CVE-2026-9591

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.
CVSS

No CVSS.

Configurations

No configuration.

History

18 Jun 2026, 14:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-17 14:18

Updated : 2026-06-18 14:17


NVD link : CVE-2026-9591

Mitre link : CVE-2026-9591

CVE.ORG link : CVE-2026-9591


JSON object : View

Products Affected

No product.

CWE
CWE-352

Cross-Site Request Forgery (CSRF)