CVE-2026-46620 MEDIUM

CVE-2026-46620: e107: CSRF in comment.php moderation endpoints via token-optional validation in session_handler::check()

Vendor E107Inc

Product e107

Weakness CWE-285

Published May 26, 2026

Last update May 27, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

Description

e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing request, it only validates the token if one happens to be present. If there is no token at all, the check is skipped entirely. This vulnerability is fixed in 2.3.5.

Key dates

Disclosure timeline

May 26, 2026 CVE published

May 27, 2026 Record updated