Description
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the `cTrash.restore` function does not properly validate anti-CSRF tokens for content restoration requests. An attacker can trick a logged-in administrator to submit a forged request that restores deleted items from the trash and places them at an attacker-controlled location in the site structure through the parentid parameter. This can restore previously deleted malicious or outdated content, expose sensitive documents by moving them into publicly accessible locations, and disrupt site structure or content integrity.

This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and regularly empty the trash to reduce the amount of content available for unauthorized restoration.
Published: 2026-05-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw in the content restoration feature of Masa CMS. Because the restoration endpoint does not validate anti‑CSRF tokens, an attacker can trick a logged‑in administrator into submitting a forged request that restores deleted items. Restored content can be placed at an attacker‑controlled location via the parentid parameter, allowing the attacker to re‑introduce previously removed malicious or outdated content, expose sensitive documents in publicly accessible locations, and disrupt the site structure or content integrity. This weakness corresponds to CWE‑352.

Affected Systems

The affected product is Masa CMS (vendor MasaCMS). Versions 7.5.2 and earlier are vulnerable; the fix ships in 7.2.10, 7.3.15, 7.4.10 and 7.5.3, so each maintained release branch has a patched version.

Risk and Exploitability

Exploitation requires a victim with an active administrator session who is induced, by phishing or any other lure, to load attacker-controlled content that submits the forged restoration request from the administrator's own browser. The attacker never needs the administrator's credentials or session cookie, only a way to make that browser send the request; the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) reflects exactly this: network-reachable, no privileges required, but dependent on passive user interaction. At publication the EPSS score is below 1% and the vulnerability is not listed in CISA KEV, so there is no evidence of in-the-wild exploitation; the 8.7 High score instead reflects the high confidentiality and integrity impact on site content once an administrator is lured, and the SSVC assessment marks the flaw as Automatable, since the forged request can be served to many administrators at once.

Generated by OpenCVE AI on May 6, 2026 at 21:27 UTC.

Remediation

The vendor has released fixed versions (7.2.10, 7.3.15, 7.4.10 and 7.5.3); the workarounds listed in the description (restricting backend access, browser isolation for administrative sessions, emptying the trash regularly) apply only until the upgrade is done.

OpenCVE Recommended Actions

  • Upgrade to the fixed release of the branch in use (7.2.10, 7.3.15, 7.4.10 or 7.5.3, or later), which restores anti-CSRF token validation on cTrash.restore
  • Restrict access to the administrative backend using firewall rules, VPN or IP allow-listing; note that a CSRF request originates from the administrator's own browser, so this only helps when administrators reach the backend from a network that does not also carry their general web browsing
  • Use browser isolation for administrative sessions (a dedicated browser or profile never used for general browsing), so a lure page cannot ride on the administrator's session cookie
  • Regularly empty the trash to reduce the pool of restorable items
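Before trusting that an instance was not abused ahead of patching, it is worth checking whether any restoration request ever arrived from a foreign origin, which is the trace a CSRF leaves in the access log. The script below is an added example, not code from the OpenCVE page or from the Masa CMS project. It assumes (the page does not say) that the restore action is invoked through the admin front controller as `?muraAction=cTrash.restore`, and that the server writes combined-format log lines with the request's Origin header appended as a final quoted field; the hostnames and the sample log lines are constructed. The `parentid` parameter travels in the POST body and therefore never appears in an access log, so the script keys on the action name and on the Origin/Referer headers instead.

```python
"""Hunt an access log for cross-site requests to the Masa CMS trash-restore
action (CVE-2026-40325).

Added example, not code from the OpenCVE page or the Masa CMS project.
Assumptions not stated on the page: the restore action is reached through the
admin front controller as ``?muraAction=cTrash.restore``, and the log is in
combined format with the request's Origin header appended as one more quoted
field. The hostnames and sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# combined log format plus a trailing "%{Origin}i" field (assumed layout)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Constructed sample. All restore requests come from the same client IP: in a
# CSRF the forged request is sent by the administrator's own browser, so the
# source address alone cannot distinguish it from a legitimate one.
SAMPLE_LOG = [
    # legitimate restore, submitted from the trash listing page
    '203.0.113.7 - - [06/May/2026:14:02:11 +0000] "POST /admin/?muraAction=cTrash.restore&siteid=default HTTP/1.1" 302 0 '
    '"https://cms.example.org/admin/?muraAction=cTrash.list&siteid=default" "Mozilla/5.0" "https://cms.example.org"',
    # forged restore auto-submitted by a lure page on another origin
    '203.0.113.7 - - [06/May/2026:14:05:40 +0000] "POST /admin/?muraAction=cTrash.restore&siteid=default HTTP/1.1" 302 0 '
    '"https://attacker.example/lure.html" "Mozilla/5.0" "https://attacker.example"',
    # restore with no provenance headers at all: needs manual review
    '203.0.113.7 - - [06/May/2026:14:06:02 +0000] "GET /admin/?muraAction=cTrash.restore&siteid=default HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0" "-"',
    # unrelated admin request, ignored
    '203.0.113.7 - - [06/May/2026:14:07:00 +0000] "GET /admin/?muraAction=cTrash.list&siteid=default HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0" "-"',
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_restore_request(path):
    """True when the request path invokes the trash-restore action."""
    query = parse_qs(urlsplit(path).query)
    return "cTrash.restore" in query.get("muraAction", [])


def header_host(value):
    """Hostname carried by an Origin/Referer header value, or None when absent."""
    if value in ("", "-", "null"):
        return None
    return (urlsplit(value).hostname or "").lower() or None


def find_suspect_restores(lines, site_hosts):
    """Return restore requests whose Origin (or, failing that, Referer) is not
    one of the site's own hosts, plus those that carry neither header."""
    site_hosts = {h.lower() for h in site_hosts}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_restore_request(rec["path"]):
            continue
        # Browsers attach Origin to cross-site POSTs; Referer is the fallback
        # for GET requests and for servers that do not log Origin.
        source = header_host(rec["origin"]) or header_host(rec["referer"])
        if source in site_hosts:
            continue
        reason = "no Origin/Referer" if source is None else f"cross-site source {source}"
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                     "path": rec["path"], "status": rec["status"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspect_restores(SAMPLE_LOG, ["cms.example.org"]):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["reason"]}')
```

Run it against the real log with the site's own hostnames in `site_hosts`. A hit with a foreign origin is strong evidence of a forged request; a hit with no Origin or Referer is only a lead, since a referrer policy or a privacy proxy can strip both, so reconcile those against the CMS trash and content audit trail before drawing conclusions.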

Generated by OpenCVE AI on May 6, 2026 at 21:27 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 01:45:00 +0000

Type: First time appeared
Values added: Masacms; Masacms masacms
Type: Vendors & Products
Values added: Masacms; Masacms masacms

Wed, 06 May 2026 20:15:00 +0000

Type: Description
Values added: the Description text shown at the top of this page
Type: Title
Values added: Masa CMS CSRF in content restoration allows unauthorized restoration of deleted content
Type: Weaknesses
Values added: CWE-352
Type: References
Type: Metrics (cvssV4_0)
Values added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T12:38:59.301Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40325

Vulnrichment

Updated: 2026-05-07T12:38:54.097Z

NVD

Status : Deferred

Published: 2026-05-06T20:16:32.273

Modified: 2026-05-06T21:22:50.760

Link: CVE-2026-40325

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T01:30:17Z

Weaknesses