444 matches found
CVE-2025-13970
OpenPLC_V3 (CVE-2025-13970) is reported across multiple sources to be vulnerable to a cross-site request forgery (CSRF) due to missing CSRF validation. The vulnerability allows an unauthenticated attacker to lure a logged-in administrator into visiting a malicious link, potentially enabling unaut...
EUVD-2025-201708
Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, or configurations, or performing other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site...
CVE-2025-42616
CVE-2025-42616 concerns Vulnerability-Lookup prior to 2.18.0 where certain endpoints could change state (e.g., database entries, user data, configurations) via HTTP GET requests without CSRF protection. This allowed CSRF-style abuse under an authenticated session, potentially enabling privilege e...
GHSA-58C5-G7WP-6W37 Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery XSRF token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol...
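To make the protocol-relative bypass concrete, here is an added illustration (not Angular's source and not the project's patch) of the decision an XSRF interceptor makes before attaching the token. The vulnerable check mirrors the logic described above: anything that does not start with `http://` or `https://` is assumed to be same-origin. The hardened variant resolves the target against the application origin with the WHATWG `URL` parser and compares origins, which also catches backslash-prefixed forms that browsers normalise to `//`. `APP_ORIGIN`, `XSRF_TOKEN` and the function names are assumptions made for this example.

```javascript
// Added example: models whether an XSRF interceptor attaches the token to a request.
// Not Angular's code; APP_ORIGIN and XSRF_TOKEN are constructed values.
const APP_ORIGIN = "https://app.example";
const XSRF_TOKEN = "tok-123"; // stands in for the value read from the XSRF-TOKEN cookie

// Vulnerable decision: only absolute http(s) URLs are treated as cross-origin, so a
// protocol-relative URL such as "//attacker.example/collect" is treated as same-origin
// and receives the token header.
function attachTokenVulnerable(method, url) {
  const lc = url.toLowerCase();
  if (method === "GET" || method === "HEAD" ||
      lc.startsWith("http://") || lc.startsWith("https://")) {
    return null; // no token header
  }
  return { "X-XSRF-TOKEN": XSRF_TOKEN };
}

// Hardened decision: resolve the request URL the way the browser will and compare
// the resulting origin with the application's origin. Anything else gets no token.
function attachTokenHardened(method, url) {
  if (method === "GET" || method === "HEAD") return null;
  let target;
  try {
    target = new URL(url, APP_ORIGIN); // relative paths resolve against APP_ORIGIN
  } catch {
    return null; // unparseable target: never send the secret
  }
  if (target.origin !== new URL(APP_ORIGIN).origin) return null;
  return { "X-XSRF-TOKEN": XSRF_TOKEN };
}

// Side-by-side comparison over the interesting inputs.
function compare(url) {
  return {
    url,
    vulnerable: attachTokenVulnerable("POST", url) !== null,
    hardened: attachTokenHardened("POST", url) !== null,
  };
}

for (const u of ["/api/update", "//attacker.example/collect",
                 "\\\\attacker.example/collect", "https://attacker.example/x"]) {
  console.log(compare(u));
}
```

Only the first of those four URLs should ever receive the token; the vulnerable check also leaks it on the two protocol-relative forms.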
CVE-2025-6670 Cross-Site Request Forgery (CSRF) in Multiple WSO2 Products via HTTP GET in Admin Services
A Cross-Site Request Forgery CSRF vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation...
CVE-2025-6670
Summary: CVE-2025-6670 describes a CSRF vulnerability in multiple WSO2 products due to using HTTP GET for state-changing admin service operations in the Carbon console event processor. Although SameSite=Lax is set as a mitigation, that attribute still sends the session cookie on cross-site top-level GET navigations, all...
PT-2025-47301
Name of the Vulnerable Software and Affected Versions: WSO2 products (affected versions not specified). Description: A Cross-Site Request Forgery (CSRF) issue exists in multiple WSO2 products. This is due to the use of the HTTP GET method for state-changing operations within admin services, specifically...
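The Vulnerability-Lookup entries (state-changing GET endpoints without a CSRF token) and the WSO2 entries (state-changing GET in admin services where SameSite=Lax does not help) describe the same failure mode. The following added example, which is not code from either project, models it end to end: a simplified browser-side SameSite rule decides whether the session cookie travels with a request, and two server handlers (a vulnerable GET-based one and a hardened one) decide whether the action is performed. The path `/admin/deleteEvent`, the token value and the request objects are constructed for the example; the SameSite model omits browser-specific nuances such as Chrome's "Lax-allowing-unsafe" default.

```javascript
// Added example, not project code. Models SameSite cookie behaviour and a
// state-changing endpoint in vulnerable and hardened forms.

// Browser side (simplified): is the session cookie attached to this request?
//   Strict -> same-site requests only
//   Lax    -> same-site requests, plus cross-site TOP-LEVEL navigations with a safe method
//   None   -> always (must also be Secure)
function cookieIsSent(sameSite, req) {
  if (req.sameSite) return true;
  switch (sameSite) {
    case "Strict": return false;
    case "Lax":    return Boolean(req.topLevel) && (req.method === "GET" || req.method === "HEAD");
    case "None":   return true;
    default:       throw new Error("unknown SameSite value: " + sameSite);
  }
}

// Server side, vulnerable: a GET endpoint performs the state change whenever a valid
// session cookie is present. This is the pattern in the advisories above.
function vulnerableHandler(req, hasCookie) {
  if (!hasCookie) return { status: 401, changed: false };
  if (req.path === "/admin/deleteEvent" && req.method === "GET") return { status: 200, changed: true };
  return { status: 404, changed: false };
}

// Server side, hardened: POST only, Sec-Fetch-Site must not be cross-site, and the
// body must carry the token bound to the session.
const SESSION_CSRF_TOKEN = "c5rf-t0k3n"; // constructed; generate per session in practice
function hardenedHandler(req, hasCookie) {
  if (!hasCookie) return { status: 401, changed: false };
  if (req.path !== "/admin/deleteEvent") return { status: 404, changed: false };
  if (req.method !== "POST") return { status: 405, changed: false };
  const fetchSite = (req.headers || {})["sec-fetch-site"];
  if (fetchSite && fetchSite !== "same-origin" && fetchSite !== "none") return { status: 403, changed: false };
  if ((req.body || {}).csrf_token !== SESSION_CSRF_TOKEN) return { status: 403, changed: false };
  return { status: 200, changed: true };
}

// Glue: the victim's browser decides on the cookie, then the server decides on the action.
function simulate(sameSite, handler, req) {
  return handler(req, cookieIsSent(sameSite, req));
}

// Constructed requests.
// 1. Victim clicks an attacker link: cross-site top-level GET navigation.
const ATTACKER_LINK = { method: "GET", path: "/admin/deleteEvent", topLevel: true, sameSite: false,
                        headers: { "sec-fetch-site": "cross-site" }, body: {} };
// 2. Attacker page auto-submits a form: cross-site top-level POST.
const ATTACKER_FORM = { method: "POST", path: "/admin/deleteEvent", topLevel: true, sameSite: false,
                        headers: { "sec-fetch-site": "cross-site" }, body: { csrf_token: "guess" } };
// 3. Legitimate admin action from the application's own page.
const LEGIT_POST = { method: "POST", path: "/admin/deleteEvent", topLevel: false, sameSite: true,
                     headers: { "sec-fetch-site": "same-origin" }, body: { csrf_token: SESSION_CSRF_TOKEN } };

// Does the cross-site link succeed against a given cookie policy and handler?
function linkAttackSucceeds(sameSite, handler) {
  return simulate(sameSite, handler, ATTACKER_LINK).changed;
}

for (const policy of ["Strict", "Lax", "None"]) {
  console.log(policy, "vulnerable:", linkAttackSucceeds(policy, vulnerableHandler),
              "hardened:", linkAttackSucceeds(policy, hardenedHandler));
}
```

With the vulnerable handler, only SameSite=Strict stops the link attack; Lax sends the cookie on the top-level GET, which is exactly why the WSO2 mitigation was insufficient. With the hardened handler the link fails under every policy because the action is no longer reachable over GET, and the cross-site form fails because either the cookie is withheld (Lax) or the Sec-Fetch-Site and token checks reject it (None).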
EUVD-2025-150405
The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation. This is due to the plugin not properly validating a user's identity prior to allowing them to modify their own role via the REST API. The permission check in the...
MAL-2025-188838 Malicious code in process-simulate-parse-integer-wind (npm)
Source: amazon-inspector b6f595e875d8be76b910f8b5812d7c40c89b52395acb636de9b3c68cd19dc6f4. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187034 Malicious code in fornax-materialize-sails-dactyl (npm)
Source: amazon-inspector 3e47cd906f3eac5ef7031e9e276accc0a01baa2d72f585d855e5404f4ed629f8. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in flights-lutuig-alakan (npm)
Source: amazon-inspector 02de15831d7faf87cfd4cacfd7d21fc794b099c4ed525fa2df645e539d8d32bd. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in teate-thy-sonic-awhaw (npm)
Source: amazon-inspector 1a9a18eb358677f65c442b92bf599580b7a14b2225af394f41994bbd92f5d0e6. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in diva-banubo-imba (npm)
Source: amazon-inspector 739a5157fdd84b9f1b7b0b76ab116ecbdfa38e26636f159eba9c200f7f5c63f7. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in koko-poke7 (npm)
Source: amazon-inspector dccf2e5b7cdabb75311e140b32617df533ec3a06199860b7b0a96251f32b0237. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-173967 Malicious code in diva-tuai-inj (npm)
Source: amazon-inspector 40416b778b3a2fd88171e779ea85f66c500d9c210126954fd6f9420be63c6c8b. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-172515 Malicious code in verts-otigo-nafgfgoaa (npm)
Source: amazon-inspector d514d1323748fbdf510d588c651f7dba7770ec509b96e4eeb6937f66c941738c. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in idreesafzal (npm)
Source: amazon-inspector b38ec514435dd7fdfef1b82e354c0a321c2608952bccc5862dbcb663f962a99c. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in polymedr-minus-buipenajar (npm)
Source: amazon-inspector d64dc301f17098e80e67d7afbe583d3d9fee7a32aec85178a16ab694631a2788. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in tehah-nutawadr-adf (npm)
Source: amazon-inspector 4d785f05bfab38c79b240e88a0dd09626c623281bfa91df55392ee76ccdd7396. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...