CVE-2026-32816

Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the delete, activate, and deactivate modes in modules/groups-roles/groupsroles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF...

Admidio is Missing CSRF Protection on Role Membership Date Changes

Summary The savemembership action in modules/profile/profilefunction.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stopmembership and removeformermembership against the CSRF token but omits savemembership from that...

CVE-2020-37106

The CVE-2020-37106 issue affects Business Live Chat Software 1.0 and is described as a cross-site request forgery (CSRF) vulnerability. A remote attacker can craft a malicious HTML form that sends a POST to the user creation endpoint with administrative access parameters to change user account ro...

EUVD-2020-31038

Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without...

GHSA-VM6G-8R4H-22X8 Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)

Summary A typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. Impact An attacker can bypass Qwik City’s Origin-based CSRF protections and perform forged form submissions, potentially causing unauthorized state changes...

CVE-2025-10309

The PayPal Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the form creation and management functions. This makes it possible for unauthenticated attackers to create new PayPal forms and...

CVE-2024-6254

The Brizy – Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing or incorrect nonce validation on form submissions. This makes it possible for unauthenticated attackers to submit forms intended for public...

CVE-2022-24434

This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes...

CSRF Vulnerability in AITO Website Builder System

AITU Network Technology Co., Ltd. is an information IT service company dedicated to website construction, portal, talent recruitment system development, software design, system development, and e-commerce applications. There is a CSRF vulnerability in the Love Road Network website builder system,...