43375 matches found
CVE-2026-49215
The CVE-2026-49215 issue affects symfony/ux-live-component in Symfony UX. The vulnerability stems from isLiveComponentRequest() gating #[LiveAction] based on Accept: application/vnd.live-component+html, a CORS-safelisted header that can be set cross-origin without preflight, allowing forged cross...
DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution
DedeCMS 5.7SP2 is susceptible to cross-site request forgery with a corresponding impact of arbitrary code execution because the partcode parameter in a tagtestaction.php request can specify a runphp field in conjunction with PHP code. id: CVE-2018-7700 info: name: DedeCMS 5.7SP2 - Cross-Site...
MAGMI - Cross-Site Request Forgery
MAGMI Magento Mass Importer is vulnerable to cross-site request forgery CSRF due to a lack of CSRF tokens. Remote code execution via phpcli command is also possible in the event that CSRF is leveraged against an existing admin session. id: CVE-2020-5776 info: name: MAGMI - Cross-Site Request...
CVE-2026-15005 Loco Translate <= 2.8.5 - Cross-Site Request Forgery to Remote Code Execution via 'template' Parameter
The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on...
EUVD-2026-44871
The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the...
CVE-2026-11866
The CVE-2026-11866 entry describes a CSRF vulnerability in the WordPress plugin “Appointment Booking Plugin” (LatePoint) before version 5.6.3. The central request dispatcher does not validate a CSRF nonce on several state-changing actions, enabling an attacker to perform privileged actions agains...
CVE-2026-12409
Technical details about CVE-2026-12409 are not publicly available in the provided documents. No connected sources with affected products, versions, impact, or fixes are present. Monitor for updates from official feeds.
CVE-2026-20296
The provided records identify CVE-2026-20296 as a CSRF-based bypass in Splunk Deployment Server within Splunk Enterprise and Splunk Cloud Platform. Affected versions are Splunk Enterprise below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform below 10.5.2605.0, 10.4.2604.7, 10.3.2512...
PT-2026-60233
Name of the Vulnerable Software and Affected Versions Splunk Enterprise versions prior to 10.4.1 Splunk Enterprise versions prior to 10.2.5 Splunk Enterprise versions prior to 10.0.8 Splunk Enterprise versions prior to 9.4.13 Splunk Cloud Platform versions prior to 10.5.2605.0 Splunk Cloud Platfo...
CVE-2026-52100
Cross Site Request Forgery vulnerability in andreimarcu linux-server v.1.0 through v.2.3.8 allows a remote attacker to execute arbitrary code via the uploadPutHandler function...
EUVD-2026-43067
Cross-Site Request Forgery CSRF vulnerability in Drupal Salesforce Suite allows Cross Site Request Forgery. This issue affects Salesforce Suite versions: from 0.0.0 to 5.1.3...
EUVD-2026-42784
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inje...
CVE-2026-15070 Salon Booking System <= 10.30.32 - Cross-Site Request Forgery to Remote Code Execution via 'value' Parameter
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inje...
CVE-2026-4275
CVE-2026-4275 affects the Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress up to version 4.2.3. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw arising from using __return_true as the permission_callback for the /install_plugin and /activate_plugin REST...
CVE-2026-9731
The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.9. This is due to missing or incorrect nonce validation on the pluginsettings function. This makes it possible for unauthenticated attackers to update the plugin's...
PT-2026-56394
Name of the Vulnerable Software and Affected Versions Smash Balloon Social Photo Feed – Easy Social Feeds Plugin versions prior to 6.11.2 Description Cross-Site Request Forgery occurs due to missing or incorrect nonce validation in the maybe connection data function. This allows unauthenticated...
CVE-2026-58315
Cross-site request forgery vulnerability exists in SEIKO EPSON Web Config. If a user views a malicious page while logged into Web Config, unintended operations may be performed...
CVE-2026-59713 Leantime - OIDC Login CSRF via Unconditional State Verification Stub
Leantime contains an OIDC login CSRF vulnerability in the verifyState method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the...
CVE-2026-59520 WordPress CrawlWP SEO plugin <= 3.0.16 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability in properfraction CrawlWP SEO allows Cross Site Request Forgery. This issue affects CrawlWP SEO: from n/a through 3.0.16...
WordPress WorkScout-Core plugin <= 1.7.08 - Cross Site Request Forgery (CSRF) to Broken Authentication vulnerability
Cross Site Request Forgery CSRF to Broken Authentication vulnerability discovered by Phat RiO in WordPress Plugin WorkScout-Core versions = 1.7.08...