PT-2026-38227 · Masacms · Masacms
Highguustnieuwenhuis
·
Published
2026-05-06
·
Updated
2026-05-07
·
CVE-2026-40309
CVSS v4.0
7.2
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Masa CMS versions prior to 7.2.10
Masa CMS versions prior to 7.3.15
Masa CMS versions prior to 7.4.10
Masa CMS versions prior to 7.5.3
Description
The cTrash.empty() function fails to validate anti-CSRF (Cross-Site Request Forgery) tokens for trash management requests. This allows an attacker to trick an authenticated administrator into submitting a forged request that empties the trash, resulting in the permanent deletion of all deleted content and irreversible data loss.
Recommendations
Update to version 7.2.10.
Update to version 7.3.15.
Update to version 7.4.10.
Update to version 7.5.3.
Restrict access to the administrative backend.
Use browser isolation for administrative sessions.
Maintain current database backups to recover from unauthorized deletion.
Fix
CSRF
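The missing check described above, as an added illustration in Python (not Masa CMS's own CFML code and not the project's patch): a trash-empty handler gated only by the session, beside one that also validates a per-session synchronizer token. The session object, form fields and trash contents are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AdminSession:
    """Constructed stand-in for an authenticated admin session."""
    user: str
    trash: list = field(default_factory=list)
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def empty_trash_vulnerable(session: AdminSession, form: dict) -> int:
    """Pattern the advisory describes: the only gate is the session cookie,
    which the browser attaches to a cross-site request automatically, so a
    forged form submission from any page the admin visits is accepted."""
    purged = len(session.trash)
    session.trash.clear()
    return purged


def empty_trash_hardened(session: AdminSession, form: dict) -> int:
    """Synchronizer-token check: the request must carry the per-session token
    embedded in the trash page the admin actually loaded. A cross-site page
    cannot read that token (same-origin policy), so the forgery is refused."""
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        raise PermissionError("missing or invalid anti-CSRF token")
    purged = len(session.trash)
    session.trash.clear()
    return purged


def simulate(handler) -> tuple:
    """Send one forged request (no token) and one legitimate request through
    `handler`; return (items lost to the forgery, items still in the victim's
    trash, items removed by the legitimate submit)."""
    victim = AdminSession("admin", trash=["page-1", "page-2", "page-3"])
    forged = {"action": "empty"}  # all a cross-site form can supply
    try:
        lost = handler(victim, forged)
    except PermissionError:
        lost = 0
    legit_session = AdminSession("admin", trash=["draft-9"])
    legit = {"action": "empty", "csrf_token": legit_session.csrf_token}
    return lost, len(victim.trash), handler(legit_session, legit)
```

Running `simulate` with each handler shows the forged request wiping the trash in the vulnerable variant and being rejected, with the trash intact, in the hardened one.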
Affected Products
Masacms