CVE-2026-40326

Source
https://cve.org/CVERecord?id=CVE-2026-40326
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40326.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40326
Aliases
  • GHSA-622v-h7vf-w4gm
Published
2026-05-06T19:57:03.567Z
Modified
2026-07-08T08:13:14.738987952Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Masa CMS CSRF in site bundle creation allows unauthorized site data export
Details

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in csettings.cfc does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-352"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40326.json"
}
References

Affected packages

Git / github.com/masacms/masacms

Affected ranges

Type
GIT
Repo
https://github.com/masacms/masacms
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.2.10"
        },
        {
            "introduced": "7.3.0"
        },
        {
            "fixed": "7.3.15"
        },
        {
            "introduced": "7.4.0"
        },
        {
            "fixed": "7.4.10"
        },
        {
            "introduced": "7.5.0"
        },
        {
            "fixed": "7.5.3"
        }
    ]
}

Affected versions

5.*
5.5
6.*
6.2.6161
6.2.6527
7.*
7.0.6919
7.0.6930
7.0.6967
7.1.107
7.1.110
7.1.111
7.1.117
7.1.123
7.1.124
7.1.131
7.1.142
7.1.161
7.1.163
7.1.164
7.1.177
7.1.178
7.1.189
7.1.190
7.1.204
7.1.241
7.1.250
7.1.257
7.1.264
7.1.280
7.1.281
7.1.310
7.1.322
7.1.323
7.1.333
7.1.341
7.1.343
7.1.344
7.1.348
7.1.353
7.1.363
7.1.383
7.1.389
7.1.393
7.1.408
7.1.415
7.1.426
7.1.427
7.1.428
7.1.431
7.1.432
7.1.433
7.1.435
7.1.457
7.1.464
7.1.472
7.1.496
7.1.75
7.1.79
7.1.83
7.1.84
7.1.85
7.1.89
7.1.92
7.1.96
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.2.7
7.2.8
7.2.9
7.3
7.3.1
7.3.10
7.3.11
7.3.12
7.3.13
7.3.14
7.3.2
7.3.3
7.3.4
7.3.5
7.3.6
7.3.7
7.3.8
7.3.9
7.4.0
7.4.1
7.4.2
7.4.3
7.4.4
7.4.6
7.4.7
7.4.8
7.4.9
7.5.0
7.5.1
7.5.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40326.json"