anonhaven
Ad

CVE-2025-55046

HIGH CVSS 3.1: 8.1 EPSS 0.02%
Updated Mar 20, 2026
N/A
Parameter Value
CVSS 8.1 (HIGH)
Type CWE-352 (Cross-Site Request Forgery (CSRF))
Vendor N/A
Public PoC No

MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crated webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system.

When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-352 Cross-Site Request Forgery (CSRF)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Murasoftware Mura_Cms
cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*

References 2

https://docs.murasoftware.com/v10/release-notes/#section-version-1014
cve@mitre.org
https://www.murasoftware.com
cve@mitre.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-6978

N/A

5.1

CVE-2026-6951

N/A

9.2

CVE-2026-6561

N/A

5.1

CVE-2025-70797

Limesurvey

6.1

CVE-2025-63238

PHP

6.1