CVE-2026-40326

UNKNOWN 0.0

Masa CMS CSRF in site bundle creation allows unauthorized site data export

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions.

CWE	CWE-352
Vendor	masacms
Product	masacms
Published	May 6, 2026

Stay Ahead of the Next One

Get instant alerts for masacms masacms

Be the first to know when new unknown vulnerabilities affecting masacms masacms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

MasaCMS / MasaCMS

< 7.2.10 >= 7.3.0, < 7.3.15 >= 7.4.0, < 7.4.10 >= 7.5.0, < 7.5.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-622v-h7vf-w4gm