89297 matches found
CVE-2026-9591
Cross-site request forgery CSRF in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to /api/news-items, due to missing anti-CSRF protection...
NPM: NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint
NPM: NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
NocoDB: Server-Side Request Forgery via Base Migration URL
Summary The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse file:, ftp:, etc. and probing of internal HTTP destinations. Details The migrate endpoint is restricted to the workspace owner...
NPM: NocoDB: Server-Side Request Forgery via Base Migration URL
NPM: NocoDB: Server-Side Request Forgery via Base Migration URL vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Summary The spreadsheet-fetch endpoint axiosRequestMake accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL...
NPM: NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
NPM: NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
CVE-2026-9591 Cross-Site Request Forgery (CSRF) in SimplCommerce News Module
Cross-site request forgery CSRF in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to /api/news-items, due to missing anti-CSRF protection...
EUVD-2026-37710
Cross-site request forgery CSRF in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to /api/news-items, due to missing anti-CSRF protection...
CVE-2026-9591
CVE-2026-9591 documents a CSRF vulnerability in the SimplCommerce News module. The issue is in the NewsItemApiController and allows an unauthenticated remote attacker to create or modify news items as an administrator by submitting a crafted form to /api/news-items, due to missing anti-CSRF prote...
CVE-2026-22342
Unauthenticated Cross Site Request Forgery CSRF in WordPress Dating Theme = 11.2.0 versions...
CVE-2024-35648
Cross-Site request forgery CSRF vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery. This issue affects Emergency Password Reset: from n/a through 8.0...
CVE-2024-34810
Cross-Site request forgery CSRF vulnerability in Extend Themes Skyline WP allows Cross Site Request Forgery. This issue affects Skyline WP: from n/a through 1.0.10...
CVE-2024-34810 WordPress Skyline WP theme <= 1.0.10 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site request forgery CSRF vulnerability in Extend Themes Skyline WP allows Cross Site Request Forgery. This issue affects Skyline WP: from n/a through 1.0.10...
CVE-2026-22342
CVE-2026-22342 affects WordPress Dating Theme (WordPress) versions
CVE-2026-22342 WordPress WordPress Dating Theme theme <= 11.2.0 - Cross Site Request Forgery (CSRF) to Account Takeover vulnerability
Unauthenticated Cross Site Request Forgery CSRF in WordPress Dating Theme = 11.2.0 versions...
WordPress Fusion Builder <3.6.2 - Server-Side Request Forgery
WordPress Fusion Builder plugin before 3.6.2 is susceptible to server-side request forgery. The plugin does not validate a parameter in its forms, which can be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. An attacker can...
Lobe Chat <= v0.150.5 - Server-Side Request Forgery
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause...
PT-2026-50590
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The SafePlaywrightURLLoader uses a validate url function to prevent Server-Side Request Forgery SSRF by checking the IP address of a user-provided URL. However, this validation only occurs for the...
PT-2026-50572
TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing for DNS rebinding bypass. The root cause is a time-of-check to time-of-use gap in the SSRF guard...
Bosch Security Systems IP Cameras Cross-Site Request Forgery (CVE-2021-23849)
A vulnerability in the web-based interface allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user CSRF - Cross Site Request Forgery. This requires the victim to be tricked into clicking a malicious link or opening a malicious website while bei...