VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2026 · Updated Jun 17, 2026

Cross-Site Request Forgery (CSRF) in SimplCommerce News Module

CVE-2026-9591

Description

Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to /api/news-items, due to missing anti-CSRF protection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing anti-CSRF token validation on the `/api/news-items` endpoint allows unauthenticated cross-site request forgery."

Attack vector

An unauthenticated remote attacker crafts a malicious HTML form that submits a POST request to `/api/news-items`. Because the endpoint had no anti-CSRF token validation, the browser automatically includes the victim administrator's session cookie, allowing the attacker to create or modify news items on behalf of the admin. This is a classic cross-site request forgery (CSRF) attack. [ref_id=1]

Affected code

The `NewsItemApiController` in SimplCommerce lacked anti-CSRF protection on its `/api/news-items` endpoint. The patch re-introduces the `CookieOnlyAutoValidateAntiforgeryTokenAuthorizationFilter` class and registers it as a global MVC filter in `AddCustomizedMvc`, ensuring that state-changing API requests are validated for an anti-forgery token. [patch_id=6466994]

What the fix does

The patch uncomments and re-implements the `CookieOnlyAutoValidateAntiforgeryTokenAuthorizationFilter` class, which validates anti-forgery tokens on non-GET requests to `/api` paths when the user is authenticated via the `Identity.Application` cookie scheme. It then registers this filter globally in `AddCustomizedMvc` via `options.Filters.Add<...>()`. This ensures that any state-changing API request (POST, PUT, DELETE, etc.) must include a valid anti-forgery token, blocking forged cross-origin submissions. [patch_id=6466994]
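As an added illustration of the mitigation described above (this is not SimplCommerce's own code; the class name, the registration method and the assumption that cookie-based identities carry `Identity.Application` as their authentication type are the author's), a global filter that validates the anti-forgery token on state-changing `/api` requests only when the caller was authenticated by the cookie scheme, together with its registration:

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical filter: enforces the anti-forgery check on non-safe requests under
// /api, but only for callers whose identity came from the Identity.Application
// cookie. Bearer-token clients carry no ambient cookie, so a forged cross-site
// form cannot ride on their credentials and they are left alone.
public sealed class ApiCookieAntiforgeryFilter : IAsyncAuthorizationFilter
{
    private const string CookieScheme = "Identity.Application"; // assumed AuthenticationType
    private readonly IAntiforgery _antiforgery;

    public ApiCookieAntiforgeryFilter(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var http = context.HttpContext;
        var method = http.Request.Method;

        // Safe methods do not change state; let the browser send them freely.
        if (HttpMethods.IsGet(method) || HttpMethods.IsHead(method)
            || HttpMethods.IsOptions(method) || HttpMethods.IsTrace(method))
            return;

        // Only API routes are covered here; MVC form actions keep their own attributes.
        if (!http.Request.Path.StartsWithSegments("/api"))
            return;

        // Cookie-authenticated users are the CSRF-exposed population.
        var identity = http.User?.Identity;
        if (identity is null || !identity.IsAuthenticated || identity.AuthenticationType != CookieScheme)
            return;

        try
        {
            // Compares the request token (form field or header) with the cookie token.
            await _antiforgery.ValidateRequestAsync(http);
        }
        catch (AntiforgeryValidationException)
        {
            // Short-circuit: the controller action never runs for a forged request.
            context.Result = new BadRequestResult();
        }
    }
}

public static class MvcSetup
{
    // Registers the filter globally, in the spirit of options.Filters.Add<...>() in AddCustomizedMvc.
    public static IMvcBuilder AddMvcWithApiAntiforgery(this IServiceCollection services) =>
        services.AddControllersWithViews(options => options.Filters.Add<ApiCookieAntiforgeryFilter>());
}
```

Clients that legitimately call `/api` from the admin UI must then send the token (for example via the header configured on `AddAntiforgery`), which a cross-origin page cannot read.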

Preconditions

  • Auth: The victim must be logged into SimplCommerce as an administrator with an active session cookie.
  • Input: The attacker must trick the victim into visiting a crafted HTML page that submits a form to `/api/news-items`.
  • Config: The target SimplCommerce instance must be running a version prior to commit 6233d73e.

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
