CVE-2026-46620

Source
https://cve.org/CVERecord?id=CVE-2026-46620
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46620.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46620
Aliases
  • GHSA-m4hh-m278-jwg5
Published
2026-05-26T15:04:32.092Z
Modified
2026-07-08T08:13:39.008319848Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
e107: CSRF in comment.php moderation endpoints via token-optional validation in session_handler::check()
Details

e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing request, it only validates the token if one happens to be present. If there is no token at all, the check is skipped entirely. This vulnerability is fixed in 2.3.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46620.json",
    "cwe_ids": [
        "CWE-285",
        "CWE-352"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/e107inc/e107

Affected ranges

Type
GIT
Repo
https://github.com/e107inc/e107
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.5"
        }
    ]
}

Affected versions

v2.*
v2.0-beta1
v2.0alpha
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.3.0
v2.3.0-rc1
v2.3.1
v2.3.2
v2.3.3
v2.3.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46620.json"