CVE-2026-46620 e107inc CVE debrief

Who should care

Organizations running e107 CMS versions prior to 2.3.5, particularly those with comment functionality enabled and multiple administrators or moderators. Web application security teams should prioritize this for content management platforms with public-facing comment systems.

Technical summary

The e107 CMS `session_handler::check()` method contains a logic flaw where CSRF token validation is only performed when a token is present in the request. If no token is supplied, the validation is skipped entirely rather than rejecting the request. This allows attackers to craft state-changing requests (specifically comment moderation actions) without valid CSRF tokens, exploiting the trust relationship between the browser and the authenticated administrator session. The vulnerability requires user interaction (administrator clicking a malicious link) and network access, but no authentication bypass is needed as the victim's session is leveraged.

Defensive priority

medium

Recommended defensive actions

• Upgrade e107 CMS to version 2.3.5 or later to remediate this vulnerability
• Review and audit custom modifications to session handling code for similar CSRF validation weaknesses
• Implement defense-in-depth by adding SameSite cookie attributes and verifying Referer headers for sensitive administrative actions
• Monitor access logs for suspicious comment moderation activity that may indicate attempted or successful CSRF exploitation
• Consider implementing additional confirmation steps for destructive comment moderation operations

Evidence notes

Official GitHub Security Advisory confirms the vulnerability exists in e107 CMS prior to 2.3.5, with CVSS 3.1 score of 6.5 (MEDIUM). The advisory identifies CWE-285 (Improper Authorization) and CWE-352 (Cross-Site Request Forgery) as the underlying weaknesses. NVD record reflects deferred status with same CVSS vector.

Official resources