CVE-2026-9591

Published June 17th, 2026

View on NVD ↗

CVSS v3

N/A

CVSS v2

N/A

Affected

PROJECT

Description

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.

simplcommerce/SimplCommerce

A simple, cross platform, modulith ecommerce system built on .NET

GitHub

4.41K