Masa CMS CSRF in trash management allows unauthorized permanent deletion...

7.2 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion.

Basic Information

ID CVE-2026-40309

Source GitHub_M

Published May 6, 2026 at 19:42

Affected Product

Vendor MasaCMS

Product MasaCMS

Version < 7.2.10

Affected Versions MasaCMS MasaCMS < 7.2.10
MasaCMS MasaCMS >= 7.3.0, < 7.3.15
MasaCMS MasaCMS >= 7.4.0, < 7.4.10
MasaCMS MasaCMS >= 7.5.0, < 7.5.3

CWE Classification

CWE-352

References

github.com /MasaCMS/MasaCMS/security/advisories/GHSA-9f35-q62j-vm5j

{
    "lastseen": "",
    "description": "Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion.",
    "published": "2026-05-06T19:42:23.704Z",
    "modified": "2026-05-06T19:42:23.704Z",
    "type": "cve",
    "title": "Masa CMS CSRF in trash management allows unauthorized permanent deletion of deleted content",
    "source": "GitHub_M",
    "references": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-9f35-q62j-vm5j",
    "id": "CVE-2026-40309",
    "bulletinFamily": "",
    "cwe": [
        "CWE-352"
    ],
    "cvelist": null,
    "sourceData": "MasaCMS MasaCMS < 7.2.10\nMasaCMS MasaCMS >= 7.3.0, < 7.3.15\nMasaCMS MasaCMS >= 7.4.0, < 7.4.10\nMasaCMS MasaCMS >= 7.5.0, < 7.5.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MasaCMS",
    "version": "< 7.2.10",
    "vendor": "MasaCMS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Masa CMS CSRF in trash management allows unauthorized permanent deletion of deleted content_CVE-2026-40309