55970 matches found
GHSA-HM8F-75XX-W2VR sigstore CSRF possibility in OIDC authentication during signing
Summary The sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. Details OAuthSession creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Fix...
GHSA-RQFH-9R24-8C9R AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
An XML External Entity XXE vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocumentString method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualToCharSequence...
EUVD-2025-206347
Blind Server-Side Request Forgery SSRF in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information...
CVE-2025-9522 Blind Server-Side Request Forgery (SSRF) in Omada Controller
Blind Server-Side Request Forgery SSRF in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information...
CVE-2025-9522 Blind Server-Side Request Forgery (SSRF) in Omada Controller
Blind Server-Side Request Forgery SSRF in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information...
CVE-2026-24432
Shenzhen Tenda W30E V2 firmware up to 16.01.0.19(5037) lacks CSRF protections on administrative endpoints, including password changes. An attacker could craft requests that, when triggered by an authenticated user’s browser, modify admin passwords and other settings. Root cause: missing CSRF prot...
CVE-2025-14906
The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave function. This makes it possible for unauthenticated attackers to modify plugin...
CVE-2025-13194
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing nonce verification on the 'SurveyJSRenameSurvey' AJAX...
CVE-2026-1088
The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotionloginformprocess AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login...
CVE-2025-13205 SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 - Cross-Site Request Forgery to Survey Cloning
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the...
CVE-2025-14907
CVE-2025-14907 – Moderate Selected Posts (WordPress) CSRF vulnerability : The WordPress plugin is vulnerable in versions up to 1.4 due to missing nonce verification in the msp_admin_page() function. This enables unauthenticated attackers to modify plugin settings through forged requests if a site...
CVE-2026-1081
The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categorie...
CVE-2026-1088 Login Page Editor <= 1.2 - Cross-Site Request Forgery to Settings Update
The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotionloginformprocess AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login...
CVE-2025-14906
Summary: CVE-2025-14906 affects the WP Youtube Video Gallery plugin for WordPress. The WordPress plugin (WP Youtube Video Gallery) is vulnerable to Cross-Site Forgery (CSRF) in all versions up to and including 1.0 due to missing nonce verification on the wpYTVideoGallerySettingSave() function. Th...
CVE-2026-1076 Star Review Manager <= 1.2.2 - Cross-Site Request Forgery to Settings Update
The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged...
CVE-2026-1070
CVE-2026-1070 refers to the WordPress plugin “Alex User Counter” (versions
WordPress Login Page Editor plugin <= 1.2 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Login Page Editor versions = 1.2...
PT-2026-4600
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS RenameSurvey' AJA...
PT-2026-4577
The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template proxy' function. This makes it possible for unauthenticated attackers to make web...
CVE-2025-67961
Server-Side Request Forgery SSRF vulnerability in Marco van Wieren WPO365 wpo365-login allows Server Side Request Forgery.This issue affects WPO365: from n/a through = 40.0...