CVE-2026-40325
Received Received - Intake
CSRF in Masa CMS Content Restoration

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the `cTrash.restore` function does not properly validate anti-CSRF tokens for content restoration requests. An attacker can trick a logged-in administrator to submit a forged request that restores deleted items from the trash and places them at an attacker-controlled location in the site structure through the parentid parameter. This can restore previously deleted malicious or outdated content, expose sensitive documents by moving them into publicly accessible locations, and disrupt site structure or content integrity. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and regularly empty the trash to reduce the amount of content available for unauthorized restoration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-18
AI Q&A
2026-05-07
EPSS Evaluated
2026-05-11
NVD
CVE-2026-40325
EUVD
EUVD-2026-28158
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
masa_cms masa_cms to 7.5.3 (exc)
masa_cms masa_cms 7.2.10
masa_cms masa_cms 7.3.15
masa_cms masa_cms 7.4.10
masa_cms masa_cms 7.5.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows an attacker to restore previously deleted malicious or outdated content and expose sensitive documents by moving them into publicly accessible locations. This exposure of sensitive documents could potentially lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require the protection of sensitive personal or health information.

Additionally, the disruption of site structure or content integrity caused by this vulnerability may affect the reliability and security controls expected under these standards.


Can you explain this vulnerability to me?

The vulnerability exists in Masa CMS versions 7.5.2 and earlier, specifically in the cTrash.restore function. This function does not properly validate anti-CSRF tokens when restoring deleted content. As a result, an attacker can trick a logged-in administrator into submitting a forged request that restores deleted items from the trash.

The attacker can manipulate the parentid parameter to place restored content at an attacker-controlled location within the site structure.


How can this vulnerability impact me? :

This vulnerability can have several impacts:

  • Restoration of previously deleted malicious or outdated content.
  • Exposure of sensitive documents by moving them into publicly accessible locations.
  • Disruption of the site structure or content integrity.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should restrict access to the administrative backend to trusted users only.

Use browser isolation techniques for administrative sessions to reduce the risk of CSRF attacks.

Regularly empty the trash to minimize the amount of content that can be restored by an attacker.

Additionally, upgrade Masa CMS to one of the fixed versions: 7.2.10, 7.3.15, 7.4.10, or 7.5.3 as soon as possible.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart