Lucene search
116 matches found

RedhatCVE, added 2026/02/11 1:33 a.m., 7 views

CVE-2026-25812

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism...

CVSS 9.3, AI score 5.5, EPSS 0.00142
Exploits 0, References 1

Cvelist, added 2026/02/09 9:03 p.m., 27 views

CVE-2026-25812 PlaciPy is Missing CSRF Protection on State-Changing Endpoints

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism...

CVSS 9.3, EPSS 0.00142
Exploits 0, References 1

ATTACKERKB, added 2026/01/16 7:50 p.m., 3 views

CVE-2026-23731

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, the web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing and Content-Security-Policy with...

CVSS 4.3, AI score 5.5, EPSS 0.00272
Exploits 1, References 4, Affected Software 1

RedhatCVE, added 2026/01/16 2:23 p.m., 3 views

CVE-2026-22918

An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data...

CVSS 8.2, AI score 6.8, EPSS 0.00286
Exploits 0, References 1

ATTACKERKB, added 2026/01/15 1:08 p.m., 4 views

CVE-2026-22918

An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data...

CVSS 8.2, AI score 5.5, EPSS 0.00286
Exploits 0, References 7

RedhatCVE, added 2026/01/09 10:15 a.m., 6 views

CVE-2019-2298

Protection is missing while accessing md sessions info via macro which can lead to use-after-free in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640,...

CVSS 7.8, AI score 9.3, EPSS 0.00195
Exploits 0, References 1

Vulnrichment, added 2025/12/26 12:00 a.m., 2 views

CVE-2025-67013

The web management interface in ETL Systems Ltd DEXTRA Series' Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints...

AI score 6.6, EPSS 0.00154
Exploits 1, References 2

EUVD, added 2025/12/02 3:30 p.m., 5 views

EUVD-2025-200254

Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition because of a lack of integrity protection...

AI score 6.4, EPSS 0.00148
Exploits 1, References 3

CVE, added 2025/12/02 12:00 a.m., 9 views

CVE-2025-59700

The CVE affects Entrust nShield devices: Connect XC, nShield 5c, and nShield HSMi up to versions 13.6.11 and 13.7. The root cause is insufficient integrity protection on the Recovery Partition, enabling a physically proximate attacker with root access to modify it. Impact includes potential compr...

CVSS 5.8, AI score 6.5, EPSS 0.00148
Exploits 1, References 2, Affected Software 1

Positive Technologies, added 2025/12/02 12:00 a.m., 5 views

PT-2025-48701

Name of the Vulnerable Software and Affected Versions: Entrust nShield Connect XC versions through 13.6.11; Entrust nShield 5c versions through 13.6.11; Entrust nShield HSMi versions through 13.6.11; Entrust nShield Connect XC version 13.7; Entrust nShield 5c version 13.7; Entrust nShield HSMi version...

CVSS 5.8, AI score 6.6, EPSS 0.00148
Exploits 1, References 7

Positive Technologies, added 2025/11/17 12:00 a.m., 7 views

PT-2025-47111

Name of the Vulnerable Software and Affected Versions: Chunghwa Telecom TenderDocTransfer (affected versions not specified). Description: The application establishes a local web server and offers APIs for communication. A lack of CSRF protection in the APIs allows unauthenticated remote attackers to...

CVSS 7.1, AI score 6.4, EPSS 0.00203
Exploits 0, References 10

CNNVD, added 2025/11/10 12:00 a.m., 3 views

SourceCodester Simple Public Chat Room Security Vulnerability

SourceCodester Simple Public Chat Room is an open-source simple public chat room from SourceCodester. A security vulnerability exists in SourceCodester Simple Public Chat Room version 1.0, which stems from the sendmessage.php endpoint not implementing a CSRF protection mechanism, which could...

CVSS 6.5, AI score 6.6, EPSS 0.00129
Exploits 1, References 3

Cvelist, added 2025/10/27 6:00 a.m., 8 views

CVE-2025-11154 IDonate < 2.1.13 - Unauthenticated User Deletion

The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users...

EPSS 0.0013
Exploits 1, References 1

CVE, added 2025/10/27 6:00 a.m., 18 views

CVE-2025-11154

CVE-2025-11154 affects IDonate for WordPress, vulnerable in versions prior to 2.1.13 due to missing authorization and CSRF protection when deleting users via an action handler. This unauthenticated flow allows an attacker to delete arbitrary users. Reported across multiple sources (Wordfence, Pat...

CVSS 5.4, AI score 6.6, EPSS 0.0013
Exploits 1, References 1, Affected Software 1

EUVD, added 2025/10/07 12:30 a.m., 7 views

EUVD-2021-11467

Malware in sbrugna...

CVSS 8.8, AI score 8.4, EPSS 0.00821
Exploits 2, References 3

EUVD, added 2025/10/03 8:07 p.m., 4 views

EUVD-2022-34535

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.5, EPSS 0.00375
Exploits 2, References 1

BDU FSTEC, added 2025/07/13 12:00 a.m., 5 views

The vulnerability of the ColdFusion software platform, related to the lack of measures taken to protect the website structure, allows attackers to execute arbitrary code.

The vulnerability of the ColdFusion software platform is related to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary code remotely...

CVSS 6.4, AI score 5.9, EPSS 0.01085
Exploits 0, References 2

RedhatCVE, added 2025/05/23 5:41 a.m., 2 views

CVE-2023-0520

The RapidExpCart WordPress plugin through 1.0 does not sanitize and escape the url parameter in the rapidexpcart endpoint before storing it and outputting it back in the page, leading to a Stored Cross-Site Scripting vulnerability which could be used against high-privilege users such as admin,...

CVSS 5.4, AI score 5.2, EPSS 0.00239
Exploits 2, References 1

RedhatCVE, added 2025/05/23 3:15 a.m., 13 views

CVE-2023-2627

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Attacks include but are not limited to: adding arbitrary Clinic Admins/Doctors/etc. and updating the plugin's settings...

CVSS 4.3, AI score 6.8, EPSS 0.00247
Exploits 2, References 1

RedhatCVE, added 2025/05/22 11:17 p.m., 2 views

CVE-2022-36670

PCProtect Endpoint prior to v5.17.470 for Microsoft Windows lacks tamper protection, allowing authenticated attackers with Administrator privileges to modify processes within the application and escalate privileges to SYSTEM via a crafted executable...

CVSS 6.7, AI score 6.7, EPSS 0.00303
Exploits 1, References 1