Description
Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=add_user endpoint with POST requests containing username and password parameters to create new administrative accounts without explicit user consent.
Published: 2026-05-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Easy2Pilot 7 contains a cross-site request forgery flaw that allows an attacker to create new administrative accounts. The vulnerability is triggered by a malicious page that submits a POST request to the admin.php?action=add_user endpoint with a username and password payload. An authenticated administrator who is tricked into visiting that page will inadvertently create a privileged user account, potentially granting the attacker full control over the system.

Affected Systems

All installations of Easy2Pilot 7 are affected; no version numbers more specific than the major release 7 are given. Administrators running this version should verify their local configuration and consider upgrades or mitigations.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA KEV, suggesting it is not yet known to be exploited in the wild. The attack requires social engineering of an authenticated administrator; exploitation is possible through crafted forms or links delivered by email or another channel. Despite the moderate score, the impact of enabling unauthorized admin access warrants prompt action.

Generated by OpenCVE AI on May 13, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Easy2Pilot to the latest release that implements CSRF protection for the add_user endpoint
  • Restrict access to admin.php to trusted IP ranges or a secure network segment
  • Educate administrators to avoid clicking suspicious links or visiting untrusted sites while authenticated
  • If a patch cannot be applied immediately, consider disabling the add_user functionality or requiring additional authentication for that action
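What "CSRF protection for the add_user endpoint" can look like in practice, as an added example rather than Easy2Pilot's own code: a per-session synchronizer token, an Origin/Referer check and a SameSite session cookie wrapped around the handler. It is PHP to match the admin.php endpoint named above; add_user_account() and the csrf_token field name are assumptions.

```php
<?php
// Added example, not Easy2Pilot's own code: a CSRF guard for admin.php?action=add_user.
// Assumptions: the admin login lives in the PHP session; add_user_account() and the
// 'csrf_token' form field are hypothetical names chosen for this illustration.

// 1. A session cookie that browsers will not attach to a form posted from another site.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

// 2. One unguessable secret per session, embedded in every admin form as a hidden field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 3. Defence in depth: the post must come from this host AND carry the session token.
//    (Host-only comparison; assumes the application is served on the default port.)
function csrf_request_is_valid(): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host   = parse_url($source, PHP_URL_HOST);
    if (!is_string($host) || $host !== ($_SERVER['HTTP_HOST'] ?? '')) {
        return false;                                   // missing or foreign origin
    }
    $submitted = $_POST['csrf_token'] ?? '';
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);   // constant-time compare
}

if (($_GET['action'] ?? '') === 'add_user') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_request_is_valid()) {
        // Log the rejection: repeated hits here are a detection signal for forged requests.
        error_log('add_user rejected as CSRF from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Forbidden');
    }
    add_user_account($_POST['username'] ?? '', $_POST['password'] ?? '');   // hypothetical
}
?>
<!-- The legitimate form: the hidden token is what a page on another site cannot read or forge. -->
<form method="post" action="admin.php?action=add_user">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input name="username"> <input type="password" name="password">
  <button>Add user</button>
</form>
```

The token check alone defeats the forged form described in this CVE; the Origin check and SameSite cookie are independent layers so that a single weakness (a token leak, an older browser) does not reopen the endpoint.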

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Easy2pilot; Easy2pilot easy2pilot
Vendors & Products    -                Easy2pilot; Easy2pilot easy2pilot

Wed, 13 May 2026 19:30:00 +0000

Type                  Values Removed   Values Added
Metrics               -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Description           -                Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=add_user endpoint with POST requests containing username and password parameters to create new administrative accounts without explicit user consent.
Title                 -                Easy2Pilot 7 Cross-Site Request Forgery via admin.php
Weaknesses            -                CWE-352
References            -                -
Metrics               -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
                                       cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:13.257Z

Reserved: 2026-05-13T13:38:45.714Z

Link: CVE-2020-37217

Vulnrichment

Updated: 2026-05-13T18:18:52.343Z

NVD

Status: Deferred

Published: 2026-05-13T16:16:33.013

Modified: 2026-05-13T17:07:21.030

Link: CVE-2020-37217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:23Z

Weaknesses