CVE-2026-46620
Deferred Deferred - Pending Action
CSRF Bypass in e107 CMS Comment Moderation

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing request, it only validates the token if one happens to be present. If there is no token at all, the check is skipped entirely. This vulnerability is fixed in 2.3.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-46620
EUVD
EUVD-2026-31851
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
e107inc e107 to 2.3.5 (exc)
e107inc e107 2.3.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers to perform unauthorized state-changing actions, such as deleting or approving comments, without proper CSRF token validation. This can lead to manipulation of comment data integrity.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to alter data without authorization could potentially impact compliance with regulations that require data integrity and protection against unauthorized changes.

Organizations using affected versions of e107 CMS should consider this vulnerability as a risk to data integrity controls, which are important in many regulatory frameworks.

Impact Analysis

This vulnerability can impact you by allowing attackers to silently delete any comment or approve pending comments, including spam or malicious content, without your consent.

Such unauthorized actions can manipulate the comment sections on your site, potentially damaging your site's integrity and reputation.

Attackers only need a logged-in moderator or administrator to visit a crafted malicious link for the attack to succeed.

The primary impact is on data integrity, as attackers can alter comment states in the database.

Executive Summary

CVE-2026-46620 is a Cross-Site Request Forgery (CSRF) vulnerability in the e107 content management system (CMS) versions up to 2.3.4.

The issue arises because the session_handler::check() function only validates CSRF tokens if they are present, and skips the check entirely if no token is provided.

This flaw allows attackers to perform state-changing actions, such as deleting or approving comments, on behalf of logged-in administrators or moderators without their knowledge.

An attacker can exploit this by hosting a malicious webpage that sends a cross-origin POST request without a CSRF token, which is then processed by the vulnerable endpoints.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unexpected state-changing POST requests to the comment.php moderation endpoints, specifically those that delete or approve comments without a valid CSRF token.

You can inspect web server logs for POST requests to comment.php endpoints that lack CSRF tokens or originate from suspicious sources.

Commands to help detect such activity might include:

  • Using grep to find POST requests to comment.php in web server logs: grep 'POST /comment.php' /var/log/apache2/access.log
  • Checking for absence of CSRF tokens in request parameters or headers by searching for requests missing expected token parameters.
  • Using network monitoring tools like tcpdump or Wireshark to capture and analyze HTTP POST requests to the affected endpoints.
Mitigation Strategies

Immediate mitigation steps include upgrading e107 CMS to version 2.3.5 or later, where the CSRF token validation is properly enforced.

Until the upgrade can be performed, restrict access to the comment.php moderation endpoints to trusted users only.

Alternatively, disable AJAX comment moderation to prevent exploitation via cross-origin POST requests.

If you use forks or plugins that call deleteComment() or approveComment(), ensure they are updated to include valid CSRF tokens.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46620. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart