Which versions of Masa CMS are affected by CVE-2026-40326?

Masa CMS versions 7.5.2 and earlier contain a cross-site request forgery vulnerability that allows unauthenticated attackers to manipulate administrators into exporting site bundles containing…. A patch is available.

How to fix or mitigate CVE-2026-40326?

Within 24 hours: Inventory all Masa CMS deployments and identify installed versions (7.5.2 or earlier are vulnerable). Within 7 days: Upgrade to patched versions-7.5.x deployments to 7.5.3, 7.4.x to 7.4.10, 7.3.x to 7.3.15, or 7.2.x to 7.2.10. Within 30 days: Audit bundle export directories for any exported bundles created since deployment; rotate all administrative credentials; review access logs for unauthorized bundle downloads; implement access controls restricting bundle directory exposure.

Masa CMS CVE-2026-40326

Q: What is the CVSS score of CVE-2026-40326?

CVE-2026-40326 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-28161 HIGH

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-05-06 security-advisories@github.com

CSRF

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch available

May 06, 2026 - 21:03 EUVD

Analysis Generated

May 06, 2026 - 20:32 vuln.today

CVE Published

May 06, 2026 - 20:16 nvd

HIGH 7.1

DescriptionNVD

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in csettings.cfc does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions.

AnalysisAI

Cross-Site Request Forgery in Masa CMS allows unauthenticated attackers to force logged-in administrators to create site bundles containing sensitive data including password hashes, user accounts, and configuration details. The bundles are saved to predictable public directories where any unauthenticated attacker can download them. …

RemediationAI

Within 24 hours: Inventory all Masa CMS deployments and identify installed versions (7.5.2 or earlier are vulnerable). Within 7 days: Upgrade to patched versions-7.5.x deployments to 7.5.3, 7.4.x to 7.4.10, 7.3.x to 7.3.15, or 7.2.x to 7.2.10. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40326 vulnerability details – vuln.today

Back

Masa CMS CVE-2026-40326

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Masa CMS CVE-2026-40326

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code