CVE-2026-39170
Description
SEMCMS 5.0 and earlier is vulnerable to Cross-Site Request Forgery (CSRF) in the user management module, allowing attackers to perform unintended actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
SEMCMS versions 5.0 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability within the administrative user management module. The application fails to implement anti-CSRF token validation for user management operations, making it susceptible to malicious requests [1].
Exploitation
An attacker can exploit this vulnerability by tricking an authenticated administrator into executing unintended actions via a crafted malicious request. This is achieved by leveraging the lack of anti-CSRF token validation in the user management module, specifically targeting POST requests to /admin/semcms_user.php [1].
Impact
Successful exploitation allows an attacker to perform actions on behalf of an authenticated administrator. This could lead to unauthorized modification or deletion of user data, or to other administrative actions the administrator did not intend [1].
Mitigation
SEMCMS versions 5.0 and earlier are affected. Information regarding a fixed version or specific mitigation steps beyond preventing user interaction with malicious requests is not yet disclosed in the available references [1].
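With no fix disclosed, one check available to defenders is to review web server logs for POSTs to /admin/semcms_user.php that did not originate from the site's own pages. The script below is an added example, not SEMCMS code or part of the cited reference; it assumes the Apache/nginx "combined" log format and a placeholder hostname `cms.example.test`, and its log lines are constructed.

```python
import re
from urllib.parse import urlsplit

TARGET_PATH = "/admin/semcms_user.php"   # endpoint named in the advisory text
SITE_HOST = "cms.example.test"           # assumed: the site's own hostname

# Assumed Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """None unless the line is a POST to TARGET_PATH; otherwise where it came from."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if urlsplit(m["target"]).path != TARGET_PATH:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return "no-referer"
    # Compare the parsed hostname exactly; a substring or prefix test would
    # accept look-alike hosts that merely contain SITE_HOST.
    host = urlsplit(referer).hostname
    if host is None or host.lower() != SITE_HOST:
        return "cross-origin"
    return "same-origin"

def review(lines):
    """Return (verdict, client_ip, timestamp) for POSTs that need a human look."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict in ("no-referer", "cross-origin"):
            m = LINE_RE.match(line)
            hits.append((verdict, m["ip"], m["ts"]))
    return hits

# Constructed sample lines (documentation IP range and reserved domains).
_FMT = '192.0.2.10 - - [09/Jun/2026:10:0{n}:00 +0000] "{req} HTTP/1.1" 302 0 "{ref}" "Mozilla/5.0"'
SAMPLE_LOG = [
    _FMT.format(n=0, req="POST " + TARGET_PATH, ref="https://cms.example.test" + TARGET_PATH),
    _FMT.format(n=1, req="POST " + TARGET_PATH, ref="https://other.example/page.html"),
    _FMT.format(n=2, req="POST " + TARGET_PATH, ref="-"),
    _FMT.format(n=3, req="POST " + TARGET_PATH, ref="https://cms.example.test.other.example/"),
    _FMT.format(n=4, req="GET " + TARGET_PATH, ref="https://other.example/page.html"),
    _FMT.format(n=5, req="POST /index.php", ref="https://other.example/page.html"),
]
```

A missing Referer can also come from browser privacy settings, so "no-referer" hits are triage leads rather than confirmed forgeries. This log review does not replace the anti-CSRF token validation the application lacks.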
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.