
Masa CMS CVE-2026-40309

EUVD-2026-28156 | Severity: HIGH (CVSS 4.0 base score 7.2)
Weakness: Cross-Site Request Forgery (CSRF) (CWE-352)
Published: 2026-05-06 by security-advisories@github.com

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None (the attacker needs no account; the victim administrator's session is what gets abused)
User Interaction: Passive (the administrator only has to load a page the attacker controls while logged in)
Vulnerable System Impact: Confidentiality None, Integrity High, Availability High
Subsequent System Impact: None

Lifecycle Timeline

CVE Published: May 06, 2026 - 20:16 (nvd)
Analysis Generated: May 06, 2026 - 20:32 (vuln.today)
Patch available: May 06, 2026 - 21:03 (EUVD)

Description (NVD)

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion.
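As an added example (not Masa CMS code and not its actual patch), the following Python model contrasts an admin trash-emptying handler that accepts any POST carrying a valid admin session cookie, the pattern the description attributes to cTrash.empty, with a hardened handler that validates a per-session anti-CSRF token (synchronizer token pattern) and also checks the browser's Sec-Fetch-Site header. The endpoint path /admin/trash/empty, the csrf_token form field, the sid cookie and the in-memory session store are assumptions for illustration; the constructed "forged" request models a browser that still attaches the session cookie on a cross-site POST, i.e. a cookie without a restrictive SameSite attribute.

```python
"""Added example, not Masa CMS code: a minimal model of an admin
"empty trash" endpoint in an unprotected form (authentication only,
the CWE-352 pattern described for cTrash.empty) and a hardened form
(anti-CSRF token plus Fetch Metadata check). Path, field names and
the session store are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    is_admin: bool
    # Generated per session and embedded in the admin UI's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


SESSIONS: dict = {}  # session cookie value -> Session (assumed in-memory store)
TRASH_PATH = "/admin/trash/empty"  # assumed path, not Masa's real route


def login(user: str, is_admin: bool = True) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user, is_admin)
    return sid


def admin_session(req: Request):
    s = SESSIONS.get(req.cookies.get("sid", ""))
    return s if s and s.is_admin else None


def empty_trash_unprotected(req: Request, trash: list) -> tuple:
    """Vulnerable pattern: a forged cross-site POST that the browser
    decorates with the admin's cookie looks exactly like a real one."""
    if req.method != "POST" or req.path != TRASH_PATH:
        return 404, "not found"
    if admin_session(req) is None:
        return 403, "forbidden"
    trash.clear()
    return 200, "trash emptied"


def empty_trash_protected(req: Request, trash: list) -> tuple:
    """Hardened: same authentication, then two independent CSRF checks."""
    if req.method != "POST" or req.path != TRASH_PATH:
        return 404, "not found"
    s = admin_session(req)
    if s is None:
        return 403, "forbidden"
    # Fetch Metadata: browsers set Sec-Fetch-Site on every request; "cross-site"
    # means another origin initiated it. A missing header (older client) is
    # tolerated only because the token check below still applies.
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "same-site", "none"):
        return 403, "cross-site request rejected"
    # Synchronizer token: the attacker's page cannot read the admin's token.
    # Constant-time comparison avoids a timing oracle on the token value.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), s.csrf_token.encode()):
        return 403, "missing or invalid anti-CSRF token"
    trash.clear()
    return 200, "trash emptied"


def run_scenarios() -> dict:
    """Replay constructed requests against both handlers.
    Returns {(handler, scenario): (status, items_left_in_trash)}."""
    results = {}
    for name, handler in (("unprotected", empty_trash_unprotected),
                          ("protected", empty_trash_protected)):
        sid = login("admin")
        token = SESSIONS[sid].csrf_token
        scenarios = {
            # Admin submits the real form from the admin UI.
            "legit": Request("POST", TRASH_PATH, {"sid": sid},
                             form={"csrf_token": token},
                             headers={"Sec-Fetch-Site": "same-origin"}),
            # Attacker page auto-submits a form: cookie attached by the browser
            # (assumes no restrictive SameSite), no token, cross-site.
            "forged": Request("POST", TRASH_PATH, {"sid": sid},
                              headers={"Sec-Fetch-Site": "cross-site"}),
            # Same-origin request with a guessed token: the token check alone stops it.
            "bad_token": Request("POST", TRASH_PATH, {"sid": sid},
                                 form={"csrf_token": "guess"},
                                 headers={"Sec-Fetch-Site": "same-origin"}),
        }
        for label, req in scenarios.items():
            trash = ["page-about-us", "news-2026-04", "draft-policy"]  # constructed
            status, _ = handler(req, trash)
            results[(name, label)] = (status, len(trash))
    return results


if __name__ == "__main__":
    for key, val in sorted(run_scenarios().items()):
        print(f"{key[0]:>11} / {key[1]:<9} -> HTTP {val[0]}, {val[1]} items left")
```

Running the block shows the unprotected handler emptying the trash for the forged request exactly as it does for the legitimate one, while the protected handler rejects both the forged cross-site request and the same-origin request with a wrong token and leaves the trashed items in place. The two checks are deliberately independent: the token defends clients that do not send Fetch Metadata, and the Sec-Fetch-Site check defends against a token that has leaked.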

Analysis (AI-generated)

Cross-Site Request Forgery in Masa CMS trash management (cTrash.empty) lets an attacker who can get a logged-in administrator to load a page they control permanently delete all trashed content. The attacker's page submits a forged trash-emptying request to the CMS; the administrator's browser attaches the session cookie, and because the handler does not validate an anti-CSRF token, the request is honored, causing irreversible loss of all content pending deletion. …


Remediation (AI-generated)

Within 24 hours: identify all Masa CMS instances in your environment and their versions, and schedule the upgrade to a fixed release (7.2.10, 7.3.15, 7.4.10, or 7.5.3 on the respective release line); document administrator access patterns and brief CMS administrators on how the attack works (a forged trash-emptying request submitted from a page they were lured into opening while logged in). Within 7 days: implement network-level controls restricting administrator access to trusted networks only and enforce multi-factor authentication for all CMS administrative accounts. Note that MFA does not stop CSRF, since the forged request rides a session that is already authenticated; it is defense in depth for the accounts, not a fix for this issue. Verify that database backups are current and restorable so that deleted content can be recovered. …


CVE-2026-40309 vulnerability details – vuln.today
