CVE-2016-20054: Nodcms contains a cross-site request forgery vulnerability

April 4, 2026 (updated April 16, 2026)

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/user_manipulate and admin/settings/generall endpoints to create users or modify application settings without explicit consent.

References

github.com/advisories/GHSA-3qcm-pj6q-w4c5
github.com/khodakhah/nodcms
nvd.nist.gov/vuln/detail/CVE-2016-20054
www.exploit-db.com/exploits/40707

Code Behaviors & Features

Detect and mitigate CVE-2016-20054 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →