Open Redirect Vulnerability in Masa CMS by Masa Technologies
CVE-2026-40332

5.3 MEDIUM

Key Information:

Vendor: Masacms
Status: Vendor
CVE Published: 6 May 2026

What is CVE-2026-40332?

Masa CMS suffers from an Open Redirect vulnerability that arises from improper handling of scheme-relative URLs. When an attacker crafts a redirect parameter that starts with a double slash (//), the application misinterprets it as an internal path. As a consequence, the redirect target is not validated before processing, allowing attackers to send users to sites under their control. This flaw can facilitate phishing attacks and may inadvertently expose sensitive information, such as authentication tokens. Mitigation strategies include rejecting or rewriting redirect parameters that start with // and, where it fits the deployment, disabling the forceDirectoryStructure feature.
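The two mitigations named above (reject, or rewrite, a redirect parameter that begins with //) are shown below as an added, stand-alone example. It is not Masa CMS code (Masa CMS is a CFML application; this is a generic Python illustration of the same check) and the sample redirect parameters are constructed for the demonstration. Beyond the advisory's specific case it also treats backslashes as slashes, because browsers normalise "/\host" to "//host", and rejects absolute URLs with a scheme, since those bypass a check that only looks for a leading double slash.

```python
from urllib.parse import urlsplit

# Constructed sample redirect parameters (hypothetical, not from any real request)
SAMPLES = [
    "/dashboard?tab=1",        # legitimate same-site path
    "//evil.example/login",    # scheme-relative: the CVE's trigger
    "/\\evil.example",         # backslash variant browsers read as //
    "https://evil.example",    # absolute URL with a scheme
    "dashboard",               # relative path, ambiguous: reject
]


def is_safe_redirect_target(target: str) -> bool:
    """Accept only a same-site, path-only redirect target.

    Rejects scheme-relative URLs ("//host"), absolute URLs with a scheme,
    backslash variants, and targets containing whitespace or control bytes.
    """
    if not target:
        return False
    # Browsers treat "\" like "/" here, so normalise before any prefix check.
    t = target.replace("\\", "/")
    if t.startswith("//"):
        return False                      # scheme-relative: external host
    parts = urlsplit(t)
    if parts.scheme or parts.netloc:
        return False                      # "https://..." or "javascript:..."
    if not t.startswith("/"):
        return False                      # must be an absolute on-site path
    if any(c.isspace() or ord(c) < 0x20 for c in t):
        return False                      # no smuggled whitespace/control chars
    return True


def sanitize_redirect_target(target: str, default: str = "/") -> str:
    """Rewrite variant: collapse any run of leading slashes to a single "/".

    "//evil.example/x" becomes "/evil.example/x", which is an internal path.
    Absolute URLs cannot be rewritten meaningfully and fall back to `default`.
    """
    t = (target or "").replace("\\", "/")
    if urlsplit(t).scheme:
        return default
    t = "/" + t.lstrip("/")
    return t if is_safe_redirect_target(t) else default


def classify(samples):
    """Map each sample to (rejected_by_validator, rewritten_value)."""
    return {s: (not is_safe_redirect_target(s), sanitize_redirect_target(s))
            for s in samples}


if __name__ == "__main__":
    for sample, (rejected, rewritten) in classify(SAMPLES).items():
        print(f"{sample!r:28} reject={rejected!s:5} rewrite={rewritten!r}")
```

The reject variant is the stricter choice: it never changes what a legitimate application link looks like, and any parameter that fails validation is replaced by a fixed safe landing page. The rewrite variant keeps a misbehaving but benign link working, at the cost of occasionally sending a user to a 404 on the same site.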

Affected Version(s)

MasaCMS < 7.2.10

MasaCMS >= 7.3.0, < 7.3.15

MasaCMS >= 7.4.0, < 7.4.10

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
