CVE-2026-28281 - Vulnerability Details - OpenCVE

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Instantcms	Icms2

No data.

No data.

References

Link	Providers
https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m

History

Tue, 10 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Instantcms Instantcms icms2
Vendors & Products		Instantcms Instantcms icms2

Mon, 09 Mar 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.
Title		InstantCMS has Multiple CSRF Vulnerabilities
Weaknesses		CWE-352
References		https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-09T22:13:24.662Z

Updated: 2026-03-10T14:33:49.843Z

Reserved: 2026-02-26T01:52:58.734Z

Link: CVE-2026-28281

Vulnrichment

Updated: 2026-03-10T14:33:47.178Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28281", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.734Z", "datePublished": "2026-03-09T22:13:24.662Z", "dateUpdated": "2026-03-10T14:33:49.843Z"}, "containers": {"cna": {"title": "InstantCMS has Multiple CSRF Vulnerabilities", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m"}], "affected": [{"vendor": "instantsoft", "product": "icms2", "versions": [{"version": "< 2.18.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:13:24.662Z"}, "descriptions": [{"lang": "en", "value": "InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1."}], "source": {"advisory": "GHSA-pp43-262q-h73m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:33:44.185664Z", "id": "CVE-2026-28281", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:33:49.843Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T14:33:44.185664Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:33:47.178Z"}}], "cna": {"title": "InstantCMS has Multiple CSRF Vulnerabilities", "source": {"advisory": "GHSA-pp43-262q-h73m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "instantsoft", "product": "icms2", "versions": [{"status": "affected", "version": "< 2.18.1"}]}], "references": [{"url": "https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m", "name": "https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-09T22:13:24.662Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28281", "state": "PUBLISHED", "dateUpdated": "2026-03-10T14:33:49.843Z", "dateReserved": "2026-02-26T01:52:58.734Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-09T22:13:24.662Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}