CVE-2026-9591 PUBLISHED

Cross-Site Request Forgery (CSRF) in SimplCommerce News Module

Assigner: Checkmarx
Reserved: 26.05.2026 Published: 17.06.2026 Updated: 17.06.2026

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to /api/news-items, due to missing anti-CSRF protection.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N
CVSS Score: 8.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	simplcommerce
Product	SimplCommerce
Versions	Default: affected affected from 0 to 6233d73e (excl.)

References

Problem Types

CWE-352 Cross-Site request forgery (CSRF) CWE