13 matches found
Cross-site Request Forgery (CSRF)
Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the GET routes that change state. An attacker can cause authenticated users to unintentionally delete files or create directories by tricking them into visiting a crafted URL, as there is no validatio...
WWBN AVideo Cross-Site Request Forgery Vulnerability
WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 29.0 contained a cross-site request forgery vulnerability. This vulnerability stemmed from the objects/commentDelete.json.php file, which deleted comments without performi...
CVE-2026-34613
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugin...
Cross-Site Request Forgery (CSRF)
1Panel is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to missing CSRF protections such as anti-CSRF tokens or Origin/Referer validation in the port-change endpoint, which allows an attacker to trick an authenticated user into submitting a malicious request that changes...
OpenClaw Cross-Site Request Forgery Vulnerability
OpenClaw is an AI assistant open-sourced by OpenClaw. OpenClaw suffers from a cross-site request forgery vulnerability that stems from a browser-facing localhost state-changing route accepting cross-origin browser requests without explicit Origin/Referer validation, which can be...
OpenClaw Cross-Site Request Forgery Vulnerability
OpenClaw is an AI assistant open-sourced by OpenClaw. OpenClaw suffers from a cross-site request forgery vulnerability that stems from a browser-facing localhost state-changing route accepting cross-origin browser requests without explicit Origin/Referer validation, which can be...
GHSA-3FQR-4CG8-H96Q OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
Summary: Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. Impact: A malicious website can trigger unauthorized...
CVE-2025-34429
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a...
CVE-2025-34430 1Panel CSRF Panel Name Modification
1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that...
CVE-2025-34430 1Panel CSRF Panel Name Modification
1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that...
CVE-2025-62797
FluxCP is a web-based Control Panel for rAthena servers written in PHP. A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests that are authoriz...
CVE-2025-62797
FluxCP CSRF in the FluxCP-based website template for rAthena servers (PHP) allows state-changing POST requests to be executed via a logged-in user without per-request anti-CSRF tokens or robust Origin/Referer validation. An attacker luring a user to a malicious page can force actions on the user’...
CVE-2024-25286
CVE-2024-25286 concerns a CSRF vulnerability in the 3DSecure 2.0 system, specifically the “3DS Authorization Method” of Redsys (3DSecure 2.0). The issue allows an attacker to submit unauthorized form data by manipulating HTTP Origin and Referer headers, potentially triggering unauthorized transac...