CVE-2026-9591

EUVD-2026-37710
Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/simplcommerce/SimplCommerce/commit/6233d73e134c887fc3f3308d20710bec096d45e3
https://github.com/simplcommerce/SimplCommerce/pull/1150