Improper CSRF Protection in Masa CMS Leads to Data Loss
CVE-2026-40309

7.2 HIGH

Key Information:

Vendor: Masacms
Status: Vendor
CVE Published: 6 May 2026

What is CVE-2026-40309?

Masa CMS versions 7.5.2 and earlier contain a cross-site request forgery (CSRF) vulnerability: the cTrash.empty function does not validate anti-CSRF tokens. An attacker can exploit this by tricking a logged-in administrator into submitting a forged request that empties the trash, which irreversibly deletes the content held there and makes recovery of mistakenly deleted items significantly harder. To mitigate the risk, upgrade to a fixed version (7.2.10, 7.3.15, 7.4.10 or 7.5.3), restrict access to the admin backend, use browser isolation for admin sessions, and back up the database regularly.
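A model of the missing check and its remedy, added here as an illustration and not Masa CMS's own code: the handler names, the `Trash` class, the `site_origin` field and the request dictionaries are constructed, and the hardened handler shows the token validation the fixed versions imply plus an Origin comparison as defense in depth.

```python
import hmac
import secrets


class Trash:
    """Constructed stand-in for the CMS trash bin."""

    def __init__(self, items):
        self.items = list(items)

    def empty(self):
        self.items.clear()


def issue_csrf_token(session):
    """Mint a per-session anti-CSRF token and keep it server-side (hypothetical helper)."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def empty_trash_vulnerable(session, request, trash):
    """Models the flaw: the only check is that the browser carries an admin session,
    so a request forged by another site the admin visits still empties the trash."""
    if not session.get("admin"):
        return 403
    trash.empty()
    return 200


def empty_trash_hardened(session, request, trash):
    """Same action with the checks a state-changing admin endpoint needs:
    POST only, a token bound to the session compared in constant time, and
    (when the browser sends one) an Origin header matching the site itself."""
    if not session.get("admin"):
        return 403
    if request["method"] != "POST":
        return 405  # a bare link or image load (GET) must never empty the trash
    expected = session.get("csrf_token") or ""
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403  # forged cross-site requests cannot read the token, so they fail here
    origin = request["headers"].get("Origin")
    if origin is not None and origin != request["site_origin"]:
        return 403  # defense in depth: explicit cross-origin submissions are refused
    trash.empty()
    return 200
```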

Affected Version(s)

MasaCMS < 7.2.10

MasaCMS >= 7.3.0, < 7.3.15

MasaCMS >= 7.4.0, < 7.4.10

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown
