Cyber Resilience

CVE-2026-28281

HighPublic PoC

Published: 10 March 2026

Published
10 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
EPSS Score 0.0003 8.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28281 is a high-severity CSRF (CWE-352) vulnerability in Instantcms Instantcms. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28281 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting InstantCMS, a free and open source content management system. In versions prior to 2.18.1, the software fails to validate CSRF tokens, enabling unauthorized actions when a victim is tricked into performing a state-changing operation. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N), indicating network accessibility, low attack complexity, no privileges required, user interaction needed, low confidentiality impact, high integrity impact, and no availability impact.

Unauthenticated attackers can exploit this remotely by crafting malicious web pages or links that, when visited by an authenticated InstantCMS user, trigger forged requests lacking valid CSRF tokens. This allows attackers to perform actions on the victim's behalf, such as granting moderator privileges to arbitrary users, executing scheduled tasks, moving posts to trash, and accepting friend requests.

The vulnerability is addressed in InstantCMS version 2.18.1, which implements proper CSRF token validation. Additional details on the issue and patch are available in the GitHub security advisory at https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m.

EU & UK References

Vulnerability details

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf…

more

of the user. This vulnerability is fixed in 2.18.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

CSRF in public-facing CMS directly enables remote exploitation of the web app (T1190) delivered via attacker-crafted links/pages requiring user interaction (T1566.002, T1204.001); successful abuse permits unauthorized account changes such as privilege grants (T1098).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2013-10051Same product: Instantcms Instantcms
CVE-2024-47100Shared CWE-352
CVE-2025-26963Shared CWE-352
CVE-2026-38566Shared CWE-352
CVE-2025-25154Shared CWE-352
CVE-2025-23577Shared CWE-352
CVE-2025-25121Shared CWE-352
CVE-2025-24001Shared CWE-352
CVE-2025-25147Shared CWE-352
CVE-2026-34904Shared CWE-352

Affected Assets

instantcms
instantcms
≤ 2.18.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces that state-changing requests include valid CSRF tokens before granting moderator rights or executing tasks on behalf of a user.

prevent

Requires validation of CSRF tokens on all inputs to reject forged requests that lack authentic origin confirmation.

prevent

Protects session authenticity so that cross-site requests cannot be accepted as originating from the legitimate authenticated user.

References