Concrete CMS 跨站请求伪造漏洞

Concrete CMS is an open-source content management system designed for teams. Versions of Concrete CMS prior to 9.5.0 had a cross-site request forgeing vulnerability. This vulnerability stems from the function concrete/controllers/backend/file addFavoriteFolder$id, which is vulnerable to cross-sit...

PT-2026-42702

Name of the Vulnerable Software and Affected Versions KnpSnappyBundle affected versions not specified Description An issue exists that allows Server-Side Request Forgery SSRF and local file read. This occurs when applications allow user-supplied input to be passed directly to the Snappy library,...

Concrete CMS 跨站请求伪造漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier had a cross-site request forgeing vulnerability. This vulnerability occurred due to the lack of validation of the CSRF token before processing requests like...

Concrete CMS 跨站请求伪造漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier had a cross-site request forgeing vulnerability. This vulnerability stemmed from the lack of validation of CSRF tokens, which could allow attackers to overwrite PHP files...

PT-2026-42653

Summary A Server-Side Request Forgery SSRF vulnerability in get image info allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services e.g., AWS 169.254.169.254. This is a blind SSRF with confirmed internal port scanni...

CVE-2026-30118

scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery SSRF in the scalarurl query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to...

GO-2026-4966 monetr: Server-side request forgery in Lunch Flow link creation and refresh in github.com/monetr/monetr

monetr: Server-side request forgery in Lunch Flow link creation and refresh in github.com/monetr/monetr...

CVE-2026-6405 Anomify AI <= 0.3.6 - Cross-Site Request Forgery

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF leading to Stored Cross-Site Scripting XSS in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output...

Astra Linux - уязвимость в jetty9

Eclipse Jetty is a lightweight, highly scalable Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class performs insufficient validation on the authority segment of a URI. However, the behavior of HttpURI differs from that of common...

Astra Linux - уязвимость в batik

Server-side Request Forgery SSRF vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik version 1.16. A malicious SVG can probe user profile/data and send it directly as a parameter to a URL...

CVE-2026-6395 Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

CVE-2026-6395 Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

CVE-2026-6401 Bottom Bar <= 0.1.7 - Cross-Site Request Forgery to Settings Update

The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms main settings, sharing...

CVE-2026-6400 Child Height Predictor by Ostheimer <= 1.3 - Cross-Site Request Forgery to Settings Update via Plugin Settings Form

The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options function, which handles plugin settings updates. The form template does not include a...

CVE-2026-6401

The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms main settings, sharing...

CVE-2026-6394

CVE-2026-6394 affects Nexa Blocks ≤ 1.1.1 (WordPress Gutenberg/FSE plugin). The import_demo() function accepts a user-supplied URL in demo_json_file via POST and forwards it to wp_remote_get() without URL validation or internal-network restrictions, enabling unauthenticated SSRF to arbitrary dest...

EUVD-2026-31028

The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious...

CVE-2026-8420 BLOGCHAT Chat System <= 1.3.6.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update

The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious...

CVE-2026-6391 Sentence To SEO (keywords, description and tags) <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page Parameters

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the createadminpage function. This makes it possible for unauthenticated attackers...

CVE-2026-6452 Bigfishgames Syndicate <= 1.2 - Cross-Site Request Forgery to Settings Reset and Update

The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgamessyndicatesubmenu function. This makes it possible for unauthenticated attackers to reset...