89651 matches found

Positive Technologies
added 2026/05/11 12:00 a.m., 11 views

PT-2026-39654

Name of the Vulnerable Software and Affected Versions HireFlow version 1.2 Description The software fails to implement Cross-Site Request Forgery CSRF token validation on state-changing POST endpoints. This allows an attacker to trick an authenticated user into visiting a malicious page to perfor...

CVSS 8.1 | AI score 5.9 | EPSS 0.00168
Exploits: 1 | References: 7
ATTACKERKB
added 2026/05/11 12:00 a.m., 8 views

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...

AI score 6 | EPSS 0.00168
Exploits: 1 | References: 4
Positive Technologies
added 2026/05/11 12:00 a.m., 11 views

PT-2026-39627

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions prior to 9.15 Description Local file inclusion LFI and server-side request forgery SSRF issues exist in the LLM API configuration endpoints. Authenticated users can read arbitrary server-side files by providing a path to the...

CVSS 7.1 | AI score 5.9 | EPSS 0.00217
Exploits: 0 | References: 8
Positive Technologies
added 2026/05/11 12:00 a.m., 15 views

PT-2026-39755

A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the component updatePlatformConfigByKey Endpoint. Such manipulation of the argument weixinUrl lead...

CVSS 5.8 | AI score 5.5 | EPSS 0.00223
Exploits: 0 | References: 6
Tenable Nessus
added 2026/05/11 12:00 a.m., 9 views

Unity Linux 20.1070e Security Update: xstream (UTSA-2026-017732)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017732 advisory. XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated...

CVSS 7.7 | AI score 7.2 | EPSS 0.82238
Exploits: 4 | References: 4
Tenable Nessus
added 2026/05/11 12:00 a.m., 9 views

Unity Linux 20.1070e Security Update: batik (UTSA-2026-017770)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017770 advisory. Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an...

CVSS 8.2 | AI score 6.9 | EPSS 0.13635
Exploits: 0 | References: 4
CVE
added 2026/05/11 12:00 a.m., 14 views

CVE-2026-38566

CVE-2026-38566 affects HireFlow v1.2. The issue is CSRF on all state-changing POST endpoints (e.g., /profile password change, /candidates/delete/, /feedback/add/, /interviews/add) due to missing CSRF token validation and no SESSION_COOKIE_SAMESITE configuration. Root cause: CSRF token validation ...

CVSS 8.1 | AI score 6 | EPSS 0.00168
Exploits: 1 | References: 3
Positive Technologies
added 2026/05/11 12:00 a.m., 13 views

PT-2026-39754

Name of the Vulnerable Software and Affected Versions Next.js versions 15.2.0 through 15.5.17 Next.js versions 16.0.0 through 16.2.5 Description A flaw exists where a previous security fix was not correctly applied to middleware.ts when used in conjunction with Turbopack, a high-performance...

CVSS 7.5 | AI score 5.6 | EPSS 0.00386
Exploits: 0 | References: 11
Packet Storm
added 2026/05/11 12:00 a.m., 88 views

Grafana 11.2.0 Server-Side Request Forgery

This Python script targets a server-side request forgery vulnerability in Grafana version 11.2.0. It abuses a path traversal flaw in the /render endpoint to make the server send requests to internal or otherwise restricted resources...

CVSS 7.6 | AI score 7.3 | EPSS 0.94412
Exploits: 6
RedhatCVE
added 2026/05/10 8:20 p.m., 14 views

CVE-2026-5791

Cross-Site request forgery CSRF vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2...

CVSS 6.5 | AI score 5.8 | EPSS 0.0015
Exploits: 0 | References: 1
EUVD
added 2026/05/10 3:31 p.m., 14 views

EUVD-2021-34812

OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and...

CVSS 5.3 | AI score 5.7 | EPSS 0.00126
Exploits: 0 | References: 3
EUVD
added 2026/05/10 3:31 p.m., 11 views

EUVD-2021-34806

OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and accoun...

CVSS 6.9 | AI score 5.7 | EPSS 0.00151
Exploits: 0 | References: 5
EUVD
added 2026/05/10 3:31 p.m., 33 views

EUVD-2022-55976

WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the options-general.php page...

CVSS 5.3 | AI score 5.7 | EPSS 0.0013
Exploits: 0 | References: 4
Snyk
added 2026/05/10 2:19 p.m., 8 views

Cross-site Request Forgery (CSRF)

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the /account/edit endpoint. An attacker can alter account details, such as email addresses, by tricking users into visiting malicious pages, and subsequentl...

CVSS 8.3 | AI score 5.8 | EPSS 0.00151
Exploits: 0 | References: 2
Snyk
added 2026/05/10 2:17 p.m., 9 views

Cross-site Request Forgery (CSRF)

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the account/password process. An attacker can change user passwords by sending crafted requests to the relevant endpoint, potentially hijacking accounts...

CVSS 7.4 | AI score 5.8 | EPSS 0.00126
Exploits: 0 | References: 2
NVD
added 2026/05/10 1:16 p.m., 12 views

CVE-2022-50955

WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the options-general.php page...

CVSS 5.3 | EPSS 0.0013
Exploits: 0 | References: 3
NVD
added 2026/05/10 1:16 p.m., 21 views

CVE-2021-47946

OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and accou...

CVSS 6.9 | EPSS 0.00151
Exploits: 0 | References: 4
NVD
added 2026/05/10 1:16 p.m., 16 views

CVE-2021-47953

OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and...

CVSS 5.3 | EPSS 0.00126
Exploits: 0 | References: 2
Cvelist
added 2026/05/10 12:52 p.m., 32 views

CVE-2021-47953 OpenCart 3.0.3.7 Cross-Site Request Forgery via account/password

OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and...

CVSS 5.3 | EPSS 0.00126
Exploits: 0 | References: 2
ATTACKERKB
added 2026/05/10 12:52 p.m., 7 views

CVE-2021-47953

OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and...

CVSS 5.3 | AI score 5.7 | EPSS 0.00126
Exploits: 0 | References: 2 | Affected Software: 1