Description
MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crafted webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent.
Published: 2026-03-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Irreversible data loss (permanent deletion of all trashed content)
Action: Immediate Patch
AI Analysis

Impact

A missing CSRF token validation in the cTrash.empty function permits attackers to craft a malicious webpage that, when visited by an authenticated administrator, causes the browser to automatically submit a hidden form and permanently empty the entire trash system. The loss is irreversible and can be catastrophic for the CMS, as all deleted content is permanently removed without confirmation or user consent. This flaw is categorized as Cross-Site Request Forgery (CWE-352).
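The missing control described above is the synchronizer-token check that a state-changing handler such as an "empty trash" action must perform before acting. The following is an added illustration in Python, not MuraCMS's own code (Mura's cTrash.empty is not reproduced here); the session store, handler names, header names and the `https://cms.example` site origin are constructed for the example. It shows the per-session token being issued, a forged cross-site submission being refused because it cannot carry the token, and a legitimate same-origin submission being accepted, with an Origin / Sec-Fetch-Site check as defense in depth.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create (or reuse) a per-session synchronizer token.

    The server embeds this token as a hidden field in every form that
    triggers a state change; a third-party page cannot read it.
    (session is a constructed dict standing in for a real session store.)
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_request_allowed(session, headers, form, site_origin):
    """Decide whether a state-changing request may proceed.

    Returns (allowed, reason). Token comparison is constant-time so the
    check itself does not leak the token through timing.
    """
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False, "missing csrf token"
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "csrf token mismatch"
    # Defense in depth: refuse requests the browser marks as cross-site,
    # or whose Origin is not this site. Both headers are optional, so
    # their absence alone is not treated as a failure; the token is the
    # primary control.
    sec_fetch_site = headers.get("Sec-Fetch-Site")
    if sec_fetch_site and sec_fetch_site not in ("same-origin", "same-site", "none"):
        return False, "cross-site fetch"
    origin = headers.get("Origin")
    if origin and origin != site_origin:
        return False, "origin mismatch"
    return True, "ok"


def handle_empty_trash(session, headers, form, trash, site_origin="https://cms.example"):
    """Hypothetical 'empty trash' handler that only acts when CSRF checks pass.

    trash is a constructed list of trashed item ids, cleared in place on success.
    """
    allowed, reason = csrf_request_allowed(session, headers, form, site_origin)
    if not allowed:
        return {"status": 403, "reason": reason, "remaining": len(trash)}
    trash.clear()
    return {"status": 200, "reason": "emptied", "remaining": 0}


def demo():
    """Run a forged request, a guessed-token request and a legitimate one.

    Returns the three handler results in that order.
    """
    session = {"user": "admin"}              # constructed logged-in admin session
    trash = ["page-17", "page-42", "asset-9"]  # constructed trash contents
    token = issue_csrf_token(session)         # admin has loaded the real admin UI

    # A hidden form auto-submitted from an attacker-controlled page: the browser
    # attaches the admin's session cookie, but the form carries no token.
    forged_headers = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}
    forged = handle_empty_trash(session, forged_headers, {}, trash)

    # Same, but with a guessed token value: rejected by the constant-time compare.
    guessed = handle_empty_trash(session, forged_headers, {"csrf_token": "guess"}, trash)

    # A legitimate submission from the CMS's own admin form, carrying the token.
    legit_headers = {"Origin": "https://cms.example", "Sec-Fetch-Site": "same-origin"}
    legit = handle_empty_trash(session, legit_headers, {"csrf_token": token}, trash)
    return forged, guessed, legit


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The token check runs before the header checks so that a request is refused on the primary control first; the Origin and Sec-Fetch-Site checks only add coverage for browsers that send them. A confirmation dialog on the admin side, which the description notes is also absent, is a usability safeguard and not a substitute for the server-side token check, since a forged request never shows the administrator a dialog at all.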

Affected Systems

All installations of MuraCMS up to and including version 10.1.10 are affected. The vendor is MuraSoftware and the product is MuraCMS. Users should verify their version and consider upgrading if they are running 10.1.10 or older.

Risk and Exploitability

The vulnerability carries a high CVSS score of 8.1 and a low EPSS probability of less than 1%, and it has not been registered in the CISA KEV catalog. Exploitation requires that an attacker convince an authenticated administrator to visit a malicious page; the attacker needs no privileges of their own (PR:N in the vector), because the forged request rides on the administrator's existing session. Merely loading the crafted page in the administrator's browser triggers the deletion, making the risk substantial for any site with logged-in admins. The impact is confined to the CMS's deleted-content area, but the loss of data is permanent and could compromise business continuity.

Generated by OpenCVE AI on March 20, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to MuraCMS version 10.1.14 or later to eliminate the CSRF flaw.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 18:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*

Thu, 19 Mar 2026 14:15:00 +0000

Type: Weaknesses
Values added: CWE-352

Type: Metrics
Values added:
cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values added: Murasoftware; Murasoftware mura Cms

Type: Vendors & Products
Values added: Murasoftware; Murasoftware mura Cms

Wed, 18 Mar 2026 16:15:00 +0000

Type: Description
Values added: MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crafted webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-19T13:56:51.272Z

Reserved: 2025-08-06T00:00:00.000Z

Link: CVE-2025-55046

Vulnrichment

Updated: 2026-03-19T13:56:44.757Z

NVD

Status : Analyzed

Published: 2026-03-18T16:16:23.790

Modified: 2026-03-20T18:10:09.260

Link: CVE-2025-55046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:09Z

Weaknesses