Lucene search
+L

648 matches found

NVD
NVD
added 2026/05/06 8:16 p.m.10 views

CVE-2026-40309

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanent...

7.2CVSS0.00165EPSS
Exploits0References1
NVD
NVD
added 2026/05/06 8:16 p.m.8 views

CVE-2026-40174

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds,...

7.1CVSS0.00165EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/06 7:54 p.m.10 views

CVE-2026-40325

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.restore function does not properly validate anti-CSRF tokens for content restoration requests. An attacker can trick a logged-in administrator to submit a forged request that restores deleted...

8.7CVSS5.7AI score0.00151EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/06 7:42 p.m.9 views

EUVD-2026-28156

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanent...

7.2CVSS5.7AI score0.00165EPSS
Exploits0References1
CVE
CVE
added 2026/05/06 7:40 p.m.13 views

CVE-2026-40174

Masa CMS CSRF in user address management (cUsers.updateAddress) affects versions 7.5.2 and earlier. An attacker can lure a logged-in administrator into submitting forged requests to add, modify, or delete user address records (including emails and phone numbers), potentially altering contact info...

7.1CVSS5.7AI score0.00165EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/06 7:40 p.m.7 views

CVE-2026-40174 Masa CMS CSRF in user address management allows unauthorized address changes

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds,...

7.1CVSS5.7AI score0.00165EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/06 7:40 p.m.5 views

CVE-2026-40174

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds,...

7.1CVSS5.7AI score0.00165EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.13 views

PT-2026-38226

Name of the Vulnerable Software and Affected Versions Masa CMS versions prior to 7.2.10 Masa CMS versions prior to 7.3.15 Masa CMS versions prior to 7.4.10 Masa CMS versions prior to 7.5.3 Description The cUsers.updateAddress function fails to properly validate anti-CSRF Cross-Site Request Forger...

7.1CVSS5.8AI score0.00165EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/06 12:0 a.m.13 views

Masa CMS 跨站请求伪造漏洞

Masa CMS is a digital experience platform organized by Masa CMS. Versions of Masa CMS 7.5.2 and earlier contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the cTrash.empty function not verifying the anti-CSRF token, which could allow attackers to induce...

7.2CVSS5.7AI score0.00165EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/05 3:31 a.m.7 views

EUVD-2026-27203

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settingspagebuild function. This makes it possible for unauthenticated attackers to trick a logged-in...

4.3CVSS5.7AI score0.00128EPSS
Exploits0References6
NVD
NVD
added 2026/05/05 3:16 a.m.42 views

CVE-2026-6702

The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated attackers t...

6.1CVSS0.0012EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/05 2:26 a.m.8 views

CVE-2026-6702

The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated attackers t...

6.1CVSS5.7AI score0.0012EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/05/05 2:26 a.m.3 views

CVE-2026-6700

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settingspagebuild function. This makes it possible for unauthenticated attackers to trick a logged-in...

4.3CVSS5.7AI score0.00128EPSS
Exploits0References6
NVD
NVD
added 2026/04/30 4:16 p.m.18 views

CVE-2026-36960

A Cross-Site Request Forgery CSRF vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft ...

8.8CVSS0.00173EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/30 12:0 a.m.5 views

CVE-2026-36956

A Cross-Site Request Forgery CSRF vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An...

5.5AI score0.00163EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/30 12:0 a.m.3 views

CVE-2026-36960

A Cross-Site Request Forgery CSRF vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft ...

5.4AI score0.00173EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/30 12:0 a.m.7 views

EUVD-2026-26386

A Cross-Site Request Forgery CSRF vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft ...

8.8CVSS5.4AI score0.00173EPSS
Exploits0References2
OSV
OSV
added 2026/04/29 9:56 p.m.6 views

GHSA-25CW-98HG-G3CG Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests

Summary The Admidio SAML Identity Provider implementation discards the return value of its validateSignature method at both call sites handleSSORequest line 418 and handleSLORequest line 613. The method returns error strings on failure rather than throwing exceptions, but the developer believed i...

8.2CVSS6.1AI score0.00191EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/29 9:56 p.m.8 views

Improper Verification of Cryptographic Signature

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to improper validation of SAML signatures in the authentication and logout...

8.8CVSS5.8AI score0.00191EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/29 12:0 a.m.15 views

PT-2026-36106

Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9 Description The SAML Identity Provider implementation fails to properly handle the return value of the validateSignature function. This function returns error strings upon failure instead of throwing exceptions,...

8.2CVSS5.8AI score0.00191EPSS
Exploits0References6
Rows per page
Query Builder