ByteOS Network

NVD Vulnerability Details :

CVE-2026-28281

Analyzed

Source-security-advisories@github.com

Published At-10 Mar, 2026 | 17:38

Updated At-13 Mar, 2026 | 16:19

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	7.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Type: Secondary

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CPE Matches

instantcms>>instantcms>>Versions before 2.18.1(exclusive)

cpe:2.3:a:instantcms:instantcms:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-352	Primary	security-advisories@github.com

CWE ID: CWE-352

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m	security-advisories@github.com	Exploit Mitigation Vendor Advisory

Hyperlink: https://github.com/instantsoft/icms2/security/advisories/GHSA-pp43-262q-h73m

Source: security-advisories@github.com

Resource:

Exploit

Mitigation

Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History