Lucene search
+L

10337 matches found

EUVD
EUVD
added 2026/06/24 5:33 a.m.11 views

EUVD-2026-38669

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel blcapmainpage and on the Hall of Shame and Log subpages, which accept a 'blcapaction' / 'action'...

4.3CVSS5.9AI score0.00146EPSS
Exploits0References6
CVE
CVE
added 2026/06/24 5:33 a.m.19 views

CVE-2026-10552

The CVE-2026-10552 entry concerns the WordPress plugin Blue Captcha (versions up to 2.0.1). It documents a Cross-Site Request Forgery (CSRF) flaw caused by missing or incorrect nonce validation on the main admin page (blcap_main_page) and on Hall of Shame and Log subpages. These pages accept a bl...

4.3CVSS5.9AI score0.00146EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/24 5:33 a.m.8 views

EUVD-2026-38665

The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordeskadminhome function. This makes it possible for unauthenticated attackers to update the plugin's...

4.3CVSS5.8AI score0.00145EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.36 views

CVE-2026-9721 Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settingsform/updatesettings functionality. The plugin's options page handler dispatches on the...

4.3CVSS0.00103EPSS
Exploits0References4
CVE
CVE
added 2026/06/24 5:33 a.m.14 views

CVE-2026-9721

CVE-2026-9721 affects the Book a Room Event Calendar plugin for WordPress (versions up to 1.9). The vulnerability is a Cross-Site Request Forgery due to missing nonce validation on the settings_form()/update_settings() flow. The plugin’s settings page accepts POST actions and persists configurati...

4.3CVSS5.8AI score0.00103EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.14 views

PT-2026-51678

Name of the Vulnerable Software and Affected Versions MP Customize Login Page versions prior to 1.1 Description The MP Customize Login Page plugin for WordPress is subject to Cross-Site Request Forgery CSRF, a flaw where an attacker tricks a logged-in user into performing unwanted actions. The...

4.3CVSS5.9AI score0.00176EPSS
Exploits0References12
Jenkins Security Advisories
Jenkins Security Advisories
added 2026/06/24 12:0 a.m.7 views

CSRF vulnerability and missing permission check in contrast-continuous-application-security

contrast-continuous-application-security 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, AP...

5.4CVSS5.8AI score0.00167EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2026/06/24 12:0 a.m.10 views

CSRF vulnerability and missing permission check in zdevops

zdevops 1.1.3.50.ve350c9b450b1 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...

4.2CVSS5.8AI score0.0014EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/06/23 8:39 p.m.2 views

CVE-2026-46550 NocoDB: Refresh Token Cookie Set Without `Secure` and `SameSite` Flags

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it t...

5.4CVSS5.8AI score0.00099EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/06/23 4:38 p.m.7 views

WordPress Osiris Signature Banner plugin <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin Osiris Signature Banner versions = 0.5...

6.1CVSS5.8AI score0.00135EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/23 2:37 p.m.6 views

BIT-APISIX-2026-49871 Apache APISIX: cas-auth login CSRF / session injection issue

Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...

9.3CVSS5.9AI score0.00261EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/22 5:39 p.m.50 views

CVE-2026-53663 React Router: `handleDocumentRequest` CSRF check covers `POST` only; PUT/PATCH/DELETE bypass

React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight,...

3.1CVSS0.00106EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 6:0 a.m.6 views

CVE-2026-7859

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices...

5.3CVSS6AI score0.00117EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/22 6:0 a.m.14 views

EUVD-2026-38214

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices...

5.3CVSS6AI score0.00117EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/19 1:18 p.m.42 views

CVE-2026-49871 Apache APISIX: cas-auth login CSRF / session injection issue

Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...

2.1CVSS0.00261EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/19 1:18 p.m.15 views

EUVD-2026-38025

Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...

2.1CVSS5.9AI score0.00261EPSS
Exploits0References1
CVE
CVE
added 2026/06/19 1:18 p.m.57 views

CVE-2026-49871

CVE-2026-49871 describes a Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations in Apache APISIX versions 3.0.0–3.16.0. The issue allows a remote attacker who can lure a victim to a controlled webpage to cause the victim’s browser to become authentic...

9.3CVSS5.9AI score0.00261EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/19 1:18 p.m.3 views

CVE-2026-49871 Apache APISIX: cas-auth login CSRF / session injection issue

Cross-Site Request Forgery CSRF vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim...

2.1CVSS7.2AI score0.00261EPSS
Exploits0References4
CVE
CVE
added 2026/06/19 4:31 a.m.21 views

CVE-2026-10034

The CVE concerns the WordPress plugin WP DSGVO Tools (GDPR) with versions up to and including 3.1.39. The core issue is improper authorization verification on the subject-access-request (SAR) AJAX endpoints (process_now and is_ajax), enabling unauthenticated attackers to supply a victim email and...

5.3CVSS5.5AI score0.00385EPSS
Exploits0References12
OSV
OSV
added 2026/06/18 6:5 a.m.4 views

CVE-2026-55742 Cotonti CSRF in admin.rights.php allows privilege escalation

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action 'a=update' modifies group access rights including via cotauthaddgroup without calling cotcheckxg to validate th...

9.4CVSS6.3AI score0.00227EPSS
Exploits0References4
Rows per page
Query Builder