Home

Description

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.

PUBLISHED Reserved 2026-05-26 | Published 2026-06-17 | Updated 2026-06-18 | Assigner Checkmarx




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-352 Cross-Site request forgery (CSRF)

Product status

Default status
affected

Any version before 6233d73e
affected

References

github.com/simplcommerce/SimplCommerce/pull/1150

github.com/...ommit/6233d73e134c887fc3f3308d20710bec096d45e3 patch

cve.org (CVE-2026-9591)

nvd.nist.gov (CVE-2026-9591)

Download JSON