CSRF Vulnerability in SimplCommerce NewsItemApiController
CVE-2026-9591

8.3HIGH

Key Information:

Vendor: Simplcommerce
Status: Simplcommerce
Vendor: CVE Published:; 17 June 2026

🔔 Create Simplcommerce Vulnerability Alert

What is CVE-2026-9591?

A critical security flaw exists in the NewsItemApiController of SimplCommerce, which enables an unauthenticated remote attacker to create or alter news items if they exploit this vulnerability. The lack of anti-CSRF protection allows attackers to submit forged forms to the /api/news-items endpoint, imitating legitimate administrator actions. This can lead to unauthorized changes within the application, posing a significant risk to data integrity and user trust.

Affected Version(s)

SimplCommerce 0

References

https://github.com/simplcommerce/SimplCommerce/pull/1150

https://github.com/simplcommerce/SimplCommerce/commit/623...

patch

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
May 26, 2026

CVE-2026-9591 Data

JSON