CVE-2026-9591
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
The NewsItemApiController in SimplCommerce prior to commit 6233d73e is vulnerable to cross-site request forgery (CSRF), allowing an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.
Risk Assessment
This vulnerability could lead to unauthorized changes to news content, potentially impacting the organization's reputation and user trust.
Recommendation
It is recommended to implement CSRF protection in the application and update to the latest version of SimplCommerce to mitigate this vulnerability.
Original NVD description (English source)
Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.

