Is Instantcms affected by CVE-2026-28281?

InstantCMS installations running version 2.18.1 or earlier are vulnerable to cross-site request forgery (CSRF) attacks that could allow attackers to perform unauthorized administrative actions on behalf of authenticated users.

CVE-2026-28281

HIGH

2026-03-10 [email protected]

7.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Mar 10, 2026 - 17:38 nvd

HIGH 7.1

Description

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.

Analysis

InstantCMS is a free and open source content management system. versions up to 2.18.1 is affected by cross-site request forgery (csrf) (CVSS 7.1).

Remediation

Within 24 hours: Identify all InstantCMS instances in your environment and document current versions. Within 7 days: Subscribe to InstantCMS security advisories and monitor for patch availability; implement compensating controls listed below. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

CVE-2026-28281 vulnerability details – vuln.today

Back

CVE-2026-28281

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-28281

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code