Lucene search
+L

24 matches found

EUVD
EUVD
added 9 hours ago4 views

EUVD-2026-45082

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS6.1AI score
Exploits0References2
NVD
NVD
added 2026/06/18 8:16 a.m.19 views

CVE-2026-55742

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action 'a=update' modifies group access rights including via cotauthaddgroup without calling cotcheckxg to validate th...

9.6CVSS0.00227EPSS
Exploits0References2
NVD
NVD
added 2026/06/18 8:16 a.m.17 views

CVE-2026-55741

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action 'a=update' processes POST data via cotconfigupdateoptions without calling cotcheckxg to validate...

8.8CVSS0.00176EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/18 6:7 a.m.10 views

EUVD-2026-37856

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.editfolder.php, the folder update action 'a=update' updates folder metadata title, description, public/gallery flags without calling cotcheckxg ...

5.4CVSS5.3AI score0.00116EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/18 6:6 a.m.11 views

EUVD-2026-37855

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.main.php, the file upload action 'a=upload' processes uploaded files without calling cotcheckxg to validate the anti-CSRF token, even though...

8.6CVSS5.4AI score0.00177EPSS
Exploits0References2
OSV
OSV
added 2026/06/18 6:4 a.m.4 views

CVE-2026-55741 Cotonti CSRF in admin.config.php allows unauthorized configuration changes

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action 'a=update' processes POST data via cotconfigupdateoptions without calling cotcheckxg to validate...

8.7CVSS6.1AI score0.00176EPSS
Exploits0References4
OSV
OSV
added 2026/06/04 2:32 p.m.3 views

CVE-2026-43985 Taultulli has CSRF in /configUpdate via missing anti-CSRF and method restriction that allows admin credential takeover

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...

8.8CVSS5.8AI score0.00146EPSS
Exploits0References4
NVD
NVD
added 2026/05/06 8:16 p.m.10 views

CVE-2026-40309

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanent...

7.2CVSS0.00165EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/10 7:40 p.m.4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the type parameter, which is concatenated into an API error message and rendered without HTML escaping. An attacker can execute arbitrary JavaScript code in the context of the backend session by crafting a...

4.1CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/16 6:13 p.m.4 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the BucketsController-actionLoadBucketData endpoint. An attacker can retrieve a list of accessible buckets by sending a request with a valid CSRF token, even without authentication. Remediation Upgrade...

6.9CVSS5.8AI score0.00344EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/04 12:30 a.m.5 views

EUVD-2026-9348

Missing Authorization vulnerability in OpenText™ Filr allows Authentication Bypass. The vulnerability could allow unauthenticated users to get XSRF token and do RPC with carefully crafted programs. This issue affects Filr: through 25.1.2...

8.3CVSS5.9AI score0.00342EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/12/08 12:9 p.m.4 views

CVE-2025-42616 CSRF vulnerability in CIRCL Vulnerability-Lookup

Some endpoints in vulnerability-lookup that modified application state e.g. changing database entries, user data, configurations, or other privileged actions may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site...

7CVSS6.7AI score0.00151EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/04/22 12:0 a.m.6 views

Moodle 跨站请求伪造漏洞

Moodle is Moodle open source set of free e-learning software platform, also known as course management system, learning management system or virtual learning environment. Moodle suffers from a cross-site request forgery vulnerability that stems from the lack of an anti-cross-site request forgery...

8.8CVSS6.7AI score0.00269EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2025/02/24 5:53 a.m.170 views

Exploit for Cross-Site Request Forgery (CSRF) in Selldone Storefront

🚨 CVE-2025-26206: Cross-Site Request Forgery CSRF in Sell Do...

9CVSS7.8AI score0.00573EPSS
Exploits3
BDU FSTEC
BDU FSTEC
added 2024/04/09 12:0 a.m.10 views

The vulnerability of the SportsTeams extension of the software for implementing the MediaWiki hypertext environment allows a hacker to compromise the integrity of the protected information.

The vulnerability of the SportsTeams extension of the software for implementing the hypertext environment MediaWiki is related to the lack of checks for the anti-CSRF token in Special:SportsTeamsManager and Special:UpdateFavoriteTeams. Exploiting this vulnerability could allow a malicious actor t...

5.3CVSS5.9AI score0.00186EPSS
Exploits0References4Affected Software2
CNNVD
CNNVD
added 2022/10/31 12:0 a.m.3 views

Lfi-ProcessWire Cms 跨站请求伪造漏洞

Ryan Cramer Design Lfi-ProcessWire Cms is a free content management system Cms and framework Cmf from Ryan Cramer Design USA designed to save you time and work the way you want. A cross-site request forgery vulnerability exists in Lfi-ProcessWire Cms version v3.0.200, which stems from Althoug...

6.5CVSS6.3AI score0.00265EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2022/07/06 11:15 a.m.33 views

CVE-2022-35229

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict...

5.4CVSS7.3AI score0.00725EPSS
Exploits0References4
OSV
OSV
added 2022/03/09 8:15 p.m.1 views

DEBIAN-CVE-2022-24918

An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all th...

4.4CVSS5.1AI score0.01143EPSS
Exploits0References1
CNNVD
CNNVD
added 2021/04/15 12:0 a.m.5 views

Centreon Web 跨站请求伪造漏洞

Centreon Web is a set of open source system monitoring tools from the French company Centreon . The product mainly provides monitoring functions on the network , system and application resources . A cross-site request forgery vulnerability exists in Centreon-Web in Centreon Platform version 20.10...

6.5CVSS5.4AI score0.00823EPSS
Exploits0References2
CNNVD
CNNVD
added 2021/04/14 12:0 a.m.6 views

MDaemon Webmail 跨站请求伪造漏洞

MDaemon Webmail is a server-side application used to provide mail services from MDaemon, Inc. in the United States. A security vulnerability exists in MDaemon Webmail versions prior to 20.0.4 that allows an attacker to immobilize an ANTI-CSRF token...

8.8CVSS8AI score0.0065EPSS
Exploits1References3
Rows per page
Query Builder