Platform
php
Component
icms2
Fixed in
2.18.2
CVE-2026-28281 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in InstantCMS, a free and open-source content management system. This flaw allows attackers to perform actions on behalf of authenticated users without their consent, potentially leading to unauthorized modifications and privilege escalation. The vulnerability affects versions of InstantCMS prior to 2.18.1, and a patch is available in version 2.18.1.
The CSRF vulnerability in InstantCMS allows an attacker to craft malicious requests that, when triggered by a victim, can execute actions as that user. Specifically, an attacker could grant moderator privileges to arbitrary users, execute scheduled tasks within the CMS, move posts to the trash, and accept friend requests. This can lead to significant data manipulation, unauthorized content publishing, and potential compromise of the entire CMS instance. The impact is amplified if the attacker can target users with elevated privileges, such as administrators.
CVE-2026-28281 was publicly disclosed on 2026-03-09. No public proof-of-concept exploits are currently known. The EPSS score is likely low to medium, given the reliance on social engineering to trigger the CSRF attack and the availability of a straightforward patch. It has not been added to the CISA KEV catalog as of this writing.
Organizations and individuals using InstantCMS versions prior to 2.18.1 are at risk. This includes websites and applications relying on InstantCMS for content management, particularly those with a large user base or sensitive data. Shared hosting environments using InstantCMS are also at increased risk due to the potential for cross-tenant exploitation.
• php / web:
curl -I <your_instantcms_url> | grep -i 'csrf-token'
• php / web: Examine the source code for missing or improperly validated CSRF tokens in forms and sensitive actions.
• generic web: Monitor access logs for unusual requests originating from different IP addresses than the user's typical location.
• generic web: Check for suspicious POST requests containing unexpected parameters or actions.
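The last two checklist items can be turned into a small log scan. The following is an added example, not InstantCMS code or part of the original advisory: it parses Apache/nginx "combined" format access log lines and flags state-changing requests (POST/PUT/DELETE) whose Referer is missing or points at a host other than the site's own. The log lines and the paths in them are constructed for the demonstration. One caveat for the IP-based item above: a forged CSRF request is issued by the victim's own browser, so it arrives from the victim's usual IP address and session; the Referer/Origin host is the more useful signal.

```php
<?php
// Added example (not InstantCMS code): scan "combined" access log lines for
// state-changing requests that look cross-site. Sample lines are constructed;
// the application paths are hypothetical.

declare(strict_types=1);

// ip - user [time] "METHOD path PROTO" status size "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

function parse_combined(string $line): ?array {
    if (!preg_match(LOG_RE, $line, $m)) {
        return null; // not a combined-format line; skip it
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

/**
 * A request is flagged when it changes state and its Referer is either
 * absent ("-") or names a foreign host. An absent Referer is a weaker
 * signal (privacy extensions and some referrer policies strip it), so it is
 * reported at a lower severity than a foreign host.
 */
function find_cross_site_writes(array $lines, string $siteHost): array {
    $findings = [];
    foreach ($lines as $n => $line) {
        $r = parse_combined($line);
        if ($r === null || !in_array($r['method'], ['POST', 'PUT', 'DELETE'], true)) {
            continue;
        }
        if ($r['referer'] === '-') {
            $findings[] = ['line' => $n + 1, 'severity' => 'low', 'reason' => 'no Referer',
                           'ip' => $r['ip'], 'path' => $r['path']];
            continue;
        }
        $refHost = parse_url($r['referer'], PHP_URL_HOST) ?: '(unparseable)';
        if ($refHost !== $siteHost) {
            $findings[] = ['line' => $n + 1, 'severity' => 'high', 'reason' => "Referer host $refHost",
                           'ip' => $r['ip'], 'path' => $r['path']];
        }
    }
    return $findings;
}

// Constructed sample: one legitimate write, one write referred from a foreign
// page, and one write with no Referer at all.
$sample = [
    '203.0.113.5 - - [09/Mar/2026:10:01:02 +0000] "GET /users/42 HTTP/1.1" 200 5120 "https://cms.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Mar/2026:10:01:10 +0000] "POST /admin/users/42/moderator HTTP/1.1" 302 0 "https://cms.example/users/42" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Mar/2026:10:03:44 +0000] "POST /admin/users/42/moderator HTTP/1.1" 302 0 "https://evil.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Mar/2026:10:04:01 +0000] "POST /friends/accept/7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (find_cross_site_writes($sample, 'cms.example') as $f) {
    printf("[%s] line %d: write to %s from %s (%s)\n",
           $f['severity'], $f['line'], $f['path'], $f['ip'], $f['reason']);
}
```

Run it with php on a real log by replacing $sample with file('/path/to/access.log', FILE_IGNORE_NEW_LINES). Restricting the scan to the paths of the sensitive actions the advisory names (moderator grants, scheduled tasks, trash moves, friend requests) keeps the output focused once those routes are known for the deployment.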
Disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28281 is to upgrade InstantCMS to version 2.18.1 or later, which includes the necessary CSRF token validation. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, review and restrict user permissions to minimize the potential impact of successful exploitation. After upgrading, confirm the fix by attempting to trigger a sensitive action (e.g., granting moderator privileges) through a crafted URL; the action should be rejected if CSRF protection is properly implemented.
Update InstantCMS to version 2.18.1 or higher. This version fixes the CSRF vulnerabilities that allow attackers to perform unauthorized actions on behalf of users. The update is essential to protect your website against potential attacks.
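The mitigation advice above rests on server-side CSRF token validation. The following is an added example of the synchroniser-token pattern in plain PHP; it is not InstantCMS code and does not reproduce the project's actual fix. It assumes a PHP session is available and uses a hypothetical "grant moderator" handler to show the checks a state-changing action needs: POST only, a per-session random token compared in constant time, and an Origin header check as defence in depth.

```php
<?php
// Added example (not InstantCMS code): synchroniser-token CSRF protection
// for a state-changing action. Endpoint and handler names are hypothetical.

declare(strict_types=1);

function csrf_token(): string {
    // One token per session, generated from a CSPRNG on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string {
    // Hidden input to embed in every server-rendered form that changes state.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_valid(array $post, array $server, string $expected, string $siteHost): bool {
    // 1. The submitted token must be present and equal to the session token.
    //    hash_equals avoids leaking the token through timing differences.
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || $sent === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    // 2. Defence in depth: when the browser sends an Origin header it must be
    //    our own host. Absence is tolerated here (older clients, some proxies
    //    strip it); presence with a foreign host is a definite cross-site post.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && parse_url($origin, PHP_URL_HOST) !== $siteHost) {
        return false;
    }
    return true;
}

// Hypothetical handler for a privilege-changing action.
function handle_grant_moderator(array $post, array $server, string $siteHost): string {
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        // A GET-triggered state change (image tag, link) is rejected before
        // any token is even looked at.
        return 'rejected: state change requires POST';
    }
    if (!csrf_valid($post, $server, csrf_token(), $siteHost)) {
        return 'rejected: CSRF check failed';
    }
    // ... authorisation check and the actual grant would go here ...
    return 'ok: moderator granted to user ' . (int) ($post['user_id'] ?? 0);
}

// Self-contained demonstration for the CLI (php csrf_demo.php). $_SESSION is
// populated directly so no session_start() is needed; in a web request the
// session would be started normally.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $site = 'cms.example';
    $post = ['csrf_token' => csrf_token(), 'user_id' => '42'];
    $server = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://cms.example'];
    echo handle_grant_moderator($post, $server, $site), PHP_EOL;

    // A forged request from another origin: the attacker cannot read the
    // victim's token, so whatever value is sent will not match.
    $forged = ['csrf_token' => str_repeat('0', 64), 'user_id' => '42'];
    $foreign = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://evil.example'];
    echo handle_grant_moderator($forged, $foreign, $site), PHP_EOL;

    // A GET trigger never reaches the token comparison.
    echo handle_grant_moderator([], ['REQUEST_METHOD' => 'GET'], $site), PHP_EOL;
}
```

Two design points: the token is bound to the session rather than to a user ID, so it is invalidated whenever the session is, and the Origin check is additive, never a replacement for the token. Setting the session cookie with the SameSite attribute (Lax or Strict) is a further browser-side layer that complements, but does not replace, the server-side check.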
CVE-2026-28281 is a Cross-Site Request Forgery vulnerability affecting InstantCMS versions before 2.18.1, allowing attackers to perform actions as authenticated users.
You are affected if you are using InstantCMS version 2.18.1 or earlier. Upgrade to 2.18.1 to resolve the vulnerability.
Upgrade InstantCMS to version 2.18.1. Consider implementing a Content Security Policy (CSP) as an interim measure.
As of the public disclosure date, there are no confirmed reports of active exploitation, but monitoring is advised.
Refer to the official InstantCMS website and security advisories for the latest information and updates regarding this vulnerability.