CVE-2026-9591

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 17, 2026

Vendor unknown

Description

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.

References

https://github.com/simplcommerce/SimplCommerce/commit/6233d73e134c887fc3f3308d20710bec096d45e3
https://github.com/simplcommerce/SimplCommerce/pull/1150