Lucene search
+L

10336 matches found

Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.18 views

PT-2026-41312

Name of the Vulnerable Software and Affected Versions Turborepo versions prior to 2.9.14 Description Turborepo is a high-performance build system for JavaScript and TypeScript codebases. The self-hosted login and SSO browser flows fail to validate a CSRF Cross-Site Request Forgery state value on...

6.5CVSS5.8AI score0.00124EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/14 8:18 p.m.12 views

Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation

Summary An application-wide Cross-Site Request Forgery CSRF vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this...

4.6CVSS5.8AI score0.00165EPSS
Exploits1References4Affected Software1
NVD
NVD
added 2026/05/13 8:16 p.m.48 views

CVE-2026-44364

MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerabili...

9.3CVSS0.00185EPSS
Exploits0References1
F5 Networks
F5 Networks
added 2026/05/13 12:27 p.m.13 views

K35544022: BIG-IP Configuration utility CSRF vulnerability CVE-2026-40703

Security Advisory Description A cross-site request forgery CSRF vulnerability exists in the dashboard of the BIG-IP Configuration utility. CVE-2026-40703 Impact A remote, unauthenticated attacker may exploit this vulnerability by causing an authenticated user to send a crafted request to the BIG-...

5.4CVSS5.6AI score0.00104EPSS
Exploits0Affected Software11
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.13 views

Flight 安全漏洞

Flight is a PHP microframework developed by Mike Cao. Versions of Flight prior to 3.18.1 contained security vulnerabilities. These vulnerabilities stemmed from the unconditional acceptance of the X-HTTP-Method-Override header and the$REQUESTmethod parameter by the Request::getMethod method. This...

7.5CVSS5.8AI score0.0031EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 9:16 a.m.17 views

CVE-2026-7616

The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyiadminpage function. This makes it possible for unauthenticated attackers to update the plugin's...

4.3CVSS0.00128EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/11 12:0 a.m.39 views

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...

0.00168EPSS
Exploits1References3
CVE
CVE
added 2026/05/10 12:12 p.m.12 views

CVE-2022-50955

CVE-2022-50955 affects the WordPress plugin Curtain 1.0.2. The issue is a cross-site request forgery (CSRF) that lets attackers toggle maintenance mode by crafting requests to options-general.php with curtain parameters, bypassing valid nonce validation. Impact is the ability to activate/deactiva...

5.3CVSS5.7AI score0.0013EPSS
Exploits0References3
CVE
CVE
added 2026/05/07 10:20 a.m.31 views

CVE-2026-27415

The CVE-2026-27415 entry documents a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress BEAR plugin, affecting BEAR versions from n/a up to 1.1.5. The issue is described as CSRF in PluginUs.Net BEAR. The provided metrics indicate a CVSS v3.1 base score of 4.3 (Medium) with attack ve...

4.3CVSS5.8AI score0.00095EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/07 9:25 a.m.11 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the process handling incoming requests. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into submitting a crafted request. Remediation Upgrade...

5.4CVSS5.8AI score0.00092EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/06 7:42 p.m.6 views

CVE-2026-40309

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanent...

7.2CVSS5.7AI score0.00165EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.21 views

PT-2026-38273

Name of the Vulnerable Software and Affected Versions Flight versions prior to 3.18.1 Description The getMethod function unconditionally honors the X-HTTP-Method-Override header and the method parameter within the $ REQUEST variable on any HTTP verb, including safe verbs like GET. This occurs...

7.5CVSS5.8AI score0.0031EPSS
Exploits0References6
NVD
NVD
added 2026/05/05 3:16 a.m.41 views

CVE-2026-6702

The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated attackers t...

6.1CVSS0.0012EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/05 2:26 a.m.3 views

CVE-2026-6700

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settingspagebuild function. This makes it possible for unauthenticated attackers to trick a logged-in...

4.3CVSS5.7AI score0.00128EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.12 views

PT-2026-36959

Name of the Vulnerable Software and Affected Versions addfreespace plugin for WordPress versions prior to 0.1.4 Description The addfreespace plugin for WordPress is susceptible to Cross-Site Request Forgery CSRF, a flaw where an attacker tricks a victim into performing actions they did not intend...

4.3CVSS5.7AI score0.00158EPSS
Exploits0References17
EUVD
EUVD
added 2026/05/01 11:18 a.m.6 views

EUVD-2026-26496

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handlemoduleactions' function. This makes it possible for unauthenticated attackers to toggle plugin...

4.3CVSS5.7AI score0.00151EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/30 12:0 a.m.5 views

CVE-2026-36956

A Cross-Site Request Forgery CSRF vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An...

5.5AI score0.00163EPSS
Exploits1References2
Packet Storm
Packet Storm
added 2026/04/30 12:0 a.m.77 views

📄 SolarEdge 3.0-2021 Cross Site Request Forgery / Out-Of-Bounds Access

SolarEdge version 3.0-2021 suffers from cross site request forgery and out-of-band injection vulnerabilities. Titles: solaredge-CSRF-OOB-Injection 3.0-2021 web portal Author: nu11secur1ty Date: 2026-04-26 Vendor: SolarEdge Technologies Ltd. Software: SolarEdge Monitoring Platform - Framework...

5.1AI score
Exploits0
Snyk
Snyk
added 2026/04/29 8:36 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online a...

6.1CVSS5.7AI score0.00124EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/29 8:36 p.m.10 views

CKAN has CSRF exemption primed by anonymous requests

Views can be marked as exempt from CSRF protection Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect, which was stored as a module level variable in the flaskapp...

6.1CVSS5.8AI score0.00124EPSS
Exploits0References6Affected Software1
Rows per page
Query Builder