Vulnerability Description
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-40326?
CVE-2026-40326 is a documented vulnerability. Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle crea...
How severe is CVE-2026-40326?
CVSS scoring is not yet available for CVE-2026-40326. Check NVD for updates.
Is there a patch for CVE-2026-40326?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.