Skip to main content

SimplCommerce CVE-2026-9591

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-17 Checkmarx
6.9
CVSS 4.0 · Vendor: Checkmarx
Share

Severity by source

Vendor (Checkmarx) PRIMARY
6.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

Network CSRF requires no attacker privileges but needs a logged-in admin to load attacker content (UI:R); abuse of the admin's session crosses authority boundaries (S:C); only integrity is impacted.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (Checkmarx).

CVSS VectorVendor: Checkmarx

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Severity Changed
Jun 18, 2026 - 14:22 NVD
HIGH MEDIUM
CVSS changed
Jun 18, 2026 - 14:22 NVD
8.3 (HIGH) 6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 17, 2026 - 14:22 vuln.today
Analysis Generated
Jun 17, 2026 - 14:22 vuln.today

DescriptionCVE.org

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to /api/news-items, due to missing anti-CSRF protection.

AnalysisAI

Cross-site request forgery in SimplCommerce's NewsItemApiController allows remote attackers to coerce an authenticated administrator's browser into creating or modifying news items via the /api/news-items endpoint, due to a disabled anti-forgery filter prior to commit 6233d73e. The CVSS 4.0 score of 8.3 reflects high integrity impact extending to subsequent systems (the admin's session), and no public exploit identified at time of analysis, though Checkmarx has published reference material describing the issue.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify SimplCommerce admin target
Delivery
Host malicious CSRF page
Exploit
Phish admin to visit page
Execution
Browser auto-submits forged POST to /api/news-items
Persist
Server accepts cookie-authenticated request
Impact
Malicious news item created on storefront

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the SimplCommerce instance to be running a build prior to commit 6233d73e with the disabled `CookieOnlyAutoValidateAntiforgeryTokenAuthorizationFilter`, (2) an administrator account holding a live `Identity.Application` cookie at the moment of attack, and (3) that administrator to be induced to load attacker-controlled web content (UI:A in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-high but conditional. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious page or sends a phishing link to a SimplCommerce administrator known to be logged in; the page auto-submits a hidden form to `https://victim-store.example/api/news-items` with attacker-chosen content. Because the antiforgery filter is disabled, the admin's browser-attached session cookie is accepted as authorization and a fraudulent news item is created or an existing one is modified - usable to plant scam content, defacement, or SEO-poisoned links on the storefront.
Remediation Upstream fix available (commit 6233d73e via PR #1150); released patched version not independently confirmed, so operators tracking `main` should update to a build that includes this commit and verify that `CookieOnlyAutoValidateAntiforgeryTokenAuthorizationFilter` is registered in `ServiceCollectionExtensions.AddModules`. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all SimplCommerce deployments and confirm installed version against vendor security advisory for CVE-2026-9591. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9591 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy