CVE-2026-28281

Source
https://cve.org/CVERecord?id=CVE-2026-28281
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28281.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28281
Aliases
  • GHSA-pp43-262q-h73m
Published
2026-03-09T22:13:24.662Z
Modified
2026-03-15T13:45:25.824067Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Summary
InstantCMS has Multiple CSRF Vulnerabilities
Details

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.

Database specific
{
    "cwe_ids": [
        "CWE-352"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28281.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/instantsoft/icms2

Affected ranges

Type
GIT
Repo
https://github.com/instantsoft/icms2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*
2.10.0
2.10.1
2.11.0
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.14.0
2.14.1
2.14.2
2.14.3
2.15.0
2.15.1
2.15.2
2.16.0
2.16.1
2.16.2
2.17.0
2.17.1
2.17.2
2.17.3
2.18.0
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.6.1
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28281.json"