CSRF in Masacms

CVE-2026-40309

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to su…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.000 (7.4th percentile) — read the EPSS interpretation.

Affected products

  • Masacms — versions < 7.2.10, >= 7.3.0, < 7.3.15, >= 7.4.0, < 7.4.10

Weakness classification (CWE)

References