Is there a patch available for CVE-2026-40332?

Yes, a patch is available for CVE-2026-40332. Update the affected software to the latest version immediately.

Masa CMS CVE-2026-40332

Q: What is the CVSS score of CVE-2026-40332?

CVE-2026-40332 has a CVSS 4.0 base score of 5.3 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-28216 MEDIUM

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2026-05-06 GitHub_M

Information Disclosure Open Redirect

5.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch available

May 06, 2026 - 22:03 EUVD

Analysis Generated

May 06, 2026 - 21:32 vuln.today

CVSS changed

May 06, 2026 - 21:22 NVD

5.3 (MEDIUM)

CVE Published

May 06, 2026 - 20:13 nvd

MEDIUM 5.3

DescriptionNVD

Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes (//) as internal paths, failing to validate the redirect target before processing. The application treats these values as internal paths and processes them without confirming that the redirect target remains on the local site.

An attacker can craft a URL on the trusted Masa CMS domain that redirects a victim to an external attacker-controlled site. This can be used for phishing and, in some authentication flows, may expose tokens or other sensitive data to the external site. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, reject or rewrite redirect parameters that begin with // and consider disabling forceDirectoryStructure if compatible with the deployment.

AnalysisAI

Open redirect vulnerability in Masa CMS allows unauthenticated remote attackers to craft malicious URLs on trusted Masa CMS domains that redirect victims to attacker-controlled sites via improper validation of scheme-relative URLs (paths beginning with //). This can be exploited for phishing attacks and potential token exposure in certain authentication flows. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40332 vulnerability details – vuln.today

Back

Masa CMS CVE-2026-40332

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

Masa CMS CVE-2026-40332

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code