CVE-2026-27978

Next.js (React framework) vulnerability CVE-2026-27978: in versions 16.0.1 up to 16.1.7, origin: null was treated as missing during Server Action CSRF validation, allowing requests from opaque contexts (e.g., sandboxed iframes) to bypass origin verification and potentially trigger state-changing ...

PT-2026-6472

Summary Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. Impact A vulnerability in checkCSRF lets an attacke...

CVE-2025-43745

A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remo...

PYSEC-2024-171

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable ...

Mozilla Firefox/Thunderbird navigator.sendBeacon implements CORS access control check bypass vulnerability

Mozilla Firefox/SeaMonkey is a WEB browser/newsgroup client released by Mozilla. A CORS access control check bypass vulnerability in the HTTP 30X status code of the Mozilla Firefox Onavigator.sendBeacon implementation that handles redirects allows remote attackers to exploit the vulnerability to...