Description
Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/user_manipulate and admin/settings/generall endpoints to create users or modify application settings without explicit consent.
Published: 2026-04-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery that lets attackers perform unauthorized administrative actions
Action: Patch Immediately
AI Analysis

Impact

NodCMS contains a cross-site request forgery flaw that allows an attacker to cause authenticated administrators to execute privileged actions via crafted forms. This flaw can lead to creation of new administrative users, alteration of system configuration, and potentially further compromise of the application. The weakness is classified as CWE-352 and is also related to CWE-79.

Affected Systems

The vulnerability affects all publicly documented nodCMS releases from version 1.0 through 3.4.1, as enumerated by the CPE identifiers in the advisory. Administrators of any of these installations are at risk if the application lacks CSRF protections on the affected admin endpoints.

Risk and Exploitability

The CVSS base score is 5.3, representing moderate severity, and the EPSS score is below 1%, indicating a low probability of active exploitation as of the latest data. The vulnerability is not listed in the CISA KEV catalogue. Exploitation requires a user with administrative privileges who has logged into the system; an attacker can entice such a user to submit a malicious form or embed a crafted request, thereby causing the target to perform privileged operations without their knowledge. The attack vector is likely through web‑based phishing or socially engineered content that leverages the trusted session of the administrator.

Generated by OpenCVE AI on April 14, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nodCMS to the latest available release that contains the CSRF fix or apply the vendor’s patch for CVE-2016-20054.
  • Add CSRF tokens to all administrative forms and enforce SameSite cookie attributes to reduce the risk of unauthorized requests.
  • Restrict access to the admin/user_manipulate and admin/settings/generall endpoints by IP allowlisting or VPN-only access.
  • Enable detailed logging of administrative actions and regularly review logs for anomalous activity.
  • Train administrators to recognize and avoid submitting unknown forms or clicking on suspicious links.

Generated by OpenCVE AI on April 14, 2026 at 17:50 UTC.

Advisories
Source: Github GHSA
ID: GHSA-3qcm-pj6q-w4c5
Title: Nodcms contains a cross-site request forgery vulnerability
References
History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/user_manipulate and admin/settings/generall endpoints to create users or modify application settings without explicit consent.
Title Nodcms Cross Site Request Forgery via admin endpoints
First Time appeared Nodcms
Nodcms nodcms
Weaknesses CWE-79
CPEs cpe:2.3:a:nodcms:nodcms:1.0:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:2.0:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.0:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.1:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.2.2:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.3.0:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.3.1:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.4.0:*:*:*:*:*:*:*
cpe:2.3:a:nodcms:nodcms:3.4.1:*:*:*:*:*:*:*
Vendors & Products Nodcms
Nodcms nodcms
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:38:39.346Z

Reserved: 2026-04-04T13:34:39.170Z

Link: CVE-2016-20054

Vulnrichment

Updated: 2026-04-06T15:38:34.772Z

NVD

Status : Analyzed

Published: 2026-04-04T20:16:15.940

Modified: 2026-04-14T16:15:22.450

Link: CVE-2016-20054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses