Description
InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.
Published: 2026-03-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via CSRF
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a cross-site request forgery flaw (CWE-352): InstantCMS does not validate CSRF tokens on several privileged, state-changing actions. A malicious site can make a logged-in user's browser submit a forged request, and because the browser attaches the victim's session cookie, the application executes it with the victim's privileges: granting moderator rights, executing scheduled tasks, moving posts to trash, or accepting friend requests. The attacker needs neither the victim's credentials nor their session; the victim only has to load the attacker's page while logged in.

Affected Systems

InstantCMS versions prior to 2.18.1 are affected (tracked as the Instantcms icms2 product and under the CPE cpe:2.3:a:instantcms:instantcms:*). Every release before 2.18.1 lacks the token validation; the fix ships in 2.18.1.

Risk and Exploitability

The CVSS 3.1 base score is 7.1, which falls in the High band (7.0 to 8.9), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N: reachable over the network, low attack complexity, no privileges required, user interaction required, and a high impact on integrity. The EPSS score is below 1%, suggesting a low probability of exploitation at the time of analysis, and the CVE is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: none and Automatable: no. The attacker does not have to obtain the victim's session. They need a user who is logged in with sufficient rights (for example an administrator able to grant moderator status) to visit an attacker-controlled page that submits the forged request; the browser supplies the session cookie. The attack vector is CSRF by definition, since the assigned weakness is CWE-352 (missing token validation on state-changing actions).

Generated by OpenCVE AI on April 16, 2026 at 10:04 UTC.

Remediation

Fixed in InstantCMS 2.18.1, as stated in the vendor description; no separate workaround is listed for earlier releases.

OpenCVE Recommended Actions

  • Upgrade InstantCMS to version 2.18.1 or later, which includes CSRF token validation.
  • Verify that CSRF protection is enabled for all forms and that proper token validation is implemented in the updated code.
  • Restrict moderator creation to authenticated administrators and enforce least‑privilege policies to limit the impact of any future privilege‑escalation attempts.

Generated by OpenCVE AI on April 16, 2026 at 10:04 UTC.
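To make the second recommended action concrete (what "proper token validation" on a state-changing endpoint looks like, and why the cookie alone is not authentication of intent), here is an added example. It is not InstantCMS's code and does not reproduce its request handling; the handler names, the in-memory session and user dictionaries, and the site origin are assumptions for the demonstration. It contrasts a cookie-only handler, which accepts a forged moderator grant, with one that checks a per-session synchronizer token in constant time and the request Origin before acting.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Added illustration of synchronizer-token CSRF validation with an Origin check.
# issue_csrf_token, validate_state_change, grant_moderator*, SITE_ORIGIN and the
# session/user dicts are assumptions for the demo, not InstantCMS internals.
SITE_ORIGIN = "https://cms.example.test"  # constructed origin of the CMS


def issue_csrf_token(session: dict) -> str:
    """Create one random token per session; every form embeds it as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _same_origin(headers: dict) -> bool:
    """Defense in depth: a state-changing POST from the site carries a matching Origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def validate_state_change(session: dict, form: dict, headers: dict) -> tuple:
    """Return (ok, reason) for a request that changes server state."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False, "missing csrf token"
    # Constant-time compare; a plain == would let timing leak the token byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return False, "csrf token mismatch"
    if not _same_origin(headers):
        return False, "cross-site origin"
    return True, "ok"


def grant_moderator_unchecked(session: dict, form: dict, headers: dict, users: dict) -> bool:
    """Shape of the pre-fix bug: authorization by session cookie only, token never read."""
    if session.get("role") != "admin":
        return False
    users[form["user_id"]]["role"] = "moderator"
    return True


def grant_moderator(session: dict, form: dict, headers: dict, users: dict) -> tuple:
    """Hardened handler: same authorization check, CSRF validation before any write."""
    if session.get("role") != "admin":
        return False, "not authorized"
    ok, reason = validate_state_change(session, form, headers)
    if ok:
        users[form["user_id"]]["role"] = "moderator"
    return ok, reason


def demo() -> dict:
    """Replay a forged and then a legitimate request against both handlers."""
    admin_session = {"user_id": "1", "role": "admin"}  # constructed victim session
    token = issue_csrf_token(admin_session)

    # Forged request: the victim's browser attached the admin cookie (so the server
    # sees admin_session), but the attacker's page cannot read the real token and
    # cannot spoof an Origin equal to the site's.
    forged_form = {"user_id": "42", "csrf_token": secrets.token_urlsafe(32)}
    forged_hdrs = {"Origin": "https://attacker.example"}

    users_vuln = {"42": {"role": "user"}}
    vuln_accepted = grant_moderator_unchecked(admin_session, forged_form, forged_hdrs, users_vuln)

    users_fixed = {"42": {"role": "user"}}
    fixed_forged = grant_moderator(admin_session, forged_form, forged_hdrs, users_fixed)
    role_after_forged = users_fixed["42"]["role"]

    # Legitimate request from the site's own form: carries the session's token.
    legit_form = {"user_id": "42", "csrf_token": token}
    fixed_legit = grant_moderator(admin_session, legit_form, {"Origin": SITE_ORIGIN}, users_fixed)

    return {
        "vulnerable_accepted_forgery": vuln_accepted,
        "role_after_vulnerable": users_vuln["42"]["role"],
        "fixed_on_forgery": fixed_forged,
        "role_after_forged_on_fixed": role_after_forged,
        "fixed_on_legit": fixed_legit,
        "role_after_legit": users_fixed["42"]["role"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

When verifying an upgraded install, the check to run is the forged half of this demo against each of the four affected actions (moderator grant, scheduled-task execution, trash, friend accept): a cross-site POST without the token must be rejected, and a request that omits the token entirely must fail just as one with a wrong token does. SameSite=Lax or Strict session cookies reduce exposure in current browsers but are a second layer, not a substitute for the per-request token check the 2.18.1 release adds.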

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Instantcms instantcms
CPEs                 -                cpe:2.3:a:instantcms:instantcms:*:*:*:*:*:*:*:*
Vendors & Products   -                Instantcms instantcms

Tue, 10 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Instantcms
                                      Instantcms icms2
Vendors & Products   -                Instantcms
                                      Instantcms icms2

Mon, 09 Mar 2026 22:30:00 +0000

Type                 Values Removed   Values Added
Description          -                InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.
Title                -                InstantCMS has Multiple CSRF Vulnerabilities
Weaknesses           -                CWE-352
References           -                (none recorded in this entry)
Metrics              -                cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:33:49.843Z

Reserved: 2026-02-26T01:52:58.734Z

Link: CVE-2026-28281

Vulnrichment

Updated: 2026-03-10T14:33:47.178Z

NVD

Status : Analyzed

Published: 2026-03-10T17:38:39.103

Modified: 2026-03-13T16:19:38.573

Link: CVE-2026-28281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses