30 matches found

EUVD
added 2026/05/22 9:12 p.m. · 6 views

EUVD-2026-31506

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery CSRF vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that...

7.1 CVSS · 5.9 AI score · 0.00016 EPSS
Exploits 0 · References 2
NVD
added 2026/04/17 2:16 p.m. · 2 views

CVE-2026-40458

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

7 CVSS · 0.00006 EPSS
Exploits 0 · References 2
Packet Storm News
added 2026/04/04 12:00 a.m. · 1 views

Measuring the Permission Gate: A Stress-Test Evaluation of Claude Code's Auto Mode

Claude Code's auto mode is the first deployed permission system for AI coding agents, using a two-stage transcript classifier to gate dangerous tool calls. Anthropic reports a 0.4% false positive rate and 17% false negative rate on production traffic. We present the first independent evaluation o...

5.9 AI score
Exploits 0
Positive Technologies
added 2026/03/24 12:00 a.m. · 1 views

PT-2026-27464

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions regenerate-yaml, apply-yaml-chang...

6.9 CVSS · 5.8 AI score · 0.00023 EPSS
Exploits 0 · References 5
RedhatCVE
added 2026/03/18 8:54 p.m. · 5 views

CVE-2026-27978

A CSRF check bypass flaw has been discovered in Next.js. The origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts such as sandboxed iframes could bypass origin verification instead of being validated as cross-origin...

5.3 CVSS · 5.6 AI score · 0.00009 EPSS
Exploits 1 · References 6
Vulnrichment
added 2026/02/24 3:06 p.m. · 2 views

CVE-2026-27518 Binardat 10G08-0800GSM Network Switch CSRF

Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior lack CSRF protections for state-changing actions in the administrative interface. An attacker can trick an authenticated administrator into performing unauthorized configuration changes...

5.1 CVSS · 5.9 AI score · 0.0002 EPSS
Exploits 0 · References 2
NVD
added 2026/02/03 8:15 p.m. · 2 views

CVE-2026-24434

Shenzhen Tenda AC7 firmware version V03.03.03.01cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrat...

6.5 CVSS · 0.00007 EPSS
Exploits 0 · References 2
RedhatCVE
added 2026/01/14 1:22 a.m. · 2 views

CVE-2026-0493

Due to a Cross-Site Request Forgery CSRF vulnerability in SAP Fiori App Intercompany Balance Reconciliation, an attacker could execute state-changing actions using an inappropriate request type; this deviation from expected request semantics may allow an attacker to trigger unintended actions on...

4.3 CVSS · 6.8 AI score · 0.00026 EPSS
Exploits 0 · References 1
CVE
added 2026/01/13 1:13 a.m. · 11 views

CVE-2026-0493

CVE-2026-0493 describes a Cross-Site Request Forgery in the SAP Fiori App Intercompany Balance Reconciliation. The issue could allow an attacker to trigger state-changing actions on behalf of an authenticated user by using an inappropriate request type, with low impact on integrity and no impact ...

4.3 CVSS · 6.5 AI score · 0.00026 EPSS
Exploits 0 · References 2
RedhatCVE
added 2026/01/09 12:24 p.m. · 4 views

CVE-2018-14711

Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to cause state-changing actions with specially crafted URLs...

6.5 CVSS · 6.8 AI score · 0.00137 EPSS
Exploits 1 · References 1
OSV
added 2025/10/29 5:49 p.m. · 2 views

CVE-2025-62797 CSRF in FluxCP account endpoints allows account takeover / state-changing actions

FluxCP is a web-based Control Panel for rAthena servers written in PHP. A critical Cross-Site Request Forgery CSRF vulnerability exists in the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests that are authoriz...

8.6 CVSS · 6.9 AI score · 0.00028 EPSS
Exploits 0 · References 4
Vulnrichment
added 2025/10/29 5:49 p.m. · 4 views

CVE-2025-62797 CSRF in FluxCP account endpoints allows account takeover / state-changing actions

FluxCP is a web-based Control Panel for rAthena servers written in PHP. A critical Cross-Site Request Forgery CSRF vulnerability exists in the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests that are authoriz...

8.6 CVSS · 6.5 AI score · 0.00028 EPSS
Exploits 0 · References 2
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-0057

Malicious code in bioql PyPI...

5.4 CVSS · 6.3 AI score · 0.0023 EPSS
Exploits 0 · References 7
EUVD
added 2025/10/03 8:07 p.m. · 1 views

EUVD-2023-29536

Malicious code in bioql PyPI...

8.8 CVSS · 8.6 AI score · 0.00319 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 5:26 a.m. · 3 views

CVE-2023-43508

Vulnerabilities in the web-based management interface of ClearPass Policy Manager allow an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of these vulnerabilities allows an attacker to complete...

6.5 CVSS · 7.1 AI score · 0.00102 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/05/20 11:15 p.m. · 7 views

CVE-2024-55893

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery CSRF. Additionally, state-changing actions in downstrea...

4.3 CVSS · 6.9 AI score · 0.00575 EPSS
Exploits 0 · References 1
Snyk
added 2025/02/27 7:46 a.m. · 3 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to the absence of CSRF token validation. An attacker can compromise account settings and data integrity by crafting malicious requests that can trigger state-changing operations on behalf of an...

5.4 CVSS · 6.8 AI score · 0.00273 EPSS
Exploits 0 · References 2
OSV
added 2025/02/27 7:15 a.m. · 0 views

CVE-2024-0392

A Cross-Site Request Forgery CSRF vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence of CSRF token validation. This flaw allows attackers to craft malicious requests that can trigger state-changing operations on behalf of an authenticated user,...

5.4 CVSS · 5.8 AI score · 0.00273 EPSS
Exploits 0 · References 1
Veracode
added 2025/01/21 4:13 a.m. · 7 views

Cross-Site Request Forgery (CSRF)

typo3/cms-beuser is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to improper handling of state-changing actions in downstream components, where HTTP GET submissions are incorrectly accepted instead of enforcing the appropriate HTTP method. Misconfigurations, such as...

5.4 CVSS · 7 AI score · 0.0023 EPSS
Exploits 0 · References 7 · Affected Software 1
Positive Technologies
added 2024/04/11 12:00 a.m. · 2 views

PT-2024-24418 · Leadinfo · Leadinfo

Name of the Vulnerable Software and Affected Versions: Leadinfo versions 1.0 and earlier. Description: A Cross-Site Request Forgery CSRF issue affects the software. This issue allows an attacker to perform unintended actions on a user's account. The estimated number of potentially affected devices...

4.3 CVSS · 6.7 AI score · 0.0014 EPSS
Exploits 0 · References 2