InstantCMS: Unprotected Access to Moderator Features
CVE-2026-28281
Summary
InstantCMS versions before 2.18.1 do not validate CSRF tokens on several state-changing requests. An attacker who lures a logged-in user (including an administrator) to a malicious page can make that user's browser submit requests that grant moderator privileges to an account, run scheduled tasks, move posts to the trash, or accept friend requests, all without the victim's knowledge. The issue is fixed in InstantCMS 2.18.1; update to that version or later.
What to do
Update InstantCMS to version 2.18.1 or later, which the advisory states contains the fix. Until the update is applied, be aware that any admin or moderator who browses other sites while logged in is exposed.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| instantcms | instantcms | < 2.18.1 | 2.18.1 |
Original title
InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user.
Original description
InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.
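The following is an added illustration of the flaw class, not code from InstantCMS or its fix. It models a "grant moderator" endpoint twice: once trusting the session cookie alone, as the advisory describes, and once requiring a per-session synchronizer token plus an Origin check. The request objects, session store, hostnames (cms.example, evil.example) and handler names are all constructed for the example.

```python
"""Added illustration (not InstantCMS code) of CWE-352: a state-changing
endpoint that trusts only the session cookie, beside a hardened version
that checks a per-session CSRF token. All requests are constructed inline."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a CMS controller sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser
    form: dict = field(default_factory=dict)      # chosen by whoever wrote the form
    headers: dict = field(default_factory=dict)


SESSIONS = {}  # session_id -> {"user": ..., "csrf": ...}; constructed in-memory store
SITE_ORIGIN = "https://cms.example"               # hypothetical site origin


def login(user):
    """Create a session and mint a CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def grant_moderator_vulnerable(req, roles):
    """Trusts the session cookie alone: any site that can make the victim's
    browser POST here succeeds. This is the pattern the advisory describes."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None or sess["user"] != "admin":
        return 403
    roles[req.form["user_id"]] = "moderator"
    return 200


def grant_moderator_fixed(req, roles):
    """Same action, but the form must carry the session's CSRF token.
    A cross-site page cannot read that token, so its forged POST is refused."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or sess is None or sess["user"] != "admin":
        return 403
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):  # constant-time compare
        return 403
    # Defence in depth: when the browser sends Origin, it must be our own site.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    roles[req.form["user_id"]] = "moderator"
    return 200


def forged_request(handler):
    """Admin is logged in; a page on evil.example auto-submits a hidden form.
    Returns (status, resulting role of user 42)."""
    roles = {"42": "user"}
    sid = login("admin")
    forged = Request(
        "POST", "/admin/users/grant",
        cookies={"sid": sid},                      # browser attaches the cookie
        form={"user_id": "42"},                    # attacker cannot know the csrf token
        headers={"Origin": "https://evil.example"},
    )
    return handler(forged, roles), roles["42"]


def genuine_request(handler):
    """The admin submits the real form, which embeds the session's token."""
    roles = {"42": "user"}
    sid = login("admin")
    genuine = Request(
        "POST", "/admin/users/grant",
        cookies={"sid": sid},
        form={"user_id": "42", "csrf_token": SESSIONS[sid]["csrf"]},
        headers={"Origin": SITE_ORIGIN},
    )
    return handler(genuine, roles), roles["42"]


if __name__ == "__main__":
    print("vulnerable handler, forged POST:", forged_request(grant_moderator_vulnerable))
    print("fixed handler, forged POST:     ", forged_request(grant_moderator_fixed))
    print("fixed handler, genuine POST:    ", genuine_request(grant_moderator_fixed))
```

The token check is what closes the hole: the forged request carries the victim's cookie but not the token, so the fixed handler returns 403 and the role is unchanged, while the genuine form still succeeds. The Origin check is a secondary guard only; older clients and some cross-origin form submissions omit the header, which is why the token remains the primary control.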
NVD CVSS 3.1 base score
7.1
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026