CSRF in Masacms
CVE-2026-40326
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a…
Vulnerability class: CSRF (Cross-Site Request Forgery)
EPSS: 0.000 (9.9th percentile) — read the EPSS interpretation.
Affected products
- Masacms — versions < 7.2.10, >= 7.3.0, < 7.3.15, >= 7.4.0, < 7.4.10
Weakness classification (CWE)
References
- https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-622v-h7vf-w4gm (x_refsource_CONFIRM)