Skip to main content

Masa CMS CVE-2026-40325

| EUVDEUVD-2026-28158 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-06 security-advisories@github.com
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
May 06, 2026 - 21:03 EUVD
Analysis Generated
May 06, 2026 - 20:32 vuln.today
CVE Published
May 06, 2026 - 20:16 nvd
HIGH 8.7

DescriptionGitHub Advisory

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.restore function does not properly validate anti-CSRF tokens for content restoration requests. An attacker can trick a logged-in administrator to submit a forged request that restores deleted items from the trash and places them at an attacker-controlled location in the site structure through the parentid parameter. This can restore previously deleted malicious or outdated content, expose sensitive documents by moving them into publicly accessible locations, and disrupt site structure or content integrity.

This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and regularly empty the trash to reduce the amount of content available for unauthorized restoration.

AnalysisAI

Cross-site request forgery (CSRF) in Masa CMS 7.5.2 and earlier allows remote attackers to restore deleted content through administrator sessions. By tricking an authenticated administrator into clicking a malicious link, attackers can restore previously deleted items from trash and relocate them anywhere in the site structure via the parentid parameter. This enables exposure of sensitive documents by moving them to public areas, restoration of malicious content, or disruption of site integrity. Fixed versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3 are available. EPSS data not available; no confirmed active exploitation (CISA KEV) at time of analysis.

Technical ContextAI

Masa CMS is a Java-based content management system forked from Mura CMS. The vulnerability resides in the cTrash.restore function, which handles restoration of deleted content items from the CMS trash. The function fails to implement proper anti-CSRF token validation (CWE-352), allowing state-changing operations to be triggered via forged cross-site requests. The parentid parameter controls where restored content is placed in the site hierarchy, giving attackers control over content location. This is a classic CSRF weakness where privileged administrative actions lack synchronizer tokens or other origin verification mechanisms. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:P) indicates network-accessible exploitation with low complexity, requiring no attacker privileges but requiring user interaction (administrator must click malicious link or visit attacker-controlled page while authenticated).

RemediationAI

Primary fix: Upgrade to patched versions based on your current branch - 7.2.10, 7.3.15, 7.4.10, or 7.5.3. Download from the official Masa CMS GitHub repository and follow standard upgrade procedures, testing content restoration functionality post-upgrade to verify CSRF token enforcement. If immediate patching is not feasible, implement these compensating controls: (1) Restrict administrative backend access to specific IP addresses or VPN-only access, reducing attacker opportunity to target authenticated sessions - trade-off: operational friction for remote admins; (2) Enforce browser isolation for all administrative sessions using separate browsers or profiles never used for general web browsing, preventing cross-site attacks from untrusted sites - trade-off: requires admin training and discipline; (3) Regularly empty CMS trash to minimize restorable content available for abuse - trade-off: limits legitimate content recovery options; (4) Implement web application firewall (WAF) rules to detect and block requests to cTrash.restore lacking valid session tokens, though effectiveness depends on WAF capability to track application-level state. Vendor advisory at https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-3mpf-gq73-crxf provides additional context. None of these mitigations are as effective as patching - upgrade should be prioritized within standard patch cycle.

Share

CVE-2026-40325 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy