CVE-2026-40326

EPSS 0.16%
Veröffentlicht 06.05.2026 20:16:32
Zuletzt bearbeitet 06.05.2026 21:22:50
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Masa CMS CSRF in site bundle creation allows unauthorized site data export

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerMasaCMS

≫

Produkt MasaCMS

Version < 7.2.10

Status affected

Version >= 7.3.0, < 7.3.15

Status affected

Version >= 7.4.0, < 7.4.10

Status affected

Version >= 7.5.0, < 7.5.3

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.05

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-622v-h7vf-w4gm

https://nvd.nist.gov/vuln/detail/CVE-2026-40326

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40326

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40326

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40326