Improper Validation in Masa CMS CreateBundle Method Exposes Sensitive Data
CVE-2026-40326
What is CVE-2026-40326?
Masa CMS, which is derived from Mura CMS, contains a vulnerability in the createBundle method of the csettings.cfc file. In versions 7.5.2 and earlier, this method does not adequately validate anti-CSRF tokens when it processes site bundle creation requests. An attacker can therefore craft a malicious webpage or link that, when accessed by an administrator, triggers the unauthorized generation of a site bundle. The bundle is written to a publicly accessible directory, from which an unauthenticated attacker can retrieve its sensitive contents, including site data, user accounts, password hashes, email lists, and configuration information. The issue is fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. To reduce exposure, delete unexpected bundle files from public directories, restrict access to the vulnerable endpoint, and limit exposure of administrative sessions.
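The following Python sketch is added here as an illustration and is not code from Masa CMS (whose handler is CFML in csettings.cfc). It contrasts a bundle-creation handler that trusts the ambient admin session cookie alone with one that also requires a per-session anti-CSRF token submitted in the form body and compared in constant time. The in-memory session store, the request dictionary shape and all function names are constructed assumptions, not the CMS's own API.

```python
import hmac
import secrets

# Constructed in-memory session store (hypothetical, stands in for the CMS's
# real session handling): session id -> per-session anti-CSRF token.
SESSIONS: dict[str, str] = {}


def issue_admin_session() -> str:
    """Create an admin session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate admin UI embeds in its bundle-creation form."""
    return SESSIONS[sid]


def create_bundle_vulnerable(request: dict) -> str:
    """Weak pattern: checks only that a valid admin session cookie is present.

    A browser attaches the admin's cookie to any request, including one
    initiated by a page the attacker controls, so this check cannot tell
    a forged request from a genuine one.
    """
    sid = request.get("cookie_session", "")
    if sid not in SESSIONS:
        return "403 not authenticated"
    return "200 bundle created"


def create_bundle_hardened(request: dict) -> str:
    """Hardened pattern: state-changing method plus a matching session token.

    The token travels in the form body rather than a cookie, so a cross-site
    page has no way to supply it; the comparison is constant-time to avoid
    leaking the token through timing.
    """
    sid = request.get("cookie_session", "")
    if sid not in SESSIONS:
        return "403 not authenticated"
    if request.get("method") != "POST":
        return "405 method not allowed"
    submitted = str(request.get("form_csrf_token", ""))
    expected = SESSIONS[sid]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "403 invalid or missing anti-CSRF token"
    return "200 bundle created"


def simulate() -> dict:
    """Replay a genuine admin submission and a forged cross-site one."""
    sid = issue_admin_session()
    genuine = {"method": "POST", "cookie_session": sid,
               "form_csrf_token": csrf_token_for(sid)}
    # Forged request: the cookie is attached by the browser automatically,
    # but the form token is absent because the foreign page never had it.
    forged = {"method": "POST", "cookie_session": sid}
    return {
        "vulnerable_genuine": create_bundle_vulnerable(genuine),
        "vulnerable_forged": create_bundle_vulnerable(forged),
        "hardened_genuine": create_bundle_hardened(genuine),
        "hardened_forged": create_bundle_hardened(forged),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

Running the block shows the vulnerable handler accepting both requests while the hardened one accepts only the submission carrying the session's token; in a real fix the token check belongs in the handler itself, not in a front-end template, so that direct requests to the endpoint are covered too.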
Affected Version(s)
MasaCMS < 7.2.10
MasaCMS >= 7.3.0, < 7.3.15
MasaCMS >= 7.4.0, < 7.4.10
