CVE-2025-55046 · HIGH 8.1 · EPSS p2.5%

Description

MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crafted webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS: 0.12% probability of exploitation · percentile 2.5% · 2026-06-19T12:03:05Z
Published: 2026-03-18
Last modified: 2026-03-20

Underlying weaknesses · 1

CWE-352

References

  1. https://docs.murasoftware.com/v10/release-notes/#section-version-1014
  2. https://www.murasoftware.com

| Type | Target | Confidence | Tier |
| --- | --- | --- | --- |
| Weakness | Cross-Site Request Forgery (CSRF), cwe-352 | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-55044
  2. CVE-2025-55040
  3. CVE-2025-55041
  4. CVE-2026-8411
  5. CVE-2026-8410
  6. CVE-2025-25967

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.