Description

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.

INFO

Published Date :

2026-03-09T22:13:24.662Z

Last Modified :

2026-03-10T14:33:49.843Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28281 vulnerability.

Vendors Products
Instantcms
  • Icms2
  • Instantcms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28281.

URL Resource
https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact