SimplCommerce
CVE-2026-9591
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network CSRF requires no attacker privileges but needs a logged-in admin to load attacker content (UI:R); abuse of the admin's session crosses authority boundaries (S:C); only integrity is impacted.
Primary rating from Vendor (Checkmarx).
CVSS VectorVendor: Checkmarx
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to /api/news-items, due to missing anti-CSRF protection.
AnalysisAI
Cross-site request forgery in SimplCommerce's NewsItemApiController allows remote attackers to coerce an authenticated administrator's browser into creating or modifying news items via the /api/news-items endpoint, due to a disabled anti-forgery filter prior to commit 6233d73e. The CVSS 4.0 score of 8.3 reflects high integrity impact extending to subsequent systems (the admin's session), and no public exploit identified at time of analysis, though Checkmarx has published reference material describing the issue.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) the SimplCommerce instance to be running a build prior to commit 6233d73e with the disabled `CookieOnlyAutoValidateAntiforgeryTokenAuthorizationFilter`, (2) an administrator account holding a live `Identity.Application` cookie at the moment of attack, and (3) that administrator to be induced to load attacker-controlled web content (UI:A in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-high but conditional. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a malicious page or sends a phishing link to a SimplCommerce administrator known to be logged in; the page auto-submits a hidden form to `https://victim-store.example/api/news-items` with attacker-chosen content. Because the antiforgery filter is disabled, the admin's browser-attached session cookie is accepted as authorization and a fraudulent news item is created or an existing one is modified - usable to plant scam content, defacement, or SEO-poisoned links on the storefront. |
| Remediation | Upstream fix available (commit 6233d73e via PR #1150); released patched version not independently confirmed, so operators tracking `main` should update to a build that includes this commit and verify that `CookieOnlyAutoValidateAntiforgeryTokenAuthorizationFilter` is registered in `ServiceCollectionExtensions.AddModules`. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all SimplCommerce deployments and confirm installed version against vendor security advisory for CVE-2026-9591. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Simplcommerce
View allSame weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today