Vulnerability Description
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-40309?
CVE-2026-40309 is a documented vulnerability. Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can...
How severe is CVE-2026-40309?
CVSS scoring is not yet available for CVE-2026-40309. Check NVD for updates.
Is there a patch for CVE-2026-40309?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.