Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the function parameter, which is concatenated into an API error message and rendered without HTML escaping. An attacker can execute arbitrary JavaScript code in the context of a backend user's session by...
CVE-2026-34228
Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This...
EUVD-2026-17639
AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins...
EUVD-2026-17628
Admidio is an open-source user management solution. Prior to version 5.0.8, the createuser, assignmember, and assignuser action modes in modules/registration.php approve pending user registrations via GET request without validating a CSRF token. Unlike the deleteuser mode in the same file which...
CVE-2026-33373
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after...
CVE-2026-27146
GetSimple CMS is affected by a CSRF on the administrative file upload endpoint across all versions due to missing CSRF protection. An attacker can craft a malicious page that silently triggers a file upload from an authenticated admin user’s browser without a token or origin validation, enabling ...
CVE-2025-61547
Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.76). The application does not implement proper CSRF tokens or other protective measures, allowing a remote attacker to trick authenticated users into...
PT-2025-49550
Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site...
Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114
This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes; this affects all access checks that are based...
EUVD-2021-30132
Malicious code in bioql PyPI...
EUVD-2021-30133
Malicious code in bioql PyPI...
CVE-2021-43188
In JetBrains YouTrack Mobile before 2021.2, access token protection on iOS is incomplete...
CVE-2021-43189
In JetBrains YouTrack Mobile before 2021.2, access token protection on Android is incomplete...
PT-2024-30808 · WordPress · Wp Armour Extended
Name of the Vulnerable Software and Affected Versions: WP Armour Extended versions 1.26 and earlier Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that...
PT-2024-30503 · Brave · Brave Popup Builder
Name of the Vulnerable Software and Affected Versions: Brave Popup Builder versions 0.7.0 and earlier Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application th...
CVE-2024-6977
A vulnerability in Cato Networks SDP Client on Windows allows the insertion of sensitive information into the log file, which can lead to an account takeover. However, the attack requires bypassing protections on modifying the tunnel token on the attacker's system. This issue affects SDP Client:...
PT-2024-24401 · WordPress · Wp Migration Plugin Db & Files – Wp Synchro
Name of the Vulnerable Software and Affected Versions: WP Migration Plugin DB & Files – WP Synchro versions 1.11.2 and earlier Description: A Cross-Site Request Forgery (CSRF) issue affects the WP Migration Plugin DB & Files – WP Synchro. This issue allows for malicious requests to be made on behal...
CVE-2024-20282
A vulnerability in Cisco Nexus Dashboard could allow an authenticated, local attacker with valid rescue-user credentials to elevate privileges to root on an affected device. This vulnerability is due to insufficient protections for a sensitive access token. An attacker could exploit this...
PT-2024-14096 · Woocommerce · Customize My Account For Woocommerce
Name of the Vulnerable Software and Affected Versions: Customize My Account for WooCommerce versions 1.8.3 and earlier Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability in Customize My Account for WooCommerce. This type of vulnerability allows an attacker to trick a user...
PT-2024-14239 · WordPress · Duplicator – Wordpress Migration & Backup Plugin
Name of the Vulnerable Software and Affected Versions: Duplicator – WordPress Migration & Backup Plugin versions 1.5.7 and earlier Description: A Cross-Site Request Forgery (CSRF) issue affects the Duplicator – WordPress Migration & Backup Plugin. This issue allows for malicious requests to be made...