CVE-2026-31016
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
A Cross-Site Request Forgery (CSRF) vulnerability has been found in Squidex CMS version 7.21.0 and earlier. An attacker can exploit the IdentityServer account profile endpoint to escalate privileges without the victim's knowledge.
Risk Assessment
The risk involves potential account takeover or privilege escalation by tricking an authenticated user into performing unintended actions. This could lead to full compromise of the CMS system.
Recommendation
Immediately upgrade Squidex CMS to a version later than 7.21.0 that includes the CSRF fix. Additionally, implement CSRF protection mechanisms such as anti-CSRF tokens.
Original NVD description (English source)
Cross Site Request Forgery vulnerability in Squidex.io Squidex CMS v.7.21.0 and before allows a remote attacker to escalate privileges via the IdentityServer account profile endpoint

