Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion.
AnalysisAI
Cross-Site Request Forgery in Masa CMS trash management allows remote attackers to permanently delete all trashed content through a logged-in administrator. An attacker tricks an authenticated admin into visiting a malicious page that submits a forged trash-emptying request, bypassing CSRF protections and causing irreversible data loss across all pending-deletion content. The vulnerability affects default administrative interfaces without requiring special configuration. No active exploitation confirmed at time of analysis, though the attack technique is well-documented for CSRF vulnerabilities. EPSS data not available.
Technical ContextAI
Masa CMS is a content management system forked from Mura CMS, written in CFML (ColdFusion Markup Language). The cTrash.empty function handles permanent deletion of content items stored in the trash - typically a staged deletion area allowing content recovery before final removal. This vulnerability stems from CWE-352 (Cross-Site Request Forgery), where state-changing administrative operations lack synchronizer token validation. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:P) indicates network-accessible exploitation with low complexity requiring no attacker authentication, but dependent on user interaction (the administrator must trigger the forged request). The VI:H/VA:H ratings reflect high integrity and availability impact - permanent data destruction affecting content recoverability. CSRF attacks exploit the browser's automatic inclusion of session cookies with cross-origin requests, allowing attackers to piggyback on legitimate administrative sessions.
RemediationAI
Upgrade to patched versions immediately: 7.2.10, 7.3.15, 7.4.10, or 7.5.3 depending on current branch. The vendor has released fixes across all maintained versions, eliminating the missing token validation in cTrash.empty. See GitHub security advisory GHSA-9f35-q62j-vm5j at https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-9f35-q62j-vm5j for complete patch details. If immediate patching is not feasible, implement these specific compensating controls: restrict administrative backend access via IP allowlisting to known administrator networks (trade-off: reduces remote administration flexibility), enforce browser isolation or dedicated administrative workstations that never access untrusted content (trade-off: operational overhead and user training required), and verify database backup frequency meets recovery point objectives for content restoration (trade-off: backups provide recovery but not prevention). Deploy web application firewall rules to detect and block unusual POST requests to trash management endpoints from cross-origin sources, though this may cause false positives with legitimate administrative workflows. These mitigations reduce but do not eliminate risk - patching remains the only complete remediation.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28156