CSRF Vulnerability in e107 CMS Prior to Version 2.3.5
CVE-2026-46620

6.5 MEDIUM

Key Information:

Vendor: E107inc
Status: Vendor
CVE Published: 26 May 2026

What is CVE-2026-46620?

Versions of the e107 content management system (CMS) prior to 2.3.5 do not properly enforce CSRF token validation for comment moderation actions. The session_handler::check() method validates the token only when one is explicitly present in the request; a state-changing request that simply omits the token is accepted. An attacker who can get a logged-in user with moderation rights to load a crafted page can therefore have moderation actions performed in that user's session without their consent, which is why the CVSS vector below rates integrity impact as High while confidentiality and availability are unaffected and user interaction is required. The issue is fixed in e107 CMS version 2.3.5, which enforces CSRF token validation for all applicable state-changing requests.
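
The following is an added illustration, not e107's own code, of the two check patterns the description contrasts: a check that only runs when a token happens to be present, and one that requires a token on every state-changing request. The request parameter name `e-token`, the `$session` array layout and the sample moderation parameters are assumptions made for the example.

```php
<?php
// Added example (not from e107): "validate only if a token is present" versus
// "require and validate a token on every state-changing request".

/**
 * Vulnerable pattern: the comparison is skipped entirely when the request
 * carries no token, so a cross-site form that omits the parameter passes.
 */
function weak_check(array $session, array $request): bool
{
    if (!isset($request['e-token'])) {   // 'e-token' is an assumed parameter name
        return true;                     // bypass: missing token is treated as valid
    }
    return hash_equals($session['token'], (string) $request['e-token']);
}

/**
 * Hardened pattern: no session token or no request token means the request is
 * rejected; when both exist they are compared in constant time.
 */
function strict_check(array $session, array $request): bool
{
    if (empty($session['token']) || !isset($request['e-token'])) {
        return false;
    }
    return hash_equals($session['token'], (string) $request['e-token']);
}

/**
 * Runs the four cases that matter for a CSRF check and returns the outcomes,
 * so the two implementations can be compared side by side.
 */
function compare_checks(): array
{
    // Constructed sample data: a per-session random token and a fake
    // moderation request ('action' and 'comment_id' are illustrative names).
    $session = ['token' => bin2hex(random_bytes(16))];
    $forged  = ['action' => 'approve', 'comment_id' => 42];   // cross-site form, no token
    $legit   = $forged + ['e-token' => $session['token']];    // genuine in-app form
    $wrong   = $forged + ['e-token' => 'deadbeef'];           // guessed token

    return [
        'weak_accepts_forged'   => weak_check($session, $forged),
        'strict_rejects_forged' => !strict_check($session, $forged),
        'strict_accepts_legit'  => strict_check($session, $legit),
        'strict_rejects_wrong'  => !strict_check($session, $wrong),
    ];
}

foreach (compare_checks() as $case => $ok) {
    printf("%-22s %s\n", $case, $ok ? 'yes' : 'no');
}
```

The first case is the whole bug: `weak_check` accepts the tokenless request, so a hidden auto-submitting form on an attacker's page succeeds. `strict_check` fails closed on a missing token and still uses `hash_equals` to avoid timing differences. Independently of the token check, state-changing actions should only be accepted over POST, and setting session cookies with `SameSite=Lax` or `Strict` gives a second layer that limits which cross-site requests carry the victim's session at all.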

Affected Version(s)

e107 < 2.3.5

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 26 May 2026

  • Vulnerability reserved