rdiffweb is vulnerable to cross-site request forgery (CSRF). The flaw is in repository and user deletion: the server accepts GET requests for deleting repositories and users, which allows an attacker to carry out a CSRF attack.
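An added example, not rdiffweb's code or its fix: a minimal WSGI delete handler in the GET-accepting form described above next to a hardened form. All names (`make_app`, `request`, the `/delete/<name>` path, the `X-CSRF-Token` header, `SESSION_TOKEN`) are hypothetical, and the token check goes beyond the method restriction this advisory is about.

```python
import hmac
from wsgiref.util import setup_testing_defaults

SESSION_TOKEN = "constructed-demo-token"  # stands in for a per-session CSRF token


def _reply(start_response, status, body, headers=()):
    start_response(status, [("Content-Type", "text/plain"), *headers])
    return [body.encode()]


def make_app(repos, hardened):
    """Build a WSGI delete handler for /delete/<name> over the set `repos`."""
    def app(environ, start_response):
        if hardened:
            # 1. State changes only via POST, so a GET that the browser issues
            #    while the user is on another site no longer deletes anything.
            if environ["REQUEST_METHOD"] != "POST":
                return _reply(start_response, "405 Method Not Allowed",
                              "use POST", [("Allow", "POST")])
            # 2. A POST can also originate cross-site, so additionally require
            #    a token another origin cannot read (constant-time compare).
            sent = environ.get("HTTP_X_CSRF_TOKEN", "")
            if not hmac.compare_digest(sent.encode(), SESSION_TOKEN.encode()):
                return _reply(start_response, "403 Forbidden", "bad CSRF token")
        # The 'before' behaviour: reached on any method when hardened=False.
        repos.discard(environ["PATH_INFO"].rsplit("/", 1)[-1])
        return _reply(start_response, "200 OK", "deleted")
    return app


def request(app, method, path, token=None):
    """Call the app in-process and return the HTTP status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path)
    if token is not None:
        environ["HTTP_X_CSRF_TOKEN"] = token
    seen = []
    list(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]


if __name__ == "__main__":
    for hardened in (False, True):
        repos = {"backup1"}  # constructed sample state
        status = request(make_app(repos, hardened), "GET", "/delete/backup1")
        print(f"hardened={hardened}: GET -> {status}, repos left: {sorted(repos)}")
```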
github.com/advisories/GHSA-cw2v-wv4g-w4p6
github.com/ikus060/rdiffweb/blob/ab2ad9a905efc7313fb0193373c21210275b6160/rdiffweb/controller/page_delete.py#L64-L81
github.com/ikus060/rdiffweb/commit/422791ea45713aaaa865bdca74addb9fffd93a71
huntr.dev/bounties/15c8fd98-7f50-4d46-b013-42710af1f99c