Open Redirect in Masacms

CVE-2026-40332

Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes (//) as internal paths, failing to validate the redirect ta…

Vulnerability class: Open Redirect

EPSS: 0.001 (23.5th percentile) — read the EPSS interpretation.

Affected products

Masacms — versions < 7.2.10, >= 7.3.0, < 7.3.15, >= 7.4.0, < 7.4.10

Weakness classification (CWE)

CWE-601 — URL Redirection to Untrusted Site (Open Redirect)

References

https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-xw99-h3mw-wj47 (x_refsource_CONFIRM)