7 matches found
EUVD-2026-31340
Concrete CMS 9.5.0 and below emits a CSRF token in the localavailableupdate.php view $token-output'doupdate' but the corresponding doupdate method in concrete/controllers/singlepage/dashboard/system/update/update.php never calls $this-token-validate'doupdate'. The form is rendered as a POST form,...
SUSE CVE-2026-33252
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...
CVE-2026-33252
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...
EUVD-2026-14643
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...
CVE-2025-69241
creationtimestamp| type| source ---|---|--- 2026-03-16 12:55:00+00:00| seen| https://cert.pl/en/posts/2026/03/CVE-2025-69236/...
CVE-2020-36712
The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliformsformdeleteuploadedfile function lacking any privilege or user protections. This makes it possible for unauthenticated attackers to dele...
CVE-2019-8910
An issue was discovered in WTCMS 1.0. It allows index.php?g=admin&m=setting&a=sitepost CSRF...