
55986 matches found

RedhatCVE
added 2026/01/07 9:8 a.m., 6 views

CVE-2024-2196

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboar...

CVSS 8.8, AI score 8.6, EPSS 0.00531
Exploits 1, References 1

RedhatCVE
added 2026/01/07 9:8 a.m., 10 views

CVE-2024-2288

A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without thei...

CVSS 8.3, AI score 7.9, EPSS 0.00258
Exploits 1, References 1

IBM Security Bulletins
added 2026/01/07 9:0 a.m., 4 views

Security Bulletin: IBM Operations Analytics - Log Analysis is affected by CSRF Token Replay Attack

Summary: IBM Operations Analytics – Log Analysis uses CSRF tokens to prevent unauthorised actions from being performed by an attacker on behalf of an authenticated user. CVE-2024-40685. Vulnerability Details: CVEID: CVE-2024-40685. DESCRIPTION: IBM SmartCloud Analytics - Log Analysis is vulnerable to...

CVSS 4.3, AI score 6.6, EPSS 0.00128
Exploits 0, Affected Software 1

Vulnrichment
added 2026/01/07 8:21 a.m., 5 views

CVE-2025-13521 WP Status Notifier <= 1.0 - Cross-Site Request Forgery to Settings Update

The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin...

CVSS 4.3, AI score 5, EPSS 0.00124
Exploits 0, References 3

Vulnrichment
added 2026/01/07 8:21 a.m., 2 views

CVE-2025-13520 MTCaptcha WordPress Plugin <= 2.7.2 - Cross-Site Request Forgery to Settings Update

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugi...

CVSS 4.3, AI score 4.9, EPSS 0.0014
Exploits 0, References 3

Vulnrichment
added 2026/01/07 8:21 a.m., 4 views

CVE-2025-14999 Latest Tabs <= 1.5 - Cross-Site Request Forgery to Plugin's Settings Update

The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin...

CVSS 4.3, AI score 5, EPSS 0.00102
Exploits 0, References 2

Vulnrichment
added 2026/01/07 7:5 a.m., 2 views

CVE-2025-31963 HCL BigFix IVR is impacted by improper authentication and missing CSRF protection

Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests...

CVSS 2.9, AI score 6.5, EPSS 0.00082
Exploits 0, References 1

Vulnrichment
added 2026/01/07 6:35 a.m., 3 views

CVE-2025-13657 HelpDesk contact form plugin <= 1.1.5 - Cross-Site Request Forgery to Settings Update via handle_query_args

The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args function. This makes it possible for unauthenticated attackers to update the plugin's...

CVSS 4.3, AI score 4.9, EPSS 0.00128
Exploits 0, References 4

Vulnrichment
added 2026/01/07 4:32 a.m., 3 views

CVE-2025-14468 AMP for WP – Accelerated Mobile Pages <= 1.1.9 - Cross-Site Request Forgery to Comment Submission

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the ampthemeajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts...

CVSS 4.3, AI score 5.3, EPSS 0.00132
Exploits 0, References 5

Positive Technologies
added 2026/01/07 12:0 a.m., 3 views

PT-2026-1550

Name of the Vulnerable Software and Affected Versions: invoiceninja versions prior to 5.12.38. Description: A security issue exists in invoiceninja. The issue involves server-side request forgery (SSRF) stemming from manipulation of the company logo argument within the copy function of the...

CVSS 5.8, AI score 6.5, EPSS 0.00223
Exploits 0, References 8

CNNVD
added 2026/01/07 12:0 a.m., 5 views

Invoice Ninja Code Issue Vulnerability

Invoice Ninja is a free invoicing software from Invoice Ninja USA. A code issue vulnerability exists in Invoice Ninja version 5.12.38 and earlier, which stems from the incorrect manipulation of the parameter companylogo in the file /app/Jobs/Util/Import.php of the component Migration Import, whic...

CVSS 5.8, AI score 5, EPSS 0.00223
Exploits 0, References 5

Positive Technologies
added 2026/01/07 12:0 a.m., 6 views

PT-2026-1663

Name of the Vulnerable Software and Affected Versions: minnur External Media versions through 1.0.36. Description: A Server-Side Request Forgery (SSRF) vulnerability exists in minnur External Media. This issue allows for Server Side Request Forgery. Recommendations: Update minnur External Media to a...

CVSS 4.9, AI score 6.7, EPSS 0.00119
Exploits 0, References 3

CNNVD
added 2026/01/07 12:0 a.m., 1 views

WordPress plugin Mamurjor Employee Info Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blogging sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site reque...

CVSS 4.3, AI score 6.6, EPSS 0.00149
Exploits 0, References 7

Patchstack
added 2026/01/06 10:10 p.m., 5 views

WordPress Newsletter Email Subscribe plugin <= 2.4 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin Newsletter Email Subscribe versions <= 2.4...

CVSS 4.3, AI score 6.8, EPSS 0.00102
Exploits 0, References 1, Affected Software 1

Patchstack
added 2026/01/06 9:35 p.m., 5 views

WordPress AMP for WP - Accelerated Mobile Pages plugin <= 1.1.9 - Cross-Site Request Forgery to Comment Submission vulnerability

WordPress AMP for WP - Accelerated Mobile Pages plugin <= 1.1.9 - Cross-Site Request Forgery to Comment Submission vulnerability discovered by 0N0ise - cert.pl in WordPress Plugin AMP for WP versions <= 1.1.9...

CVSS 4.3, AI score 6.8, EPSS 0.00132
Exploits 0, References 1, Affected Software 1

Patchstack
added 2026/01/06 8:5 p.m., 6 views

WordPress teachPress plugin <= 9.0.12 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery (CSRF) vulnerability discovered by Nabil Irawan in WordPress Plugin teachPress versions <= 9.0.12...

CVSS 5.4, AI score 7, EPSS 0.00129
Exploits 0, Affected Software 1

EUVD
added 2026/01/06 5:44 p.m., 5 views

EUVD-2026-1038

Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability...

AI score 6.5, EPSS 0.00755
Exploits 2, References 3

Github Security Blog
added 2026/01/06 5:44 p.m., 11 views

Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability

Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources. Description: The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it doe...

CVSS 5.8, AI score 6.9, EPSS 0.00755
Exploits 2, References 5, Affected Software 1

RedhatCVE
added 2026/01/06 5:7 p.m., 2 views

CVE-2025-53344

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery. This issue affects Thim Core: from n/a through 2.3.3...

CVSS 4.3, AI score 5.1, EPSS 0.00098
Exploits 0, References 1

Cvelist
added 2026/01/06 3:52 p.m., 30 views

CVE-2020-36918 iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery via User Management

iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the...

CVSS 5.1, EPSS 0.00142
Exploits 1, References 7