PT-2026-45038
Summary modules/registration.php mode send login regenerates a random password for user uuid assigned, stores its bcrypt hash in adm users.usr password, and emails the cleartext to that user. Every other state-changing mode in the same file assign member, assign user, delete user, create user cal...
Nocturne Memory access control error vulnerability
Nocturne Memory is an AI long-term memory server developed by Niwato. Versions prior to Nocturne Memory 2.4.1 contained an access control vulnerability. This vulnerability occurred when the APITOKEN was not set or was empty, allowing the BearerTokenAuthMiddleware to bypass identity verification f...
CVE-2026-38566
HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...
CVE-2026-40935
WWBN/AVideo (versions ≤ 29.0) is affected by a CAPTCHA bypass involving objects/getCaptcha.php. The ql parameter is read directly from the query string without clamping or sanitization, allowing an unauthenticated client to request a 1-character CAPTCHA word. Coupled with a case-insensitive strca...
Cross-site Request Forgery (CSRF)
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the commentDelete.json.php endpoint, which lacks proper validation of request origin and does not require a CSRF token. An...
AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Severity: Medium CWE: CWE-352 Cross-Site Request Forgery Summary The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...
EUVD-2026-17639
AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins...
CVE-2026-34531
CVE-2026-34531 affects Flask-HTTPAuth (Python package) and concerns the token verification callback receiving an empty string when a request targets a token-protected resource without a token or with an empty token. This could allow authentication against any user whose token is an empty string. ...
Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qvr7-g57c-mrc7. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and...
Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client
In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in...
Mura security vulnerability
Mura is a content management system developed by Mura Corporation. Versions of Mura 10.1.10 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the bundled package creation feature lacking CSRF token validation, which could lead to data leakage...
PT-2026-24803
CVE-2026-31954 Emlog is an open source website building system. In 2.6.6 and earlier, the delete async action asynchronous delete lacks a call to LoginAuth::checkToken, enabling… https://t.co/jGjg6aBhCJ...
CVE-2026-27603 Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter missing verifyToken + checkPermissions
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:projectid/chart/:chartid/filter is missing both verifyToken and checkPermissions middleware, allowing...
OrientDB cross-site request forgery vulnerability
OrientDB is an open-source multi-model database developed by OrientDB. In version 3.0.17 of OrientDB, there is a vulnerability related to cross-site request forgery. This vulnerability stems from the lack of token verification at endpoints, which may lead to cross-site request forgery attac...
CVE-2025-59892
Cross-Site Request Forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of...
CVE-2025-61547
Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34 (fixed in 19.76). The application does not implement proper CSRF tokens or other protective measures, allowing a remote attacker to trick authenticated users into...
edu Business Solutions Print Shop Pro WebDesk security vulnerability
edu Business Solutions Print Shop Pro WebDesk is a print order management system from US-based edu Business Solutions. A security vulnerability exists in edu Business Solutions Print Shop Pro WebDesk version 18.34, which stems from a missing CSRF token and could lead to a cross-site request forge...
CVE-2019-16107
Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments...
CVE-2025-63711
A Cross-Site Request Forgery CSRF vulnerability in the SourceCodester Client Database Management System 1.0 allows an attacker to cause an authenticated administrative user to perform user deletion actions without their consent. The application's user deletion endpoint e.g.,...
EUVD-2020-2696
Malware in sbrugna...