5 matches found
CVE-2026-40883 goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory creation
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because...
CVE-2025-13142
CVE-2025-13142 affects the WordPress plugin Custom Post Type. The vulnerability is a Cross-Site Request Forgery (CSRF) on the custom post type deletion functionality, arising from missing nonce validation. This allows unauthenticated attackers to trigger deletions by tricking a site administrator...
CVE-2024-35108
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/homeProdeal.php?mudi=del&dataType=&dataTypeCN...
CVE-2023-5990
The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor WordPress plugin before 3.4.2 does not have CSRF checks on some of its form actions such as deletion and duplication, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks...
CVE-2023-30607 icingaweb2-module-jira template and field configuration are susceptible to CSRF
icingaweb2-module-jira provides integration with Atlassian Jira. Starting in version 1.3.0 and prior to version 1.3.2, template and field configuration forms perform the deletion action before user input is validated, including the cross-site request forgery token. This issue is fixed in version...