CVE-2026-9591

Vulnerability Description

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.

Vulnerability Details

Published Date

June 17, 2026

Last Modified

June 17, 2026

CWE ID

CWE-352

Source

NVD

External References

https://github.com/simplcommerce/SimplCommerce/commit/6233d73e134c887fc3f3308d20710bec096d45e3
https://github.com/simplcommerce/SimplCommerce/pull/1150

CVE-2026-9591

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment