CVE-2026-9591

UNKNOWN 0.0

Cross-Site Request Forgery (CSRF) in SimplCommerce News Module

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.

CWE	CWE-352
Vendor	simplcommerce
Product	simplcommerce
Published	Jun 17, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for simplcommerce simplcommerce

Be the first to know when new unknown vulnerabilities affecting simplcommerce simplcommerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

simplcommerce / SimplCommerce

0 < 6233d73e

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/simplcommerce/SimplCommerce/pull/1150 github.com: https://github.com/simplcommerce/SimplCommerce/commit/6233d73e134c887fc3f3308d20710bec096d45e3