-05-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
masa_cms masa_cms to 7.5.3 (exc)
masa_cms masa_cms 7.2.10
masa_cms masa_cms 7.3.15
masa_cms masa_cms 7.4.10
masa_cms masa_cms 7.5.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to restore previously deleted malicious or outdated content and expose sensitive documents by moving them into publicly accessible locations. This exposure of sensitive documents could potentially lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require the protection of sensitive personal or health information.

Additionally, the disruption of site structure or content integrity caused by this vulnerability may affect the reliability and security controls expected under these standards.

Executive Summary

The vulnerability exists in Masa CMS versions 7.5.2 and earlier, specifically in the cTrash.restore function. This function does not properly validate anti-CSRF tokens when restoring deleted content. As a result, an attacker can trick a logged-in administrator into submitting a forged request that restores deleted items from the trash.

The attacker can manipulate the parentid parameter to place restored content at an attacker-controlled location within the site structure.

Impact Analysis

This vulnerability can have several impacts:

  • Restoration of previously deleted malicious or outdated content.
  • Exposure of sensitive documents by moving them into publicly accessible locations.
  • Disruption of the site structure or content integrity.
Mitigation Strategies

To mitigate this vulnerability immediately, you should restrict access to the administrative backend to trusted users only.

Use browser isolation techniques for administrative sessions to reduce the risk of CSRF attacks.

Regularly empty the trash to minimize the amount of content that can be restored by an attacker.

Additionally, upgrade Masa CMS to one of the fixed versions: 7.2.10, 7.3.15, 7.4.10, or 7.5.3 as soon as possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40325. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart