Cyber Posture

CVE-2026-28281

High · Public PoC

Published: 10 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: fixed in 2.18.1
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
EPSS Score: 0.0002 (6.8th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28281 is a high-severity cross-site request forgery (CSRF, CWE-352) vulnerability in InstantCMS (NVD vendor/product: Instantcms Instantcms). Its CVSS v3.1 base score is 7.1 (High); the vector's UI:R component reflects that a logged-in user must be lured into triggering the forged request.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. A low EPSS score does not lower the integrity impact on an exposed instance: a single administrator visiting an attacker page is enough.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and three other techniques, listed below.
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF. (addresses CWE-352)
- Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation. (addresses CWE-352)
- Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications. (addresses CWE-352)
- Detection of anomalous request patterns consistent with cross-site request forgery. (addresses CWE-352)
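The last control above (detecting request patterns consistent with CSRF) can be approximated from ordinary access logs: a state-changing request to a sensitive endpoint whose Referer is absent or names another site is what an auto-submitted form on an attacker page produces. The following is an added example, not InstantCMS code or anything from the advisory; the endpoint paths, the combined-log-format logging configuration and the sample log lines are all constructed here.

```python
import re
from typing import Dict, Iterable, List, Optional, Sequence
from urllib.parse import urlparse

# Combined log format (with Referer and User-Agent fields); this is an assumed
# logging configuration, not something the advisory specifies.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical state-changing endpoints standing in for the actions the
# advisory names (moderator grant, scheduled tasks, trash, friend requests).
SENSITIVE_PATHS: Sequence[str] = (
    "/admin/users/moderator",
    "/admin/cron/run",
    "/content/trash",
    "/friends/accept",
)

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_csrf_suspects(lines: Iterable[str], site_host: str,
                       sensitive_paths: Sequence[str] = SENSITIVE_PATHS) -> List[Dict[str, str]]:
    """Flag state-changing requests to sensitive paths whose Referer is absent or
    points at another site. Legitimate form posts carry a same-site Referer; an
    auto-submitted form on an attacker page carries the attacker's host, or
    nothing if a strict referrer policy suppressed the header."""
    suspects = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in STATE_CHANGING:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.startswith(tuple(sensitive_paths)):
            continue
        ref = rec["referer"]
        ref_host = urlparse(ref).hostname if ref and ref != "-" else None
        if ref_host == site_host:
            continue  # same-site form post; expected
        rec["reason"] = ("missing referer" if ref_host is None
                         else f"cross-site referer from {ref_host}")
        suspects.append(rec)
    return suspects


# Constructed sample log lines (not from any real deployment).
SAMPLE_LOG = """\
198.51.100.23 - alice [10/Mar/2026:09:14:02 +0000] "POST /admin/users/moderator HTTP/1.1" 302 0 "https://cms.example/admin/users" "Mozilla/5.0"
203.0.113.7 - alice [10/Mar/2026:09:15:41 +0000] "POST /admin/users/moderator HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.7 - alice [10/Mar/2026:09:15:40 +0000] "GET /admin/users/moderator HTTP/1.1" 200 1840 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.77 - bob [10/Mar/2026:09:20:11 +0000] "POST /content/trash?id=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:09:21:00 +0000] "POST /login HTTP/1.1" 200 512 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.23 - alice [10/Mar/2026:09:25:33 +0000] "POST /friends/accept?id=7 HTTP/1.1" 302 0 "https://cms.example/friends" "Mozilla/5.0"
"""


def suspects_in_sample() -> List[Dict[str, str]]:
    """Run the detector over the constructed sample; two lines should be flagged."""
    return find_csrf_suspects(SAMPLE_LOG.splitlines(), site_host="cms.example")


if __name__ == "__main__":
    for s in suspects_in_sample():
        print(f'{s["ts"]} {s["ip"]} user={s["user"]} {s["method"]} {s["path"]}: {s["reason"]}')
```

Treat a hit as a lead, not a verdict: Referer is routinely stripped by referrer policies and privacy extensions, so "missing referer" on its own is a weak signal, and the GET that preceded the cross-site POST in the sample is not flagged because only state-changing methods are examined. Logging the Origin header, where the web server allows it, gives a cleaner signal than Referer.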

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1098 Account Manipulation (Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

CSRF in a public-facing CMS lets an attacker drive the web application remotely (T1190), delivered through attacker-crafted links or pages that require the victim's interaction (T1566.002, T1204.001); successful abuse permits unauthorized account changes such as moderator privilege grants (T1098).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.

Deeper analysis (AI-generated)

CVE-2026-28281 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting InstantCMS, a free and open source content management system. In versions prior to 2.18.1, the software fails to validate CSRF tokens, enabling unauthorized actions when a victim is tricked into performing a state-changing operation. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N), indicating network accessibility, low attack complexity, no privileges required, user interaction needed, low confidentiality impact, high integrity impact, and no availability impact.

Unauthenticated attackers can exploit this remotely by crafting a malicious web page or link that, when visited by a logged-in InstantCMS user, makes the victim's browser send a forged state-changing request. The browser attaches the session cookie automatically, and because the server never checks for a valid CSRF token the request is honoured. The attacker needs no credentials of their own, only a victim with the relevant rights (an administrator, for the moderator grant) who visits the page while logged in, which is what the UI:R component of the vector reflects. The resulting actions run on the victim's behalf: granting moderator privileges to arbitrary users, executing scheduled tasks, moving posts to trash, and accepting friend requests.

The vulnerability is addressed in InstantCMS version 2.18.1, which implements proper CSRF token validation. Additional details on the issue and patch are available in the GitHub security advisory at https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m.
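To make the defect and the fix concrete, and to show the kind of check the "security testing regimen" control in the mitigations list calls for, here is an added example that models a privilege-grant handler with and without token validation and replays forged requests against both. It is not InstantCMS code and does not reproduce the project's actual routes, field names or patch; the `grant_moderator` action, the `csrf_token` field, the origins and the in-memory session are all assumed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Assumed site origin; InstantCMS's real routing, field names and fix are not
# reproduced here.
SITE_ORIGIN = "https://cms.example"


@dataclass
class Session:
    """Server-side session of a logged-in user, with a per-session CSRF token."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """A state-changing POST as the server sees it. The session is attached by
    the browser's cookie, so it is present whichever site built the form."""
    session: Session
    params: Dict[str, str]
    origin: Optional[str] = None  # Origin header; None if the browser sent none


Handler = Callable[[Request, Dict[str, str]], bool]


def grant_moderator_vulnerable(req: Request, roles: Dict[str, str]) -> bool:
    """Pre-fix behaviour as the advisory describes it: the privilege check runs,
    the CSRF token is never validated, so any form the admin's browser submits
    succeeds."""
    if not req.session.is_admin:
        return False
    roles[req.params["user"]] = "moderator"
    return True


def grant_moderator_fixed(req: Request, roles: Dict[str, str]) -> bool:
    """Hardened handler: the submitted token must match the session token
    (constant-time compare over bytes, so non-ASCII input cannot raise), and an
    Origin header, when present, must name this site."""
    if not req.session.is_admin:
        return False
    submitted = req.params.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return False
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    roles[req.params["user"]] = "moderator"
    return True


def forged_request(victim: Session) -> Request:
    """What an attacker page produces: the victim's cookie rides along, but the
    attacker cannot read the victim's token (same-origin policy), so it is absent."""
    return Request(session=victim, params={"user": "attacker"},
                   origin="https://evil.example")


def legit_request(admin: Session) -> Request:
    """A form rendered by the site itself, carrying the session's token."""
    return Request(session=admin,
                   params={"user": "alice", "csrf_token": admin.csrf_token},
                   origin=SITE_ORIGIN)


def csrf_regression_check(handler: Handler) -> Dict[str, bool]:
    """Test-regimen check: replay a legitimate request with the token stripped,
    with a wrong token, and from a foreign origin without a token. A handler
    accepting any of the three has missing or ineffective CSRF protection."""
    admin = Session(user="admin", is_admin=True)
    stripped = legit_request(admin)
    stripped.params.pop("csrf_token")
    wrong = legit_request(admin)
    wrong.params["csrf_token"] = secrets.token_hex(32)
    results = {
        "legit_accepted": handler(legit_request(admin), {}),
        "missing_token_rejected": not handler(stripped, {}),
        "wrong_token_rejected": not handler(wrong, {}),
        "cross_site_rejected": not handler(forged_request(admin), {}),
    }
    results["vulnerable"] = not (results["missing_token_rejected"]
                                 and results["wrong_token_rejected"]
                                 and results["cross_site_rejected"])
    return results


if __name__ == "__main__":
    for name, handler in (("vulnerable", grant_moderator_vulnerable),
                          ("fixed", grant_moderator_fixed)):
        print(name, csrf_regression_check(handler))
```

The same three replays (token removed, token replaced, request from another origin) are what to run against a real deployment's state-changing endpoints before and after upgrading to 2.18.1; the vulnerable model accepts all three, the fixed one accepts only the site-rendered form. The Origin check is defence in depth, not a substitute for the token, since some clients omit the header. Requiring a fresh password entry for the moderator grant, as the re-authentication control in the mitigations list suggests, would add a further gate that a silently auto-submitted form cannot pass.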

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

Affected Products: Instantcms Instantcms (InstantCMS), versions prior to 2.18.1. The page's listed range "≤ 2.18.1" includes the fixed release; per the NVD description the fix ships in 2.18.1, so that version is not affected.

CVEs Like This One

CVE-2013-10051 · same product: Instantcms Instantcms
CVE-2025-25154 · shared CWE-352
CVE-2025-26963 · shared CWE-352
CVE-2025-23577 · shared CWE-352
CVE-2025-23990 · shared CWE-352
CVE-2025-26550 · shared CWE-352
CVE-2024-55076 · shared CWE-352
CVE-2025-23661 · shared CWE-352
CVE-2026-25812 · shared CWE-352
CVE-2026-39640 · shared CWE-352

References

GitHub security advisory: https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m