VYPR
Medium severity · NVD Advisory · Published Mar 6, 2026 · Updated Apr 27, 2026

CVE-2026-1468

Description

QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft a special website which, when visited by the victim, will automatically send a POST request with the victim's privileges. This software does not implement any protection against this type of attack. All forms available in this software are potentially vulnerable.

The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed vulnerable; other versions were not tested and might also be vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

QuickCMS 6.8 is vulnerable to Cross-Site Request Forgery (CSRF) across multiple endpoints, allowing attackers to perform actions on behalf of an administrator.

CVE-2026-1468 is a Cross-Site Request Forgery (CSRF) vulnerability in QuickCMS version 6.8 [2]. The application has no CSRF protection mechanism at all (no anti-forgery token, no origin check), so every state-changing form is potentially exploitable [1].

An attacker can craft a malicious website that, when visited by an authenticated administrator, automatically submits a POST request to the QuickCMS server. For example, it can create a new product with attacker-defined content without the administrator's consent [1]. No authentication bypass is needed: the forged request rides on the victim's existing session, because the browser attaches the site's cookies to the cross-site submission.

Successful exploitation allows an attacker to perform any action available through the application's forms, such as creating, modifying, or deleting content, with the privileges of the victim administrator [1]. This could lead to unauthorized changes to the website's content or configuration.

The vendor was notified but did not provide a vulnerable version range or a patch. Only version 6.8 was confirmed vulnerable; other versions may also be affected [1]. Until a fix is available, site operators should restrict access to the admin interface (for example, to trusted networks) and, where they can change the deployment, add standard CSRF defences: a per-session anti-forgery token checked on every state-changing request, a check that the Origin or Referer header matches the site's own origin, and a SameSite attribute on the session cookie so that browsers which honour it do not attach the cookie to cross-site POSTs.
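The mechanism above, and the check that closes it, as an added example in Python. This is not code from the advisory or from QuickCMS: the site origin `https://cms.example`, the cookie name `session`, the hidden field name `csrf_token`, and the two request shapes are all assumptions made for illustration. The forged request is what a browser sends when an attacker's page auto-submits a form: the victim's cookie is attached, the Origin header names the attacker's site, and no anti-forgery token is present. The verifier rejects it on either ground, and would still reject it if a browser suppressed the Origin header, because the token check does not depend on headers.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Origin the admin interface is served from (assumed value for the example).
SITE_ORIGIN = "https://cms.example"

# Server-side key for binding anti-forgery tokens to sessions; generated per process.
_SERVER_KEY = secrets.token_bytes(32)

# Methods that change state and therefore need CSRF protection.
_UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session. Render it as a hidden form field
    on every state-changing form; an attacker's page cannot read it cross-site."""
    return hmac.new(_SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _is_same_origin(url: str) -> bool:
    """True when the scheme and host of an Origin/Referer value equal SITE_ORIGIN."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def check_csrf(request: dict) -> tuple[bool, str]:
    """Decide whether a state-changing request may proceed.

    request = {"method": str, "headers": {...}, "cookies": {...}, "form": {...}}
    Returns (allowed, reason). Both defences must pass: a source check on
    Origin/Referer when present, and a mandatory session-bound token.
    """
    if request["method"].upper() not in _UNSAFE_METHODS:
        return True, "safe method"

    session_id = request["cookies"].get("session")
    if not session_id:
        return False, "no session cookie"

    # Defence 1: reject requests that announce a foreign source.
    headers = {k.lower(): v for k, v in request["headers"].items()}
    source = headers.get("origin") or headers.get("referer")
    if source is not None and not _is_same_origin(source):
        return False, f"cross-origin source {source}"

    # Defence 2: the token must be present and match the session-bound value.
    # This catches forged requests even when no Origin/Referer header was sent.
    expected = issue_csrf_token(session_id)
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid csrf token"

    return True, "ok"


# --- Constructed sample requests (not captured traffic) -----------------------

def forged_cross_site_post(session_id: str = "admin-session-1") -> dict:
    """What the server receives when the victim visits the attacker's page:
    the victim's cookie rides along, Origin is the attacker's site, no token."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "cookies": {"session": session_id},
        "form": {"name": "attacker-defined product", "price": "1"},
    }


def forged_post_without_origin(session_id: str = "admin-session-1") -> dict:
    """Same forgery, but with no Origin/Referer header at all."""
    req = forged_cross_site_post(session_id)
    req["headers"] = {"Content-Type": "application/x-www-form-urlencoded"}
    return req


def legitimate_post(session_id: str = "admin-session-1") -> dict:
    """A submission from the real admin form, carrying the token the server issued."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "cookies": {"session": session_id},
        "form": {"name": "real product", "price": "10",
                 "csrf_token": issue_csrf_token(session_id)},
    }


if __name__ == "__main__":
    for label, req in [("forged", forged_cross_site_post()),
                       ("forged, no Origin", forged_post_without_origin()),
                       ("legitimate", legitimate_post())]:
        print(f"{label:18s} -> {check_csrf(req)}")
```

The token is derived with an HMAC over the session id rather than stored per session, so no extra server state is needed and a token from one session is useless in another. Note that a default of SameSite=Lax on the session cookie, which some browsers apply when the attribute is absent, already stops the cookie from being attached to a cross-site POST in those browsers, but it is not a substitute for the server-side check above.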

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.