Lucene search
K

6 matches found

RedhatCVE
RedhatCVE
added 2026/04/22 7:22 p.m.5 views

CVE-2026-41194

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...

5.4CVSS5.6AI score0.0012EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/21 5:16 p.m.6 views

EUVD-2026-24225

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...

5.4CVSS5.6AI score0.0012EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/21 5:16 p.m.2 views

CVE-2026-41194 FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...

5.4CVSS5.6AI score0.0012EPSS
Exploits0References3
CVE
CVE
added 2026/04/21 5:16 p.m.13 views

CVE-2026-41194

FreeScout before 1.8.215 exposes a GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider} action that removes stored OAuth metadata without CSRF protection, enabling cross-site triggering against a logged-in mailbox admin. Root cause: GET route lacks CSRF token validation. Impact: potential unaut...

5.4CVSS5.6AI score0.0012EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/11 7:36 a.m.6 views

CVE-2026-3903

The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth function. This makes it possible for unauthenticated attacker...

4.3CVSS5.6AI score0.00104EPSS
Exploits0References3
CVE
CVE
added 2026/03/11 7:36 a.m.22 views

CVE-2026-3903

CVE-2026-3903 concerns the Modular DS: Monitor, update, and backup multiple websites plugin for WordPress (Modular Connector

4.3CVSS5.6AI score0.00104EPSS
Exploits0References2
Rows per page
Query Builder