Skip to main content

Simplcommerce

2 CVEs product

Monthly

CVE-2026-9591 MEDIUM PATCH This Month

Cross-site request forgery in SimplCommerce's NewsItemApiController allows remote attackers to coerce an authenticated administrator's browser into creating or modifying news items via the `/api/news-items` endpoint, due to a disabled anti-forgery filter prior to commit 6233d73e. The CVSS 4.0 score of 8.3 reflects high integrity impact extending to subsequent systems (the admin's session), and no public exploit identified at time of analysis, though Checkmarx has published reference material describing the issue.

CSRF Simplcommerce
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-11975 MEDIUM PATCH This Month

Stored XSS in SimplCommerce's news module allows an authenticated administrator to persist arbitrary JavaScript via the ShortContent and FullContent fields of NewsItemApiController, which are stored without HTML sanitization and rendered unencoded through Razor's @Html.Raw() method. Any site visitor who subsequently loads an affected news page will execute the injected script in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available at commit 6142d3b5 per Checkmarx's disclosure.

XSS Simplcommerce
NVD GitHub
CVSS 4.0
6.2
EPSS
0.3%
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-site request forgery in SimplCommerce's NewsItemApiController allows remote attackers to coerce an authenticated administrator's browser into creating or modifying news items via the `/api/news-items` endpoint, due to a disabled anti-forgery filter prior to commit 6233d73e. The CVSS 4.0 score of 8.3 reflects high integrity impact extending to subsequent systems (the admin's session), and no public exploit identified at time of analysis, though Checkmarx has published reference material describing the issue.

CSRF Simplcommerce
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Stored XSS in SimplCommerce's news module allows an authenticated administrator to persist arbitrary JavaScript via the ShortContent and FullContent fields of NewsItemApiController, which are stored without HTML sanitization and rendered unencoded through Razor's @Html.Raw() method. Any site visitor who subsequently loads an affected news page will execute the injected script in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available at commit 6142d3b5 per Checkmarx's disclosure.

XSS Simplcommerce
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy