PT-2026-38226 · Masacms · Masacms

High

guustnieuwenhuis

·

Published

2026-05-06

·

Updated

2026-05-07

·

CVE-2026-40174

CVSS v4.0

7.1

High

Vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Masa CMS versions prior to 7.2.10

Masa CMS versions prior to 7.3.15

Masa CMS versions prior to 7.4.10

Masa CMS versions prior to 7.5.3
Description

The cUsers.updateAddress() function fails to properly validate anti-CSRF (Cross-Site Request Forgery) tokens during user address management operations. An attacker who lures an authenticated administrator to a page under the attacker's control can have the administrator's browser submit a forged request, carrying the administrator's session cookie, that adds, modifies, or deletes user address records such as email addresses and phone numbers. This can corrupt user directory data and redirect organizational communications to attacker-chosen addresses.
Recommendations

Update to version 7.2.10 (7.2 branch), 7.3.15 (7.3 branch), 7.4.10 (7.4 branch) or 7.5.3 (7.5 branch).

Restrict access to the administrative backend.

Use browser isolation for administrative sessions.

Deploy filtering rules to block forged requests to the affected endpoint, for example by rejecting POST requests to it whose Origin (or, failing that, Referer) header does not match the CMS's own origin.
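The weakness class above, as an added example that is not Masa CMS code: a state-changing "update address" handler that relies on the administrator's session alone, beside a hardened version that checks the request origin and verifies the per-session anti-CSRF token. The Request and Session model, the handler names, the sample directory entries and the ALLOWED_ORIGINS value are assumptions made for this illustration.

```python
# Added example (not Masa CMS code): an "update address" handler with the
# weakness class described in this advisory, beside a hardened one.
# The Request/Session model, handler names, sample data and ALLOWED_ORIGINS
# are assumptions made for this illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Session:
    """Server-side session; the anti-CSRF token is bound to the session."""
    user_id: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: dict        # submitted form fields
    headers: dict     # request headers as the browser sent them
    session: Session  # resolved from the session cookie the browser attached


# In-memory stand-in for the user directory (constructed for the example).
ADDRESSES = {"u-1001": {"email": "alice@example.internal", "phone": "+1-555-0100"}}

ALLOWED_ORIGINS = {"https://cms.example.internal"}  # assumed CMS origin


def vulnerable_update_address(req: Request) -> int:
    """Only the admin session is checked: a cross-site POST that the browser
    sends with the admin's cookie is accepted whether or not a token is present."""
    if req.method != "POST" or not req.session.is_admin:
        return 403
    ADDRESSES[req.form["userid"]] = {"email": req.form["email"], "phone": req.form["phone"]}
    return 200


def fixed_update_address(req: Request) -> int:
    """Same handler with the two checks a CSRF defence needs."""
    if req.method != "POST" or not req.session.is_admin:
        return 403
    # 1. Origin (falling back to Referer) must be the CMS itself. Compare the
    #    full scheme://host rather than a string prefix, so a host such as
    #    cms.example.internal.attacker.example is rejected; fail closed when
    #    neither header is present.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return 403
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" not in ALLOWED_ORIGINS:
        return 403
    # 2. The submitted token must equal the one bound to this session. A
    #    constant-time comparison avoids leaking the token through timing.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return 403
    ADDRESSES[req.form["userid"]] = {"email": req.form["email"], "phone": req.form["phone"]}
    return 200


def simulate_forged_request() -> tuple:
    """The admin visits an attacker page that auto-submits a form to the CMS.
    The browser attaches the admin's session cookie, but the attacker cannot
    read the per-session token, so the form carries none. Returns (vuln, fixed)."""
    admin = Session(user_id="admin", is_admin=True)
    forged = Request(
        method="POST",
        form={"userid": "u-1001", "email": "attacker@evil.example", "phone": "+1-555-0199"},
        headers={"Origin": "https://evil.example"},
        session=admin,
    )
    return vulnerable_update_address(forged), fixed_update_address(forged)


def simulate_legitimate_request() -> int:
    """A same-origin form that includes the session's token is still accepted."""
    admin = Session(user_id="admin", is_admin=True)
    legit = Request(
        method="POST",
        form={"userid": "u-1001", "email": "alice@example.internal",
              "phone": "+1-555-0100", "csrf_token": admin.csrf_token},
        headers={"Origin": "https://cms.example.internal"},
        session=admin,
    )
    return fixed_update_address(legit)


if __name__ == "__main__":
    print(simulate_forged_request())      # (200, 403)
    print(simulate_legitimate_request())  # 200
```

The origin check is what the "filtering rules" recommendation amounts to at the application layer and can be applied in front of the unpatched endpoint; it fails closed when no Origin or Referer is sent, which browsers do include on cross-site form POSTs. It is a compensating control only: the token check in the patched versions is the actual fix.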

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-40174

Affected Products

Masacms