CSRF Vulnerability in Masa CMS Affects User Address Management
CVE-2026-40174

7.1 HIGH

Key Information:

Vendor: Masacms

Status: Vendor

CVE Published: 6 May 2026

What is CVE-2026-40174?

In Masa CMS versions 7.5.2 and earlier, the cUsers.updateAddress function does not validate anti-CSRF tokens. An attacker can therefore lure a logged-in administrator into submitting a forged request that adds, modifies, or deletes user address records without authorization. Because these records hold contact details such as email addresses and phone numbers, a successful attack can redirect communications and corrupt user directory data. To mitigate this issue, operators are advised to restrict access to the administrative backend, use browser isolation for administrative sessions, and deploy filtering rules that block forged requests.
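The flaw class above is a state-changing handler that trusts any authenticated POST. The following Python sketch is an added illustration, not Masa CMS code: it places a handler with no token check beside one that requires a per-session synchronizer token (compared in constant time) and additionally rejects requests whose Origin/Referer does not match the site. All names (`Session`, `Request`, `update_address_*`, the `cms.example.test` origin) are hypothetical.

```python
"""Added example (not Masa CMS code): an address-update handler without an
anti-CSRF check next to one that enforces a per-session synchronizer token.
All class and function names here are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session for a logged-in user; the token is bound to it."""
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    addresses: dict = field(default_factory=dict)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: method, form body, headers."""
    method: str
    form: dict
    headers: dict = field(default_factory=dict)


def update_address_vulnerable(session: Session, req: Request):
    """Applies any authenticated POST. A cross-site form post made by the
    victim's browser carries the session cookie, so it is accepted."""
    if req.method != "POST":
        return 405, "method not allowed"
    address_id = req.form.get("address_id")
    if not address_id:
        return 400, "address_id required"
    session.addresses[address_id] = {
        k: v for k, v in req.form.items() if k != "address_id"
    }
    return 200, "updated"


def update_address_hardened(session: Session, req: Request,
                            site_origin: str = "https://cms.example.test"):
    """Same operation, but the request must prove it came from a page this
    site served: the session token must be echoed back in the form body, and
    the browser-supplied Origin (or Referer) must belong to the site."""
    if req.method != "POST":
        return 405, "method not allowed"
    # Synchronizer token: a third-party page cannot read the token, so a
    # forged form cannot include it. Compare in constant time on bytes.
    submitted = str(req.form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(submitted, session.csrf_token.encode()):
        return 403, "csrf token missing or invalid"
    # Defence in depth: browsers attach Origin to cross-site POSTs and a
    # server cannot be tricked into omitting it from its own check.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and not origin.startswith(site_origin):
        return 403, "cross-origin request rejected"
    address_id = req.form.get("address_id")
    if not address_id:
        return 400, "address_id required"
    session.addresses[address_id] = {
        k: v for k, v in req.form.items()
        if k not in ("address_id", "csrf_token")
    }
    return 200, "updated"


def demo():
    """Constructed scenario: the same cross-site form post hits both handlers."""
    forged = Request("POST",
                     {"address_id": "a1", "email": "changed@example.test"},
                     {"Origin": "https://third-party.example.test"})
    loose = Session("admin")
    strict = Session("admin")
    return (update_address_vulnerable(loose, forged)[0],
            update_address_hardened(strict, forged)[0])


if __name__ == "__main__":
    print(demo())  # (200, 403): the first handler applies the change, the second refuses
```

The token check alone closes the hole; the Origin comparison is a second, independent signal, useful because a site that forgets to embed the token in one form still gets some protection. Setting the session cookie with `SameSite=Lax` or `Strict` is a third layer the framework can apply without touching each handler.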

Affected Version(s)

MasaCMS < 7.2.10

MasaCMS >= 7.3.0, < 7.3.15

MasaCMS >= 7.4.0, < 7.4.10

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
