CVE-2026-40309

Masa CMS CSRF in trash management allows unauthorized permanent deletion of deleted content

Assigner: GitHub_M
Reserved: 10.04.2026 Published: 06.05.2026 Updated: 06.05.2026

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.2

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	MasaCMS
Product	MasaCMS
Versions	Version < 7.2.10 is affected Version >= 7.3.0, < 7.3.15 is affected Version >= 7.4.0, < 7.4.10 is affected Version >= 7.5.0, < 7.5.3 is affected

Vendor

MasaCMS

Product

MasaCMS

Versions

Version < 7.2.10 is affected
Version >= 7.3.0, < 7.3.15 is affected
Version >= 7.4.0, < 7.4.10 is affected
Version >= 7.5.0, < 7.5.3 is affected

References

Problem Types

CWE-352: Cross-Site Request Forgery (CSRF) CWE

CVE-2026-40309 PUBLISHED

Masa CMS CSRF in trash management allows unauthorized permanent deletion of deleted content

Metrics

Product Status

References

Problem Types