CVE Catalog

CVE-2026-9591

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

The NewsItemApiController in SimplCommerce prior to commit 6233d73e is vulnerable to cross-site request forgery (CSRF), allowing an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.

Risk Assessment

This vulnerability could lead to unauthorized changes to news content, potentially impacting the organization's reputation and user trust.

Recommendation

It is recommended to implement CSRF protection in the application and update to the latest version of SimplCommerce to mitigate this vulnerability.

Original NVD description (English source)

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS