Cross-site Request Forgery (CSRF)

Overview @gitlawb/openclaude is an OpenClaude opens coding-agent workflows to any LLM — OpenAI, Gemini, DeepSeek, Ollama, and 200+ models Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the callback process. An attacker can cause the local server to shu...

GHSA-C73C-X77G-854R OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS

OAuth State Validation Bypass via error Parameter Causes Local Server DoS in MCP Auth Callback --- Description The OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internal...

CVE-2026-42260

Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF wit...

CVE-2026-30810

Pandora FMS versions 777–800 have a Server-Side Request Forgery vulnerability that enables privilege escalation via the API Checker extension (CVE-2026-30810). The CVSSv4 base score is 7.1 (HIGH) with NETWORK vector, LOW attack complexity, and LOW privileges required. Documents confirm SSRF and p...

CVE-2026-30810 Server-Side Request Forgery in API Checker leads to Privilege Escalation

Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800...

CVE-2026-30810 Server-Side Request Forgery in API Checker leads to Privilege Escalation

Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800...

CVE-2026-30807

CVE-2026-30807 is a Cross-Site Request Forgery in Pandora FMS extension/pages for versions 777–800. The flaw allows an attacker to cause unauthorized actions through a crafted page without user interaction beyond visiting the page; CVSSv4 vector indicates NETWORK attack vector, LOW access complex...

CVE-2026-30807 Cross-Site Request Forgery on Extension Pages

Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800...

CVE-2026-30807 Cross-Site Request Forgery on Extension Pages

Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800...

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...

CVE-2026-42641

Server-Side Request Forgery SSRF vulnerability in ILLID Share This Image share-this-image allows Server Side Request Forgery.This issue affects Share This Image: from n/a through = 2.14...

CVE-2026-42645

Cross-Site Request Forgery CSRF vulnerability in Dmitry V. CEO of "UKR Solution" Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Cross Site Request Forgery.This issue affects Barcode Scanner with Inventory & Order Manager: fro...

CVE-2026-42260 Open-WebSearch: SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`

Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF wit...

CVE-2026-42260

Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF wit...

Vulnerabilities found in various SAP products

SAP has identified vulnerabilities in the following SAP products: SAP S/4HANA, SAP Commerce Cloud, SAP Forecasting & Replenishment, SAP NetWeaver Application Server for ABAP, SAP Business Server Pages, SAP BusinessObjects Business Intelligence Platform, SAP Strategic Enterprise Management Scoreca...

EUVD-2026-29417

The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification via checkadminreferer or wpverifynonce in the...

EUVD-2026-29418

The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyiadminpage function. This makes it possible for unauthenticated attackers to update the plugin's...

EUVD-2026-29409

The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaAppsAdminAppPage function. This makes it possible for unauthenticated attackers to trick a site...

EUVD-2026-29416

The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicio...

EUVD-2026-29412

The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify t...