CVE-2025-26206
Published: 03 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26206 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting Selldone Storefront version 1.0. The flaw resides in the index.html component and enables a remote attacker to escalate privileges. Published on 2025-03-03, it carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H); the score is critical because the flaw is reachable over the network with low attack complexity, needs only low privileges plus a single user interaction, changes scope, and has high impact on confidentiality, integrity, and availability.
An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network by crafting a malicious webpage or request that tricks an authenticated user into submitting a forged request to the vulnerable index.html component. User interaction (UI:R) is required, such as clicking a link or loading a page, but successful exploitation allows privilege escalation, potentially granting the attacker elevated access and enabling further compromise with high-impact effects due to the changed scope (S:C).
Advisories and additional details on mitigation are referenced in the Selldone Storefront GitHub repository at https://github.com/selldone/storefront/blob/main/index.html and a dedicated CVE repository at https://github.com/xibhi/CVE-2025-26206. Security practitioners should review these sources for patch information or workarounds specific to the affected component.
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
- Affected Products: Selldone Storefront 1.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF vulnerability in a public-facing web application (Selldone Storefront) lets a remote attacker exploit the public-facing application (T1190) and escalate privileges (T1068) by forging requests that perform privileged actions, such as changing user roles.