PT-2026-24135 · Unknown · Instantcms

0Xhamy · Published 2026-03-09 · Updated 2026-03-13

CVE-2026-28281

CVSS v3.1: 7.1 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions: InstantCMS versions prior to 2.18.1

Description: InstantCMS does not properly validate Cross-Site Request Forgery (CSRF) tokens. This allows attackers to perform actions on behalf of a user without their knowledge. Specifically, an attacker could grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests.

Recommendations: Update to InstantCMS version 2.18.1 or later.

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-28281
GHSA-PP43-262Q-H73M

Affected Products

Instantcms