← volver
CVE-2026-28281

InstantCMS has Multiple CSRF Vulnerabilities

CVSS 7.1 HIGHEPSS 0.1%CWE-352
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 7.1EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
09 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Productos afectados
instantsoft · icms2

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m