Lucene search

60 matches found

CNNVD | added 2026/05/21 12:00 a.m. | 5 views

Concrete CMS cross-site request forgery vulnerability

Concrete CMS is an open-source content management system designed for teams. Concrete CMS 9.5.0 and earlier contain a cross-site request forgery (CSRF) vulnerability. It stems from an inverted CSRF token check in the DeleteFile controller, which could...

CVSS 4.3 | AI score 5.7 | EPSS 0.00021
Exploits: 0 | References: 1
CNNVD | added 2026/04/24 12:00 a.m. | 5 views

Axios security vulnerability

Axios is an open-source HTTP client. Versions prior to 1.15.1 and 0.31.1 contain a vulnerability in the XSRF token protection logic, which uses JavaScript truthy/falsy semantics instead of strict boolean comparisons. This leads ...

CVSS 5.4 | AI score 5.8 | EPSS 0.00048
Exploits: 1 | References: 1
ATTACKERKB | added 2026/04/09 9:27 p.m. | 1 view

CVE-2026-35634

OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket request...

CVSS 5.1 | AI score 5.9 | EPSS 0.00033
Exploits: 0 | References: 5
CVE | added 2026/03/16 11:53 a.m. | 3 views

CVE-2025-69238

Raytha CMS is affected by a cross-site request forgery (CSRF) vulnerability affecting multiple endpoints. The issue arises from missing token verification for authenticated requests, enabling a crafted website to trigger unintended actions (e.g., data deletion) when a logged-in victim visits the page...

CVSS 6.9 | AI score 5.8 | EPSS 0.0002
Exploits: 0 | References: 2 | Affected software: 1
CNNVD | added 2026/03/11 12:00 a.m. | 3 views

emlog cross-site request forgery vulnerability

Emlog is an open-source CMS website-building system based on PHP and MySQL. Emlog 2.6.6 and earlier contain a cross-site request forgery (CSRF) vulnerability. It stems from the lack of a token check in the deleteasync operation, which may lead to cross-site request forgery...

CVSS 7.3 | AI score 5.7 | EPSS 0.00021
Exploits: 1 | References: 1
OSV | added 2026/03/06 4:07 a.m. | 0 views

CVE-2026-27603 Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter missing verifyToken + checkPermissions

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both the verifyToken and checkPermissions middleware, allowing...

CVSS 8.7 | AI score 5.8 | EPSS 0.00098
Exploits: 1 | References: 4
CNNVD | added 2026/03/05 12:00 a.m. | 3 views

OpenClaw security vulnerability

OpenClaw is an open-source AI assistant. OpenClaw contains a vulnerability that stems from the use of a non-constant-time string comparison for hook token validation, which an attacker can exploit to infer the token through a timing side channel...

CVSS 8.2 | AI score 5.8 | EPSS 0.00202
Exploits: 0 | References: 3
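The OpenClaw entry names the weakness but not how it is exploited. The Go program below is an added example, not OpenClaw's code: leakyEqual is the vulnerable pattern (compare byte by byte, return at the first mismatch), constantTimeEqual is the fix via crypto/hmac.Equal, and recoverToken is an attacker that recovers the secret one symbol at a time from the side channel. Because wall-clock timing is noisy offline, each comparison returns the number of bytes it examined as a deterministic stand-in for response latency; the token, alphabet and all function names are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"fmt"
)

// leakyEqual is the vulnerable pattern: compare byte by byte and return at the
// first mismatch. The count of bytes examined is returned as a deterministic
// stand-in for response latency (constructed for this example; a real attacker
// measures round-trip time instead).
func leakyEqual(presented, secret []byte) (equal bool, work int) {
	if len(presented) != len(secret) {
		return false, 0
	}
	for i := range secret {
		work++
		if presented[i] != secret[i] {
			return false, work
		}
	}
	return true, work
}

// constantTimeEqual is the fix. hmac.Equal wraps crypto/subtle.ConstantTimeCompare,
// which touches every byte whatever the contents, so the work (and hence the
// timing) depends only on the length, not on how long the matching prefix is.
func constantTimeEqual(presented, secret []byte) (equal bool, work int) {
	if len(presented) != len(secret) {
		return false, 0
	}
	return hmac.Equal(presented, secret), len(secret)
}

// oracle is the attacker's view of one request: accepted or not, plus the timing proxy.
type oracle func(presented []byte) (accepted bool, work int)

// recoverToken drives the side channel. For each position it tries every symbol of
// the alphabet and keeps the one the server spent longest on; the final byte gives
// no extra work, so an accepted guess is preferred over a merely slow one.
func recoverToken(query oracle, length int, alphabet []byte) []byte {
	guess := make([]byte, length)
	for i := range guess {
		guess[i] = alphabet[0] // filler for the not-yet-recovered suffix
	}
	for pos := 0; pos < length; pos++ {
		best, bestScore := alphabet[0], -1
		for _, c := range alphabet {
			guess[pos] = c
			accepted, work := query(guess)
			score := 2 * work
			if accepted {
				score++
			}
			if score > bestScore {
				best, bestScore = c, score
			}
		}
		guess[pos] = best
	}
	return guess
}

// withSecret binds a comparison function to a server-side secret so the attacker
// only ever sees the oracle interface.
func withSecret(cmp func(presented, secret []byte) (bool, int), secret []byte) oracle {
	return func(presented []byte) (bool, int) { return cmp(presented, secret) }
}

func main() {
	secret := []byte("7f3a9c") // constructed hook token; the attacker knows only its length and alphabet
	alphabet := []byte("0123456789abcdef")

	leaked := recoverToken(withSecret(leakyEqual, secret), len(secret), alphabet)
	fmt.Printf("leaky comparison:         recovered %q (correct: %v)\n", leaked, string(leaked) == string(secret))

	safe := recoverToken(withSecret(constantTimeEqual, secret), len(secret), alphabet)
	fmt.Printf("constant-time comparison: recovered %q (correct: %v)\n", safe, string(safe) == string(secret))
}
```

Against the leaky comparison the attacker needs at most length × alphabet-size requests (96 here) and recovers the token exactly; against the constant-time comparison every candidate scores the same, the search degenerates to the filler symbol, and the only information left is the token length, which subtle.ConstantTimeCompare deliberately does not hide.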
Positive Technologies | added 2026/02/03 12:00 a.m. | 2 views

PT-2026-6284

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0...

CVSS 8.2 | AI score 5.4 | EPSS 0.00049
Exploits: 0 | References: 4
RedhatCVE | added 2026/01/09 9:51 a.m. | 1 view

CVE-2020-10241

An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF...

CVSS 8.8 | AI score 6.7 | EPSS 0.00351
Exploits: 0 | References: 1
EUVD | added 2025/10/07 12:30 a.m. | 1 view

EUVD-2020-2696

Malware in sbrugna...

CVSS 8.8 | AI score 8.5 | EPSS 0.00351
Exploits: 0 | References: 2
EUVD | added 2025/10/07 12:30 a.m. | 2 views

EUVD-2017-18844

Malware in sbrugna...

CVSS 6.1 | AI score 6.6 | EPSS 0.00411
Exploits: 0 | References: 4
EUVD | added 2025/10/07 12:30 a.m. | 1 view

EUVD-2020-29286

Malware in sbrugna...

CVSS 8.8 | AI score 8.4 | EPSS 0.00041
Exploits: 0 | References: 2
EUVD | added 2025/10/03 8:07 p.m. | 1 view

EUVD-2024-1895

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.5 | EPSS 0.00268
Exploits: 0 | References: 23
RedhatCVE | added 2025/05/22 4:57 p.m. | 2 views

CVE-2020-13760

In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF...

CVSS 8.8 | AI score 6.8 | EPSS 0.00008
Exploits: 0
RedhatCVE | added 2025/05/22 4:51 p.m. | 5 views

CVE-2020-8419

An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities...

CVSS 8.8 | AI score 6.9 | EPSS 0.00041
Exploits: 0 | References: 1
OSV | added 2025/04/03 2:11 p.m. | 4 views

BIT-JOOMLA-2020-8419

An issue was discovered in Joomla! before 3.9.15. Missing token checks in the batch actions of various components cause CSRF vulnerabilities...

CVSS 8.8 | AI score 7.2 | EPSS 0.00041
Exploits: 0 | References: 2
OSV | added 2025/04/03 2:10 p.m. | 3 views

BIT-JOOMLA-2020-13760

In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF...

CVSS 8.8 | AI score 7 | EPSS 0.00008
Exploits: 0 | References: 2
OSV | added 2025/04/03 2:09 p.m. | 2 views

BIT-JOOMLA-2020-10241

An issue was discovered in Joomla! before 3.9.16. Missing token checks in the image actions of com_templates lead to CSRF...

CVSS 8.8 | AI score 9.6 | EPSS 0.00351
Exploits: 0 | References: 2
CNNVD | added 2024/11/07 12:00 a.m. | 1 view

Moodle security vulnerability

Moodle is an open-source e-learning software platform, also known as a course management system, learning management system or virtual learning environment. Moodle contains a cross-site request forgery (CSRF) vulnerability that stems from incorrect CSRF token checks in...

CVSS 8.1 | AI score 6.9 | EPSS 0.00522
Exploits: 0 | References: 2
Microsoft CVE | added 2024/09/11 7:00 a.m. | 1 view

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

...

CVSS 7.5 | AI score 7 | EPSS 0.00072
Exploits: 0
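The jwt-go entry states the mechanism in one sentence: the aud claim is type-asserted to string, the assertion fails for an array, and the zero value "" is what gets checked. The Go program below is an added example reconstructing that pattern, not jwt-go's code: verifyAudLenient discards the ok result of the assertion, so an array-valued aud collapses to "" and is accepted whenever the audience is not marked required; verifyAudStrict distinguishes an absent claim from a present-but-unexpected one, accepts both forms RFC 7519 permits (a string or an array of strings, including the []interface{} that encoding/json produces), and rejects anything else. The function names, the required flag and the sample payload are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// verifyAudLenient reproduces the vulnerable pattern (illustrative reimplementation,
// not the library's code): the ok result of the type assertion is thrown away, so a
// JSON array in aud yields "", and an "empty" audience passes whenever the caller
// did not mark the claim as required.
func verifyAudLenient(claims map[string]interface{}, expected string, required bool) bool {
	aud, _ := claims["aud"].(string) // fails for []string{} or []interface{}; aud becomes ""
	if aud == "" {
		return !required
	}
	return aud == expected
}

// verifyAudStrict is the hardened form: "claim absent" and "claim present but not a
// string" are different cases, both spec-allowed shapes are handled, and any other
// type is rejected instead of being treated as absent.
func verifyAudStrict(claims map[string]interface{}, expected string, required bool) bool {
	raw, present := claims["aud"]
	if !present {
		return !required
	}
	var audiences []string
	switch v := raw.(type) {
	case string:
		audiences = []string{v}
	case []string:
		audiences = v
	case []interface{}: // what encoding/json produces for a JSON array
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return false
			}
			audiences = append(audiences, s)
		}
	default:
		return false
	}
	for _, a := range audiences {
		if a == expected {
			return true
		}
	}
	return false
}

// parseClaims decodes an already base64-decoded JWT payload into the map form
// both verifiers take; signature verification is out of scope for this example.
func parseClaims(payload string) (map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	return m, nil
}

func main() {
	// Constructed payload: a token minted for billing-api, presented to admin-api.
	claims, err := parseClaims(`{"sub":"alice","aud":["billing-api"]}`)
	if err != nil {
		panic(err)
	}
	fmt.Println("lenient, wrong service:  ", verifyAudLenient(claims, "admin-api", false)) // true: bypass
	fmt.Println("strict, wrong service:   ", verifyAudStrict(claims, "admin-api", false))  // false
	fmt.Println("strict, correct service: ", verifyAudStrict(claims, "billing-api", true)) // true
}
```

The bypass needs two conditions that the entry also names: the token carries aud as an array rather than a string, and the verifying service does not insist on the claim (required is false) or performs no audience check of its own. The strict verifier closes it by never letting a type mismatch masquerade as "no audience".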