Cross-Site Request Forgery Vulnerability in Masa CMS by Masa
CVE-2026-40325

8.7HIGH

Key Information:

Vendor: Masacms
Status: Masacms
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-40325?

Masa CMS is impacted by a security flaw where the cTrash.restore function inadequately verifies anti-CSRF tokens for restoration requests of deleted content. This could allow attackers to manipulate a logged-in administrator into submitting a malicious request, restoring deleted items to unintended locations within the site's structure. As a consequence, sensitive data could be exposed or manipulated, and the integrity of website content could be compromised. The vulnerability affects Masa CMS versions 7.5.2 and earlier, necessitating upgrades or strict access controls to mitigate risks.

Affected Version(s)

MasaCMS < 7.2.10 < 7.2.10

MasaCMS >= 7.3.0, < 7.3.15 < 7.3.0, 7.3.15

MasaCMS >= 7.4.0, < 7.4.10 < 7.4.0, 7.4.10

References

https://github.com/MasaCMS/MasaCMS/security/advisories/GH...

x_refsource_CONFIRM

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Apr 10, 2026

CVE-2026-40325 Data

JSON

Masacms

What is CVE-2026-40325?

Affected Version(s)

References

CVSS V4

Timeline