Description
Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.
Published: 2026-06-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw in SimplCommerce's NewsItemApiController that permits an unauthenticated attacker to send crafted POST requests to the /api/news-items endpoint. If the victim is an administrator, the malicious request creates or modifies news items without any user interaction. The flaw results from missing anti‑CSRF protection, enabling the attacker to exploit an admin’s active session tokens. The impact is a breach of data integrity and potential confidentiality if sensitive content is involved.

Affected Systems

Any instance of SimplCommerce running a version prior to commit 6233d73e is affected. The news module of SimplCommerce contains the vulnerable endpoint. No specific version range is documented; the fix is provided in the referenced commit.

Risk and Exploitability

The CVSS score of 6.9 signals moderate severity. The EPSS score of <1% indicates a low, but not zero, probability of exploitation. The vulnerability is not listed in CISA KEV. The likely attack vector is inferred: an unauthenticated attacker induces an administrator to visit a malicious site that submits a crafted POST to /api/news-items. Because the endpoint lacks anti‑CSRF protection, the transaction can be carried out without user interaction, effectively turning an unprivileged user into a means to privilege‑escalate within the application.

Generated by OpenCVE AI on June 18, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch introduced in commit 6233d73e or upgrade SimplCommerce to a downstream version that incorporates the fix
  • Enforce anti‑CSRF tokens on all state‑changing endpoints, or add a firewall rule that blocks unauthenticated POST requests to /api/news-items
  • Restrict the /api/news-items endpoint to authenticated users with the administrator role only and audit access logs for unusual activity

Generated by OpenCVE AI on June 18, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:simplcommerce:simplcommerce:*:*:*:*:*:*:*:*
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Simplcommerce
Simplcommerce simplcommerce
Vendors & Products Simplcommerce
Simplcommerce simplcommerce

Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.
Title Cross-Site Request Forgery (CSRF) in SimplCommerce News Module
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Simplcommerce Simplcommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Checkmarx

Published:

Updated: 2026-06-18T13:46:21.749Z

Reserved: 2026-05-26T13:36:23.358Z

Link: CVE-2026-9591

cve-icon Vulnrichment

Updated: 2026-06-17T15:02:03.251Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:45:03Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)