Skip to main content

CWE-352

Cross-Site Request Forgery (CSRF)

7688 CVEs Avg CVSS 6.6 MITRE
85
CRITICAL
3283
HIGH
4169
MEDIUM
146
LOW
2268
POC
4
KEV

Monthly

CVE-2026-20296 HIGH PATCH This Week

Cross-Site Request Forgery combined with SPL injection in Splunk Enterprise (below 10.4.1, 10.2.5, 10.0.8, 9.4.13) and Splunk Cloud Platform lets an attacker trick a logged-in user holding the list_deployment_server capability into unknowingly executing attacker-controlled Search Processing Language searches as the privileged splunk-system-user, exposing stored credentials and indexed data. The flaw stems from Deployment Server endpoints in Splunk Web accepting unvalidated GET requests without CSRF token checks and failing to neutralize caller input before it reaches an SPL search. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Splunk CSRF Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
8.3
CVE-2026-47158 HIGH PATCH This Week

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft CSRF Vaultwarden
NVD GitHub
CVSS 3.1
8.3
CVE-2026-52100 HIGH This Week

Arbitrary code execution in andreimarcu linx-server (a self-hosted file/media sharing service) versions 1.0 through 2.3.8 can be triggered by a remote attacker abusing a Cross-Site Request Forgery flaw in the uploadPutHandler function, per NVD and MITRE. Because the upload endpoint lacks anti-CSRF protection, an attacker can forge upload requests that ride an authenticated victim's session to achieve code execution. No public exploit has been identified in the provided data, though a third-party vulnerability report is referenced; the flaw is not listed in CISA KEV and no EPSS score was supplied.

CSRF RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-58476 HIGH POC This Week

Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute state-changing administrative actions when a logged-in administrator is lured to a malicious page, because administrative endpoints accept HTTP GET requests with no CSRF token or origin validation. An attacker can disable the passphrase, reboot the irrigation controller, delete watering programs, or install plugins; in the default configuration these endpoints are exposed to unauthenticated users because no passphrase is required and the default credential is 'opendoor'. Publicly available exploit code exists (ZeroScience ZSL-2026-5995), though there is no public exploit identified as being used in active campaigns.

CSRF Sip
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-52823 PHP MEDIUM PATCH GHSA This Month

Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.

PHP CSRF
NVD GitHub
CVE-2026-49992 PHP MEDIUM PATCH GHSA This Month

CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. No public exploit is currently available at time of analysis, though a PoC was submitted to the vendor and subsequently removed; the fix (moving routes to POST endpoints) shipped in version 2.58.0.

CSRF
NVD GitHub
CVE-2026-58489 MEDIUM This Month

HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.

CSRF Hedgedoc
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-61502 MEDIUM PATCH This Month

Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.

RCE CSRF Hfs
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-61956 HIGH This Week

Cross-Site Request Forgery in the Woosalam (ووسلام - همگام سازی ووکامرس و باسلام) WooCommerce-to-Basalam sync plugin for WordPress lets a remote attacker forge state-changing requests that a logged-in victim's browser executes, affecting all versions from an unspecified initial release through 1.9.1. Because the plugin fails to validate request authenticity (CWE-352), an attacker who lures an authenticated user to a malicious page can trigger high-integrity changes with no attacker authentication required (CVSS 7.1). No public exploit identified at time of analysis and the flaw is not on CISA KEV.

CSRF 8211
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57786 HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVSS 8.3
HIGH PATCH This Week

Cross-Site Request Forgery combined with SPL injection in Splunk Enterprise (below 10.4.1, 10.2.5, 10.0.8, 9.4.13) and Splunk Cloud Platform lets an attacker trick a logged-in user holding the list_deployment_server capability into unknowingly executing attacker-controlled Search Processing Language searches as the privileged splunk-system-user, exposing stored credentials and indexed data. The flaw stems from Deployment Server endpoints in Splunk Web accepting unvalidated GET requests without CSRF token checks and failing to neutralize caller input before it reaches an SPL search. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Splunk CSRF Splunk Enterprise +1
NVD
CVSS 8.3
HIGH PATCH This Week

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft CSRF Vaultwarden
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary code execution in andreimarcu linx-server (a self-hosted file/media sharing service) versions 1.0 through 2.3.8 can be triggered by a remote attacker abusing a Cross-Site Request Forgery flaw in the uploadPutHandler function, per NVD and MITRE. Because the upload endpoint lacks anti-CSRF protection, an attacker can forge upload requests that ride an authenticated victim's session to achieve code execution. No public exploit has been identified in the provided data, though a third-party vulnerability report is referenced; the flaw is not listed in CISA KEV and no EPSS score was supplied.

CSRF RCE
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC This Week

Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute state-changing administrative actions when a logged-in administrator is lured to a malicious page, because administrative endpoints accept HTTP GET requests with no CSRF token or origin validation. An attacker can disable the passphrase, reboot the irrigation controller, delete watering programs, or install plugins; in the default configuration these endpoints are exposed to unauthenticated users because no passphrase is required and the default credential is 'opendoor'. Publicly available exploit code exists (ZeroScience ZSL-2026-5995), though there is no public exploit identified as being used in active campaigns.

CSRF Sip
NVD
MEDIUM PATCH This Month

Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.

PHP CSRF
NVD GitHub
MEDIUM PATCH This Month

CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. No public exploit is currently available at time of analysis, though a PoC was submitted to the vendor and subsequently removed; the fix (moving routes to POST endpoints) shipped in version 2.58.0.

CSRF
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.

CSRF Hedgedoc
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.

RCE CSRF Hfs
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery in the Woosalam (ووسلام - همگام سازی ووکامرس و باسلام) WooCommerce-to-Basalam sync plugin for WordPress lets a remote attacker forge state-changing requests that a logged-in victim's browser executes, affecting all versions from an unspecified initial release through 1.9.1. Because the plugin fails to validate request authenticity (CWE-352), an attacker who lures an authenticated user to a malicious page can trigger high-integrity changes with no attacker authentication required (CVSS 7.1). No public exploit identified at time of analysis and the flaw is not on CISA KEV.

CSRF 8211
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy