Which versions of Masa CMS are affected by CVE-2026-40174?

Masa CMS versions 7.5.2 and earlier contain a CSRF vulnerability in the address management function that allows attackers to manipulate administrator-controlled user contact records without explicit…. A patch is available.

How to fix or mitigate CVE-2026-40174?

Within 24 hours: Inventory all Masa CMS deployments and identify instances running versions 7.5.2 or earlier. Within 7 days: Upgrade to patched versions (7.2.10, 7.3.15, 7.4.10, or 7.5.3 depending on current branch). Within 30 days: Conduct audit of user address records modified during the vulnerability window to detect unauthorized changes; validate change logs for the cUsers.updateAddress function.

Masa CMS CVE-2026-40174

Q: What is the CVSS score of CVE-2026-40174?

CVE-2026-40174 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-28154 HIGH

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-05-06 security-advisories@github.com

CSRF

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch available

May 06, 2026 - 21:03 EUVD

Analysis Generated

May 06, 2026 - 20:31 vuln.today

CVE Published

May 06, 2026 - 20:16 nvd

HIGH 7.1

DescriptionNVD

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations.

An attacker can induce a logged-in administrator to submit a forged request that adds, modifies, or deletes user address records, including email addresses and phone numbers. This can be used to alter contact information, redirect organizational communications, and corrupt address data in the user directory. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, or deploy filtering rules to block forged requests to the affected endpoint

AnalysisAI

Cross-site request forgery (CSRF) in Masa CMS 7.5.2 and earlier allows remote attackers to manipulate user address records through forged requests when authenticated administrators interact with malicious content. The cUsers.updateAddress function lacks proper anti-CSRF token validation, enabling unauthorized addition, modification, or deletion of email addresses, phone numbers, and other contact data. …

RemediationAI

Within 24 hours: Inventory all Masa CMS deployments and identify instances running versions 7.5.2 or earlier. Within 7 days: Upgrade to patched versions (7.2.10, 7.3.15, 7.4.10, or 7.5.3 depending on current branch). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40174 vulnerability details – vuln.today

Back

Masa CMS CVE-2026-40174

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Masa CMS CVE-2026-40174

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code