CVE-2026-28281

HIGH 7.1

InstantCMS has Multiple CSRF Vulnerabilities

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.

CWE	CWE-352
Vendor	instantsoft
Product	icms2
Published	Mar 9, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for instantsoft icms2

Be the first to know when new high vulnerabilities affecting instantsoft icms2 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Affected Versions

instantsoft / icms2

< 2.18.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m