CVE-2026-40326 in Masathông tin

Tóm tắt

Bởi MITRE • 06/05/2026

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

chịu trách nhiệm

GitHub M

Đặt trước

10/04/2026

Tiết lộ

06/05/2026

Kiểm duyệt

được chấp nhận

EPSS

0.00033

KEV

không

Các hoạt động

thấp

ngành

Agriculture, Lawfirm, ...

Nguồn

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-40326
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-40326
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-40326/

TrướcTổng QuanTiếp theo

Want to know what is going to be exploited?

We predict KEV entries!