Cross-site Request Forgery (CSRF) Affecting silverstripe/framework package, versions <3.1.17-rc2; >=3.2.0-beta1, <3.2.2-rc2; >3.3.0-beta1, <3.3.0-rc3


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PHP-SILVERSTRIPEFRAMEWORK-17400361
  • Published: 22 Jun 2026
  • Disclosed: 19 Jun 2026
  • Credit: Unknown

Introduced: 19 Jun 2026

CVE: not available. CWE-352

How to fix?

Upgrade silverstripe/framework to 3.1.17-rc2, 3.2.2-rc2 or 3.3.0-rc3 (whichever matches the branch you run), or any later release of that branch.

Overview

silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) because of insufficient CSRF protection in GridField. An attacker who lures an authenticated CMS user to an external website can have that user's browser submit a crafted GridField action request to the CMS; the browser attaches the user's session cookie automatically, and because gridFieldAlterAction submissions are not consistently validated against the SecurityID token, the request is processed as if the user had submitted it from a form the CMS rendered. State-changing operations on CMS-managed objects such as groups, users and permissions can therefore be performed without the user's intent.
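To make the flaw concrete, the following is an added PHP sketch, not code from silverstripe/framework, of a GridField-style action handler in its vulnerable and hardened forms. Everything in it is constructed for illustration: the session array, the GroupStore class, the handler functions and the forged POST body are hypothetical stand-ins, and only the field name SecurityID is taken from the advisory. The forged request carries the victim's session but no token, which is exactly what a cross-site auto-submitted form can produce.

```php
<?php
// Added illustration, not SilverStripe's own code. Names below (newSession,
// GroupStore, handleActionUnchecked, handleActionChecked) are hypothetical.
declare(strict_types=1);

// Form-field name SilverStripe uses for its per-session CSRF token.
const TOKEN_NAME = 'SecurityID';

// Constructed stand-in for the server-side session of a logged-in CMS user.
function newSession(): array
{
    return ['user' => 'admin', TOKEN_NAME => bin2hex(random_bytes(16))];
}

// Constructed stand-in for a CMS-managed object: a group and its members.
final class GroupStore
{
    public array $members = ['Administrators' => ['admin']];

    public function addMember(string $group, string $user): void
    {
        $this->members[$group][] = $user;
    }
}

// Vulnerable pattern: the action runs as soon as the session is authenticated.
// Nothing ties the request to a form the user actually rendered, so a request
// forged by another origin (sent with the victim's cookies) is accepted.
function handleActionUnchecked(array $session, array $post, GroupStore $store): int
{
    if (($session['user'] ?? null) === null) {
        return 403;
    }
    $store->addMember($post['GroupID'], $post['UserID']);
    return 200;
}

// Hardened pattern: require the session's SecurityID in the submitted data and
// compare it in constant time before doing anything that changes state.
function handleActionChecked(array $session, array $post, GroupStore $store): int
{
    if (($session['user'] ?? null) === null) {
        return 403;
    }
    $submitted = (string) ($post[TOKEN_NAME] ?? '');
    $expected  = (string) ($session[TOKEN_NAME] ?? '');
    if ($submitted === '' || !hash_equals($expected, $submitted)) {
        return 400; // reject the request; do not touch the object
    }
    $store->addMember($post['GroupID'], $post['UserID']);
    return 200;
}

// Constructed cross-site request: what an auto-submitting <form> on an
// attacker's page would POST. The browser adds the victim's session cookie,
// but the attacker cannot read the victim's SecurityID, so the field is absent.
$forged  = ['GroupID' => 'Administrators', 'UserID' => 'attacker'];
$session = newSession();

$store = new GroupStore();
$code  = handleActionUnchecked($session, $forged, $store);
assert($code === 200 && in_array('attacker', $store->members['Administrators'], true));

$store = new GroupStore();
$code  = handleActionChecked($session, $forged, $store);
assert($code === 400 && !in_array('attacker', $store->members['Administrators'], true));

// Genuine submission from a form the CMS rendered, carrying the session token.
$genuine = $forged + [TOKEN_NAME => $session[TOKEN_NAME]];
$store   = new GroupStore();
assert(handleActionChecked($session, $genuine, $store) === 200);

echo "unchecked handler accepted the forged request; checked handler rejected it\n";
```

The point the example isolates is that authentication (a valid session cookie) is not evidence of intent; only a secret the attacker's origin cannot read, submitted with the request and checked before the state change, is. Any GridField action that mutates data needs that check on every path, not just on the ones the form layer happens to cover.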

CVSS Base Scores (version 4.0, version 3.1): no values are listed on this page.