Skip to main content

CWE-352

Cross-Site Request Forgery (CSRF)

7692 CVEs Avg CVSS 6.6 MITRE
86
CRITICAL
3284
HIGH
4171
MEDIUM
146
LOW
2269
POC
4
KEV

Monthly

CVE-2026-15005 HIGH This Week

Remote code execution in the Loco Translate WordPress plugin (all versions up to and including 2.8.5) is reachable through a Cross-Site Request Forgery flaw in the execTemplate function, where missing nonce validation lets an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link supply a php://filter stream wrapper as the 'template' parameter, bypassing path validation and reaching a PHP include sink to execute arbitrary code. The chain converts a classic CSRF (CWE-352) into full server compromise, carrying CVSS 8.8 (C:H/I:H/A:H). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

CSRF PHP WordPress Loco Translate
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-11866 MEDIUM POC PATCH This Month

Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.

CSRF WordPress Appointment Booking Plugin
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-12409 MEDIUM This Month

Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified; EPSS data was not provided in available intelligence.

CSRF WordPress Landing Page Builder Coming Soon Page Maintenance Mode Lead Page Wordpress Landing Pages
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-20296 HIGH PATCH This Week

Cross-Site Request Forgery combined with SPL injection in Splunk Enterprise (below 10.4.1, 10.2.5, 10.0.8, 9.4.13) and Splunk Cloud Platform lets an attacker trick a logged-in user holding the list_deployment_server capability into unknowingly executing attacker-controlled Search Processing Language searches as the privileged splunk-system-user, exposing stored credentials and indexed data. The flaw stems from Deployment Server endpoints in Splunk Web accepting unvalidated GET requests without CSRF token checks and failing to neutralize caller input before it reaches an SPL search. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Splunk CSRF Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-47158 HIGH PATCH This Week

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft CSRF Vaultwarden
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-26718 CRITICAL Act Now

Cross-Site Request Forgery in the xxl-job-admin console of XXL-JOB v3.0.0 lets remote attackers silently modify Glue IDE shell scripts by tricking an authenticated administrator into triggering a forged request. Because Glue scripts are executed by the scheduler's worker nodes, unauthorized script modification can escalate into arbitrary command execution across the job-execution fabric. Publicly available exploit/PoC code appears to exist via a CVE-specific GitHub repository; there is no CISA KEV listing and EPSS is low (0.27%, 18th percentile).

CSRF N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-52100 HIGH This Week

Arbitrary code execution in andreimarcu linx-server (a self-hosted file/media sharing service) versions 1.0 through 2.3.8 can be triggered by a remote attacker abusing a Cross-Site Request Forgery flaw in the uploadPutHandler function, per NVD and MITRE. Because the upload endpoint lacks anti-CSRF protection, an attacker can forge upload requests that ride an authenticated victim's session to achieve code execution. No public exploit has been identified in the provided data, though a third-party vulnerability report is referenced; the flaw is not listed in CISA KEV and no EPSS score was supplied.

CSRF RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-58476 HIGH POC This Week

Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute state-changing administrative actions when a logged-in administrator is lured to a malicious page, because administrative endpoints accept HTTP GET requests with no CSRF token or origin validation. An attacker can disable the passphrase, reboot the irrigation controller, delete watering programs, or install plugins; in the default configuration these endpoints are exposed to unauthenticated users because no passphrase is required and the default credential is 'opendoor'. Publicly available exploit code exists (ZeroScience ZSL-2026-5995), though there is no public exploit identified as being used in active campaigns.

CSRF Sip
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-52823 PHP MEDIUM PATCH GHSA This Month

Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.

PHP CSRF
NVD GitHub
CVE-2026-49992 PHP MEDIUM PATCH GHSA This Month

CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. No public exploit is currently available at time of analysis, though a PoC was submitted to the vendor and subsequently removed; the fix (moving routes to POST endpoints) shipped in version 2.58.0.

CSRF
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Loco Translate WordPress plugin (all versions up to and including 2.8.5) is reachable through a Cross-Site Request Forgery flaw in the execTemplate function, where missing nonce validation lets an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link supply a php://filter stream wrapper as the 'template' parameter, bypassing path validation and reaching a PHP include sink to execute arbitrary code. The chain converts a classic CSRF (CWE-352) into full server compromise, carrying CVSS 8.8 (C:H/I:H/A:H). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

CSRF PHP WordPress +1
NVD
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.

CSRF WordPress Appointment Booking Plugin
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified; EPSS data was not provided in available intelligence.

CSRF WordPress Landing Page Builder Coming Soon Page Maintenance Mode Lead Page Wordpress Landing Pages
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-Site Request Forgery combined with SPL injection in Splunk Enterprise (below 10.4.1, 10.2.5, 10.0.8, 9.4.13) and Splunk Cloud Platform lets an attacker trick a logged-in user holding the list_deployment_server capability into unknowingly executing attacker-controlled Search Processing Language searches as the privileged splunk-system-user, exposing stored credentials and indexed data. The flaw stems from Deployment Server endpoints in Splunk Web accepting unvalidated GET requests without CSRF token checks and failing to neutralize caller input before it reaches an SPL search. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Splunk CSRF Splunk Enterprise +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft CSRF Vaultwarden
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Cross-Site Request Forgery in the xxl-job-admin console of XXL-JOB v3.0.0 lets remote attackers silently modify Glue IDE shell scripts by tricking an authenticated administrator into triggering a forged request. Because Glue scripts are executed by the scheduler's worker nodes, unauthorized script modification can escalate into arbitrary command execution across the job-execution fabric. Publicly available exploit/PoC code appears to exist via a CVE-specific GitHub repository; there is no CISA KEV listing and EPSS is low (0.27%, 18th percentile).

CSRF N A
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary code execution in andreimarcu linx-server (a self-hosted file/media sharing service) versions 1.0 through 2.3.8 can be triggered by a remote attacker abusing a Cross-Site Request Forgery flaw in the uploadPutHandler function, per NVD and MITRE. Because the upload endpoint lacks anti-CSRF protection, an attacker can forge upload requests that ride an authenticated victim's session to achieve code execution. No public exploit has been identified in the provided data, though a third-party vulnerability report is referenced; the flaw is not listed in CISA KEV and no EPSS score was supplied.

CSRF RCE
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC This Week

Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute state-changing administrative actions when a logged-in administrator is lured to a malicious page, because administrative endpoints accept HTTP GET requests with no CSRF token or origin validation. An attacker can disable the passphrase, reboot the irrigation controller, delete watering programs, or install plugins; in the default configuration these endpoints are exposed to unauthenticated users because no passphrase is required and the default credential is 'opendoor'. Publicly available exploit code exists (ZeroScience ZSL-2026-5995), though there is no public exploit identified as being used in active campaigns.

CSRF Sip
NVD
MEDIUM PATCH This Month

Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.

PHP CSRF
NVD GitHub
MEDIUM PATCH This Month

CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. No public exploit is currently available at time of analysis, though a PoC was submitted to the vendor and subsequently removed; the fix (moving routes to POST endpoints) shipped in version 2.58.0.

CSRF
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy