CVE-2026-9591: Cross-Site Request Forgery (CSRF) in SimplCommerce News Module
Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.
Metrics
- CVSS v4.0: 8.3
- Severity: HIGH
- Fixed in: 6233d73e
- Affected Products: 1
HarborGuard Analysis
Synopsis
Cross-site request forgery (CSRF) affects the News module API controller in SimplCommerce prior to commit 6233d73e. An unauthenticated remote attacker can exploit this by tricking an administrator into submitting a crafted form, requiring no credentials of their own. Successful exploitation lets the attacker create or modify news items with administrator-level privileges, and also affects systems that depend on SimplCommerce data. A patched-image rebuild at commit 6233d73e is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle SimplCommerce, in both registry scans and CI pipeline checks.
HarborGuard scores this CVE at 8.3 HIGH using the CVSS v4.0 vector and weights it against each environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild based on commit 6233d73e is available on HarborGuard for images that include an affected version of SimplCommerce. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the target SimplCommerce instance over the network in order to serve the crafted form to a victim.
- Authentication: Not required
The attacker needs no credentials; the exploit relies on the authenticated administrator's existing session rather than any account held by the attacker.
- Victim interaction: Required
The attacker must socially engineer an administrator into loading or submitting a crafted form, for example by luring them to a malicious page while they are logged in.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental factors beyond getting the victim to interact.
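The missing check the advisory describes, as an added illustration in ASP.NET Core (this is not SimplCommerce's own code; the controller names, route binding and `NewsItemForm` model are hypothetical): a cookie-authenticated POST that performs no anti-forgery validation, beside the same action gated by `[ValidateAntiForgeryToken]`, with the application-wide filter that prevents the omission from recurring.

```csharp
// Illustrative ASP.NET Core controllers (hypothetical, not SimplCommerce's code).
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public record NewsItemForm(string Name, string ShortContent, bool IsPublished);

// BEFORE: authorization alone does not stop CSRF. The browser attaches the
// administrator's session cookie to any cross-site form post, so a page the
// admin merely visits can drive this action with the admin's privileges.
[Authorize(Roles = "admin")]
[Route("api/news-items")]
public class VulnerableNewsItemApiController : Controller
{
    [HttpPost]
    public IActionResult Post([FromForm] NewsItemForm model)
    {
        // ... persist the news item ...
        return Accepted();
    }
}

// AFTER: the same action additionally requires a valid anti-forgery token.
// The token is bound to the current user's session and is delivered to the
// legitimate admin UI only; a cross-origin page cannot read or forge it, so a
// crafted form lacking it is rejected before the action body runs.
[Authorize(Roles = "admin")]
[Route("api/news-items")]
public class HardenedNewsItemApiController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Post([FromForm] NewsItemForm model)
    {
        // ... persist the news item ...
        return Accepted();
    }
}

// Defence in depth (Program.cs): validate the token on every unsafe HTTP
// method application-wide, so a new controller cannot silently repeat the
// omission. Script-driven clients send the token in the configured header.
//
// builder.Services.AddControllersWithViews(options =>
//     options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
// builder.Services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");
```

Server-rendered forms obtain the token from `@Html.AntiForgeryToken()` in the Razor view; a regression test for this class of bug posts to the endpoint with a valid session cookie but no token and asserts a 400 response.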
Blast Radius
- The attacker can create or modify news items through the `/api/news-items` endpoint using the administrator's session, injecting arbitrary content into the site.
- Integrity of the SimplCommerce news catalog is fully compromised, with no authentication barrier protecting write operations.
- Downstream or integrated systems that consume SimplCommerce news data are also affected, as the CVSS vector notes high integrity impact on scope-changed components.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-9591 is active across all scanning environments, matching images that include SimplCommerce versions prior to commit 6233d73e. A patched-image rebuild at the fix commit is available. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding appears in the priority queue with CVSS score, affected image list, and a diff linking to the upstream fix commit. As a compensating control before patching, network policy rules that restrict which internal roles can reach the `/api/news-items` endpoint limit the exposure of administrator sessions to a CSRF payload; because the forged request is issued by the administrator's own browser, this helps only where that browser's network position is also constrained.
Affected Products
- simplcommerce / SimplCommerce: < 6233d73e (from 0)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N