MuraCMS
cpe:2.3:a:getmura:mura_cms:*:*:*:*:*:*:*
- <= 10.1.10
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in MuraCMS versions through 10.1.10. This vulnerability allows attackers to permanently delete all content in the trash system by exploiting the cTrash.empty function, which lacks proper CSRF token validation. When an authenticated administrator visits a crafted webpage, their browser automatically submits a hidden form that empties the trash without any validation or user consent. The exploitation of this vulnerability could lead to significant data loss within the MuraCMS system.
Exploitation of this vulnerability results in irreversible deletion of all trashed content, causing potentially catastrophic data loss in the MuraCMS system.
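A log check for the request pattern described above, added here as an example and not taken from MuraCMS or from this advisory: it scans web access logs for successful requests naming cTrash.empty whose Referer is not the admin site itself. Assumptions: Combined Log Format, the function name visible in the logged URL (shown in the sample lines as a `muraAction` parameter), and the placeholder host `cms.example.org`; every log line is constructed.

```python
import re
from urllib.parse import urlsplit

ADMIN_HOST = "cms.example.org"  # assumption: placeholder for the host serving the admin UI
ACTION = "ctrash.empty"         # function named in the advisory, compared lower-cased

# Combined Log Format: ip ident user [time] "METHOD url proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation IPs and hosts; URL layout is an assumption).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /admin/ HTTP/1.1" 200 5120 "https://cms.example.org/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:01:09 +0000] "POST /admin/?muraAction=cTrash.empty HTTP/1.1" 302 0 "https://cms.example.org/admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:14:22:40 +0000] "POST /admin/?muraAction=cTrash.empty HTTP/1.1" 302 0 "https://unrelated.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:15:00:00 +0000] "POST /admin/?muraAction=cTrash.empty HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]

def referer_host(value):
    """Host part of a Referer header, or '' when absent ('-') or unparsable."""
    try:
        return (urlsplit(value).hostname or "").lower()
    except ValueError:
        return ""

def classify(line, admin_host=ADMIN_HOST):
    """Return None unless the line is a trash-empty request, else a finding dict."""
    m = LINE_RE.match(line.strip())
    if not m or ACTION not in m["url"].lower():
        return None
    host = referer_host(m["referer"])
    origin = "same-site" if host == admin_host.lower() else ("cross-site" if host else "no-referer")
    return {"time": m["time"], "ip": m["ip"], "status": m["status"],
            "origin": origin, "referer_host": host}

def suspicious(lines, admin_host=ADMIN_HOST):
    """Trash-empty requests answered 2xx/3xx that did not originate from the admin UI.
    A missing Referer is a lead for review, not proof: referrer policies can strip it."""
    findings = (classify(line, admin_host) for line in lines)
    return [f for f in findings if f and f["origin"] != "same-site" and f["status"][0] in "23"]
```

Requests whose action name travels only in a POST body will not appear in access logs, so this check complements CSRF token validation on the server and does not replace it.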