CVE-2026-39170: SemCms 5.0 CSRF Vulnerability in Admin User Management
SemCms 5.0 contains a cross-site request forgery (CSRF) vulnerability in its user administration interface. An attacker can craft a malicious webpage or email that, when visited by a logged-in administrator, silently performs unauthorized actions on the SemCms instance—such as creating new admin accounts, modifying permissions, or deleting users. The vulnerability requires an authenticated admin to be tricked into visiting the attacker's content, but no additional user interaction (like clicking a button) is needed once they arrive.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-352
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the /admin/semcms_user.php endpoint, which accepts POST requests without proper CSRF token validation. An attacker can construct a forged POST request that leverages the implicit authentication of a logged-in admin session. Because the endpoint lacks synchronizer token patterns or SameSite cookie controls, the browser automatically includes session cookies when the admin visits a malicious site, allowing the attacker to perform state-changing operations. The CVSS 3.1 score of 6.3 (MEDIUM) reflects the requirement for prior authentication and limited scope, though impact spans confidentiality, integrity, and availability of user records.
Business impact
Compromised administrative functions can lead to unauthorized account creation, privilege escalation, user deletion, or data exposure within the CMS. An attacker with CSRF access can effectively obtain administrative control without cracking passwords. For organizations running SemCms 5.0 to manage content or user roles, this creates a pathway to insider-equivalent threats. Reputational risk increases if administrators are tricked into defacing content or leaking sensitive data stored in the CMS.
Affected systems
SemCms version 5.0 is confirmed vulnerable. The /admin/semcms_user.php endpoint is explicitly at risk. Organizations running SemCms 5.0 in any deployment—whether internet-facing or internal—should assume this vulnerability applies if the admin console is accessible and administrators regularly authenticate. Patch availability and scope for earlier or later versions should be verified against the SemCms project advisories.
Exploitability
Exploitation requires a low level of technical skill: an attacker crafts an HTML form or JavaScript payload embedded in a webpage or phishing email, targeting a known SemCms admin. The bar for triggering the vulnerability is low because no user interaction beyond visiting the malicious page is required (PR:L, UI:N in the CVSS vector). However, the attack is not remotely exploitable without social engineering; the admin must be logged in and must be tricked into visiting attacker-controlled content. Public exploit code availability is unknown; this is not listed in the CISA KEV catalog.
Remediation
Apply a patch from the SemCms project that adds CSRF token validation to the /admin/semcms_user.php endpoint. Verify the specific patch version against official SemCms release notes. In the interim, implement network-level controls: restrict admin console access to trusted IP ranges, enforce VPN for administrative access, and educate administrators about phishing and suspicious links. Monitor session logs for unexpected admin actions.
Patch guidance
Check the SemCms project repository or security advisory site for a patched version of 5.0 or upgrade to the next stable release that includes CSRF mitigations. Apply patches to all instances running SemCms 5.0. After patching, clear all active admin sessions to prevent exploitation via pre-existing tokens. Validate the fix by reviewing the patched /admin/semcms_user.php code to confirm the presence of CSRF token generation and validation logic.
Detection guidance
Look for POST requests to /admin/semcms_user.php originating from external or unusual referrer headers—particularly requests that lack expected CSRF tokens in form data or headers. Monitor admin session logs for unexpected account creation, permission changes, or user deletions that lack corresponding audit trails. Implement HTTP response header inspection to detect missing or weak SameSite cookie policies. Consider deploying a Web Application Firewall (WAF) rule that flags POST requests to admin endpoints without a valid referrer or CSRF token.
Why prioritize this
Although rated MEDIUM severity, this vulnerability warrants prompt patching because it directly enables administrative impersonation. The requirement for prior login reduces the attack surface compared to unauthenticated flaws, but administrators are frequently targeted by phishing. The vulnerability's presence in a user management endpoint amplifies risk: a successful exploit grants control over account creation and permissions. Organizations hosting multi-user CMS instances should prioritize this fix over lower-impact flaws.
Risk score, explained
CVSS 3.1 score of 6.3 (MEDIUM) reflects: (1) network-accessible endpoint (AV:N), (2) low attack complexity—no special conditions beyond a crafted POST (AC:L), (3) requirement for low-privilege login (PR:L), (4) no additional user interaction required beyond visiting the site (UI:N), and (5) impact limited to a single user context (S:U). Confidentiality, integrity, and availability are each affected by unauthorized account or permission changes. The score does not assume widespread exploitation; actual risk depends on exposure of the admin console and administrator vigilance.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires the target to already be logged in as an administrator. An attacker cannot directly access the admin interface; they must trick a logged-in admin into visiting a malicious webpage or clicking a link in a phishing email.
Is this vulnerability publicly exploited or tracked by CISA?
As of the vulnerability's publication, it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation in the wild. However, organizations should not rely on this as a reason to delay patching.
What immediate steps should we take if we cannot patch immediately?
Implement network segmentation to restrict access to the /admin/ directory to trusted IP addresses or require VPN authentication. Enforce regular session timeouts for admin accounts, disable session persistence across browsers, and conduct user awareness training on CSRF and phishing tactics. Monitor admin action logs closely for anomalies.
How do we verify that a patch is effective?
After applying a patch, review the patched /admin/semcms_user.php source code to confirm the presence of CSRF token generation (e.g., unique session-bound tokens in forms) and server-side token validation. Perform functional testing of admin user management features to ensure legitimate actions still work. Consider penetration testing to validate the fix.
This analysis is based on published vulnerability data current as of June 2026. Patch version numbers and availability should be verified directly with the SemCms project advisory. CVSS score reflects base metrics; organizational risk may differ based on deployment, network exposure, and admin practices. SEC.co does not host or endorse exploit code. This document is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessments and consult with security vendors regarding their specific environments. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2026-10553MEDIUMjQuery Hover Footnotes CSRF & Stored XSS Vulnerability
- CVE-2026-11020MEDIUMChrome Extension XML Cross-Origin Data Leak – Patch to 149.0.7827.53
- CVE-2026-11083MEDIUMChrome Password Manager Cross-Origin Data Leak Vulnerability
- CVE-2026-11084MEDIUMChrome Password Manager Cross-Origin Data Leak (v149.0.7827.53)
- CVE-2026-11106MEDIUMCross-Origin Data Leak in Google Chrome Media Component