CVE-2016-20053

Redaxo CMS 5.2 Cross-Site Request Forgery via users endpoint

CVSS 6.9 MEDIUMEPSS 0.1%CWE-352

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 6.9EPSS 0.1%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

04 Apr 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint with hidden fields containing admin credentials and account parameters to add new administrator accounts without user consent.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

Affected products

Redaxo · Redaxo CMS

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/40708unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.exploit-db.com/exploits/40708 https://www.vulncheck.com/advisories/redaxo-cms-cross-site-request-forgery-via-users-endpoint