← Back

CVE-2026-28281

nvd nist
Published: Mar 10, 2026Modified: Mar 13, 2026

JSON object

Loading...
7.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Exploitability: 2.8 / Impact: 4.2
Source: security-advisories@github.com (Secondary)

Description

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.

Affected (1)

Instantcms
1 product
Instantcms
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Instantcms
Before 2.18.1

Related CWEs

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (1)

Source: security-advisories@github.com
ExploitMitigationVendor Advisory

Timeline

No history available yet.