22246 matches found
CVE-2026-15005
The CVE-2026-15005 issue affects the WordPress Loco Translate plugin (versions up to and including 2.8.5). Root cause: missing or incorrect nonce validation in execTemplate enables a CSRF that can bypass path validation and pass a php://filter URI to the include sink via a forged request. This ca...
CVE-2026-11866
The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the...
CVE-2026-11866 LatePoint < 5.6.3 - Multiple Privileged Actions via CSRF
The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the...
CVE-2026-12409
The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.3.6. This is due to missing or incorrect nonce validation on the ulpbadminajax function. Thi...
CVE-2026-12409 Landing Page Builder <= 1.5.3.6 - Cross-Site Request Forgery to ulpb_admin_data AJAX Action
The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.3.6. This is due to missing or incorrect nonce validation on the ulpbadminajax function. Thi...
EUVD-2026-44843
A Cross-Site Request Forgery CSRF vulnerability exists in the xxl-job-admin web application v.3.0.0 that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods via a permissive...
CVE-2026-26718
A Cross-Site Request Forgery CSRF vulnerability exists in the xxl-job-admin web application v.3.0.0 that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods via a permissive...
CVE-2026-20296
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.7, 10.3.2512.16, 10.2.2510.18, and 10.1.2507.24, an attacker could trick a user that holds a role with the listdeploymentserver capability into running arbitrary...
CVE-2026-20296
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.7, 10.3.2512.16, 10.2.2510.18, and 10.1.2507.24, an attacker could trick a user that holds a role with the listdeploymentserver capability into running arbitrary...
CVE-2026-47158 Vaultwarden: CSRF in SSO Authorization Flow
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO authorization flow did not bind the OAuth state parameter accepted by /connect/authorize to the initiating browser session, allowed attacker-controlled PKCE parameters, and left SsoAuth records intact...
CVE-2026-15747
A flaw was found in Mojolicious. This vulnerability exposes a stable representation of the session Cross-Site Request Forgery CSRF token to a BREACH compression oracle. When a web server response containing the token is gzip-compressed and also echoes attacker-controlled input, an attacker can us...
CVE-2026-26718
A Cross-Site Request Forgery CSRF vulnerability exists in the xxl-job-admin web application v.3.0.0 that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods via a permissive...
CVE-2026-26718
CVE-2026-26718 – xxl-job-admin 3.0.0 CSRF flaw . A Cross-Site Request Forgery exists in the xxl-job-admin web application (v3.0.0) that enables an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitra...
PT-2026-60330
Name of the Vulnerable Software and Affected Versions xxl-job-admin version 3.0.0 Description A Cross-Site Request Forgery CSRF issue exists in the web application. This occurs because a specific endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods through a permissive...
📄 xxl-job Cross Site Request Forgery
xxl-job versions prior to 3.4.0 suffer from a cross site request forgery vulnerability. Description Summary A Cross-Site Request Forgery CSRF vulnerability exists in the xxl-job-admin web application that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The...
CVE-2026-52100
Cross Site Request Forgery vulnerability in andreimarcu linux-server v.1.0 through v.2.3.8 allows a remote attacker to execute arbitrary code via the uploadPutHandler function...
CVE-2026-58477
SIP (Sustainable Irrigation Platform) up to version 5.2.16 contains a mass assignment flaw where the value-setting interface copies every HTTP parameter into internal settings without whitelisting. This enables unauthenticated attackers to overwrite sensitive configuration such as the passphrase ...
CVE-2026-58476
Sustainable Irrigation Platform (SIP) 5.2.16 is affected by a CSRF vulnerability that allows a remote attacker to trigger state-changing administrative actions by enticing a logged-in administrator to visit a malicious page. The issue arises because HTTP GET requests lack CSRF token validation or...
CVE-2026-11563
The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full...
PT-2026-58293
Name of the Vulnerable Software and Affected Versions Mojolicious versions 4.59 through 9.47 Description The software exposes a stable representation of the session CSRF token to a BREACH compression oracle. This occurs because the csrf token function generates and caches one token per session,...