CVE-2026-40929

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

EUVD-2026-32017

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: funcr http.Request bool return true , accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables...

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...

PT-2026-39654

Name of the Vulnerable Software and Affected Versions HireFlow version 1.2 Description The software fails to implement Cross-Site Request Forgery CSRF token validation on state-changing POST endpoints. This allows an attacker to trick an authenticated user into visiting a malicious page to perfor...

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...

PT-2026-34199

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions prior to 29.1 Description A state-mutating JSON endpoint 'objects/commentDelete.json.php' fails to perform Cross-Site Request Forgery CSRF validation. The endpoint does not utilize the forbidIfIsUntrustedRequest function,...

CVE-2026-33507

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting...

HCL AION Cross-Site Request Forgery Vulnerability

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from a cross-site request forgery vulnerability that stems from a missing or insecure SameSite attribute of a cookie, and no detailed vulnerability details are provided at this time...

CVE-2025-52628

HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0...

CVE-2025-52628 HCL AION is susceptible to Missing SameSite vulnerability

HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0...

CVE-2025-52628 HCL AION is susceptible to Missing SameSite vulnerability

HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0...

CVE-2025-52628

HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0...

PT-2026-5904

Name of the Vulnerable Software and Affected Versions HCL AION version 2.0 Description HCL AION is susceptible to a cookie handling issue where cookies may lack proper SameSite attributes, or have insecure or improper configurations. This can allow cookies to be transmitted in unintended cross-si...

Kimai contains a SameSite cookie vulnerability

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session...

CVE-2023-53957

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session...

CVE-2023-53957 Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session...

CVE-2023-53957

Kimai 1.30.10 is affected by a SameSite cookie vulnerability that can enable session hijacking. Attackers may lure victims into running a crafted PHP script that captures and writes session cookies to a file, enabling access to user sessions. The issue is tied to improper SameSite cookie handling...

EUVD-2025-204601

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session...

kimai 安全漏洞

kimai is a web-based multi-user time tracking application by the individual developer of kimai. A security vulnerability exists in kimai version 1.30.10, which stems from an improper implementation of the SameSite cookie and could lead to session hijacking...

PT-2025-52527

Name of the Vulnerable Software and Affected Versions Kimai version 1.30.10 Description Kimai version 1.30.10 has a SameSite cookie flaw that allows attackers to steal user session cookies. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie...