Description
A vulnerability was found in newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee. Affected is an unknown function of the component Multiple Endpoints. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery
Action: Patch
AI Analysis

Impact

A vulnerability was discovered in the Multiple Endpoints component of Newbee‑ltd Newbee‑mall that allows an attacker to perform Cross‑Site Request Forgery (CSRF) by manipulating an unknown function. The flaw permits remote exploitation, enabling a malicious website or script to trigger state‑changing actions on the target application without the victim’s knowledge. The reported CVE lists a CVSS score of 5.3, indicating a moderate impact if the victim is logged in or holds privileged permissions. The weakness is classified as CWE‑352 (CSRF) and CWE‑862 (Missing Authorization).

Affected Systems

The vendor affected is Newbee‑ltd, with the product Newbee‑mall. Versions up to the commit a069069b07027613bf0e7f571736be86f431faee are known to contain the vulnerable component. Because the project uses a rolling‑release model, no explicit release numbers are available, and the vendor has not yet announced a fix. Users must therefore inspect their current commit or release hash to determine whether they are running a vulnerable instance.

Risk and Exploitability

The CVSS base score of 5.3 reflects moderate exploitability, while the EPSS score of less than 1% shows that, on present data, the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, suggesting no active, widespread attacks are documented. Attackers can trigger the flaw remotely by causing a crafted HTTP request to be sent to the affected endpoint, leveraging the absence of proper CSRF validation. If the victim has an authenticated session, the attacker could perform actions such as changing user data, ordering items, or modifying application state.

Generated by OpenCVE AI on April 17, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy any new release of Newbee‑mall that contains the CSRF fix, verifying that the deployed commit is newer than a069069b07027613bf0e7f571736be86f431faee.
  • Add server‑side CSRF protection to all state‑changing endpoints, such as requiring a valid anti‑CSRF token, checking the Origin header, or setting the SameSite attribute on session cookies for sensitive requests.
  • Temporarily disable or restrict access to the vulnerable Multiple Endpoints routes until the vendor releases a confirmed patch.
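
The server-side check recommended above (Origin validation plus a session-bound anti-CSRF token), as an added, framework-agnostic example; it is not newbee-mall code. The function names, the trusted origin and the sample origins are assumptions, and headers are assumed to arrive in a dict with canonical names.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the shop is served from this single origin (constructed value).
TRUSTED_ORIGINS = {"https://shop.example"}
# Safe methods skip the check, so GET handlers must never change state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_csrf_token() -> str:
    """Random per-session token, stored server-side and embedded in forms."""
    return secrets.token_urlsafe(32)


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers, session_token, submitted_token):
    """Return (allowed, reason) for one incoming request."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Prefer Origin; fall back to Referer when the browser omits Origin.
    source = headers.get("Origin") or headers.get("Referer")
    # "Origin: null" (sandboxed frames, some redirects) maps to "://" and fails.
    if source is not None and origin_of(source) not in TRUSTED_ORIGINS:
        return False, "cross-origin request"
    # The token is still required when neither header is present.
    if not session_token or not submitted_token:
        return False, "missing token"
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(session_token.encode(), submitted_token.encode()):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed sample requests: a forged cross-site POST and a legitimate one.
    print(csrf_check("POST", {"Origin": "https://other.example"}, token, None))
    print(csrf_check("POST", {"Origin": "https://shop.example"}, token, token))
```
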


Advisories

No advisories yet.

History

Thu, 19 Feb 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Newbee-ltd; Newbee-ltd newbee-mall
Vendors & Products | | Newbee-ltd; Newbee-ltd newbee-mall

Wed, 18 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee. Affected is an unknown function of the component Multiple Endpoints. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Title | | newbee-ltd newbee-mall Multiple Endpoints cross-site request forgery
Weaknesses | | CWE-352; CWE-862
References | |
Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:18:21.367Z

Reserved: 2026-02-18T06:55:12.547Z

Link: CVE-2026-2658

Vulnrichment

Updated: 2026-02-18T17:59:45.705Z

NVD

Status: Deferred

Published: 2026-02-18T18:24:34.400

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2658

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses