Skip to main content

CSRF

8437 CVEs technique

Monthly

CVE-2026-54498 Ruby HIGH POC PATCH This Week

Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.

CSRF XSS
NVD GitHub
CVSS 3.1
8.7
CVE-2026-54458 PHP CRITICAL Act Now

Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.

PHP CSRF XSS Avideo
NVD GitHub
CVSS 3.1
9.6
CVE-2026-20296 HIGH PATCH This Week

Cross-Site Request Forgery combined with SPL injection in Splunk Enterprise (below 10.4.1, 10.2.5, 10.0.8, 9.4.13) and Splunk Cloud Platform lets an attacker trick a logged-in user holding the list_deployment_server capability into unknowingly executing attacker-controlled Search Processing Language searches as the privileged splunk-system-user, exposing stored credentials and indexed data. The flaw stems from Deployment Server endpoints in Splunk Web accepting unvalidated GET requests without CSRF token checks and failing to neutralize caller input before it reaches an SPL search. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Splunk CSRF Splunk Enterprise Splunk Cloud Platform
NVD
CVSS 3.1
8.3
CVE-2026-47158 HIGH PATCH This Week

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft CSRF Vaultwarden
NVD GitHub
CVSS 3.1
8.3
CVE-2026-26718 Awaiting Data

A Cross-Site Request Forgery (CSRF) vulnerability exists in the xxl-job-admin web application v.3.0.0 that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods via a permissive request mapping

CSRF N A
NVD GitHub
CVE-2026-52100 HIGH This Week

Arbitrary code execution in andreimarcu linx-server (a self-hosted file/media sharing service) versions 1.0 through 2.3.8 can be triggered by a remote attacker abusing a Cross-Site Request Forgery flaw in the uploadPutHandler function, per NVD and MITRE. Because the upload endpoint lacks anti-CSRF protection, an attacker can forge upload requests that ride an authenticated victim's session to achieve code execution. No public exploit has been identified in the provided data, though a third-party vulnerability report is referenced; the flaw is not listed in CISA KEV and no EPSS score was supplied.

CSRF RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-55513 Go MEDIUM POC PATCH GHSA This Month

The `nebula-mgmt` Web UI host-creation path ignores both the server-wide `enrollment_token_ttl` security setting and per-network `network_config.enrollment_token_ttl` overrides. API host creation and token-regeneration paths use the configured TTL resolver, but `POST /ui/hosts` hardcodes `now.Add(24 * time.Hour)` for newly minted agent enrollment tokens. In deployments that intentionally reduce enrollment-token lifetime, any authenticated operator who can create a host through the Web UI can still mint a bearer enrollment token valid for about 24 hours. Enrollment tokens are bearer credentials for the public `POST /api/v1/enroll` endpoint: possession of a valid token allows enrolling the pending host and receiving a signed Nebula certificate/config for that host. The server configuration documents a security knob for their default lifetime and per-network overrides: - `internal/config/server.go:82` defines `EnrollmentTokenTTL` as the default lifetime for freshly minted enrollment tokens. - `internal/config/server.go:83` documents per-network overrides in `network_config` under `enrollment_token_ttl`. The API server implements and consistently uses this resolver: - `internal/api/server.go:77` defines `tokenTTLFor`, with precedence of per-network `enrollment_token_ttl`, then server default, then 24h fallback. - `internal/api/server.go:82` reads `network_config.enrollment_token_ttl`. - `internal/api/server.go:89` falls back to the configured server default. - `internal/api/hosts.go:190` through `internal/api/hosts.go:196` use `now.Add(s.tokenTTLFor(r.Context(), host.NetworkID))` for API host creation. The Web UI sibling path does not call the resolver and instead always sets a 24-hour expiry: - `internal/web/handlers.go:874` mints the raw token for `POST /ui/hosts`. - `internal/web/handlers.go:879` sets `ExpiresAt: now.Add(24 * time.Hour)`. This creates inconsistent behavior between API and Web UI host creation and bypasses an operator-configured token lifetime policy. The issue is reachable by an authenticated Web UI operator who can create hosts. Admins can create hosts in any network; non-admin operators can create hosts in networks whose CA they own. Affected version evidence: the configurable enrollment-token TTL feature was introduced by commit `6c344a6` (`feat(api): configurable enrollment-token TTL + regenerate endpoint (#75) (#79)`), and `git tag --contains 6c344a6 --sort=version:refname` returns `v0.3.0` through `v0.3.8`. Pattern checks across all release tags showed the TTL config/API resolver and the Web UI 24-hour hardcode are present in every `v0.3.x` release from `v0.3.0` to `v0.3.8`, and are not meaningfully applicable to `v0.1.x`/`v0.2.0` because the TTL policy knob was not present there. The current checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` (`git describe`: `v0.3.8-1-gd92dd9a`) remains affected. Safe local PoC run from a clean checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` on 2026-06-12. The PoC is a temporary Go test that uses only in-memory SQLite and `httptest`; it does not start a real server and does not contact external services. 1. Create a temporary test file `internal/web/security_audit_poc_test.go` in package `web`. 2. In the test, create an in-memory Web UI with `newTestWeb(t)`, create a network `audit-poc-net` with CIDR `10.77.0.0/24`, and set `network_config.enrollment_token_ttl` to `30m`. 3. Log in as the seeded test admin through the normal Web UI helper and obtain a CSRF token from `GET /ui/hosts/new`. 4. Submit `POST /ui/hosts` with `network_id=audit-poc-net`, `name=audit-poc-host`, `nebula_ips=10.77.0.10`, `role=host`, and `kind=agent`. 5. Parse the one-shot enrollment token from the returned host-detail page and read the token row with `GetEnrollmentToken`. 6. Compare the observed expiry to the configured 30-minute network override. Command run: ```bash go test ./internal/web -run 'TestSecurityAuditPOC' -count=1 -v ``` Observed vulnerable output from this environment: ```text === RUN TestSecurityAuditPOC_UIHostCreateIgnoresNetworkEnrollmentTokenTTL POC_UI_TTL_BYPASS observed_token_ttl=24h0m0s configured_network_ttl=30m expires_at=2026-06-13T14:51:45Z --- PASS: TestSecurityAuditPOC_UIHostCreateIgnoresNetworkEnrollmentTokenTTL (0.05s) ``` The meaningful control is the API sibling: `internal/api/hosts.go:190` through `internal/api/hosts.go:196` uses `s.tokenTTLFor(...)`, and existing tests in `internal/api/hosts_token_ttl_test.go` verify API-created/regenerated enrollment tokens honor server-default and per-network TTLs. Variant review also found API regenerate-token, API re-enroll, and signed-poll rekey token minting use the resolver rather than a hardcoded 24h value. After recording the output, the temporary test file was removed and `git status --short` returned clean. The PoC was re-run after drafting this report and produced the output shown above. An authenticated Web UI operator can bypass a configured enrollment-token lifetime policy and obtain a token valid for approximately 24 hours even when the deployment or network is configured for a much shorter lifetime such as 30 minutes. Because enrollment tokens are bearer credentials for the public enrollment endpoint, longer-than-intended validity increases the window in which a copied, logged, shared, or otherwise exposed token can be used to enroll the pending host and obtain its Nebula certificate/config. This weakens confidentiality and integrity for deployments relying on short token lifetimes to reduce enrollment-token exposure. Suggested remediation: refactor the Web UI host-creation path to use the same TTL resolution as the API path, or move the resolver into a shared package/service used by both API and Web UI. Add a regression test under `internal/web` that sets `network_config.enrollment_token_ttl = "30m"`, creates an agent host through `POST /ui/hosts`, and asserts the persisted enrollment token expires within the configured 30-minute window rather than 24 hours.

CSRF
NVD GitHub
CVSS 3.1
5.4
CVE-2026-54087 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.

XSS Privilege Escalation PHP CSRF RCE
NVD GitHub
CVSS 3.1
7.6
CVE-2026-45710 PHP LOW GHSA Monitor

{ $items = []; foreach ($this->variantes() as $item) { $match = $item->{$this->match}; $description = Tools::textBreak($item->description(), 300); ... $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' ... ``` `$this->match` defaults to `'referencia'` (`WidgetVariante::__construct`, line 42). `$item->referencia` was sanitised at write time by `Variante::test()` (`Core/Model/Variante.php:392`) which calls `Tools::noHtml($this->referencia)`. `Tools::noHtml` (`Core/Tools.php:499-504`) replaces `'`, `"`, `<`, `>` with `&#39;`, `&quot;`, `&lt;`, `&gt;`. The defender therefore expects that any apostrophe a user typed becomes `&#39;` in the database, which renders inside the `onclick` attribute as `&#39;` and cannot break out of the surrounding `'...'` JS string literal. `Core/Lib/Widget/WidgetSubcuenta.php:290-305` has the identical shape: ```php foreach ($this->subcuentas() as $item) { $match = $item->{$this->match}; ... $items[] = '<tr class="clickableRow" onclick="widgetSubaccountSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' . '<a href="' . $item->url() . '" target="_blank" onclick="event.stopPropagation();">' ... ``` `$this->match` defaults to `'codsubcuenta'`; the value is `Tools::noHtml`-encoded by `Subcuenta::test()` (`Core/Model/Subcuenta.php:213`). Per the HTML5 spec (and what every browser actually does), the value of an HTML attribute is processed by the **character reference state** of the tokenizer before any consumer sees it. By the time the `onclick` attribute value reaches the script engine, the bytes inside are the *decoded* string. Concretely, the HTML the browser receives is: ```html <tr onclick="widgetVarianteSelect('id', '1&#39;,alert(1),&#39;2');"> ``` After the tokenizer decodes `&#39;` to `'`, the JavaScript fragment passed to the script engine is: ```javascript widgetVarianteSelect('id', '1',alert(1),'2'); ``` `alert(1)` runs as a third positional argument that JavaScript happily evaluates while building the call. The `widgetVarianteSelect` function ends up being called with four arguments and the side-effect of `alert(1)` (or any payload) has already occurred. The recent `40bc701` AccountingModalHTML and `8586b97` SalesModalHTML / PurchasesModalHTML fix recognised this. Both replaced the `onclick="...('"+ value +"')"` pattern with: ```php $tbody .= '<tr ... data-subaccount="' . $code . '" onclick="$(...).modal(\'hide\');' . ' return newLineAction(this.dataset.subaccount);">' ``` Where `$code = static::html($subaccount->codsubcuenta)` and `static::html` is `htmlspecialchars(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML5 entity decode is deliberate: it normalises any double-encoded data so that the subsequent `htmlspecialchars` produces stable single-encoded output. The JavaScript then reads the value from `this.dataset.*`, which is the post-decoded attribute value, where the original quote is now literally inside a string property and cannot break out of any quote context. `WidgetSubcuenta` and `WidgetVariante` were not migrated to this pattern. `Variante::test()` (`Core/Model/Variante.php:389-401`) accepts up to 30 characters in `referencia`. The minimum payload is 13 bytes (`1',alert(1),'2`), comfortably under the limit. The `Tools::noHtml` pass during `test()` produces the stored form `1&#39;,alert(1),&#39;2`, which is 22 bytes. Three plant primitives are practical: 1. **Direct create** via `EditProducto?action=save` with the attacker-controlled `referencia` field. Because `EditProducto` is exposed to any user with the `EditProducto` permission (which roles like *sales agent* and *warehouse manager* commonly carry), this is a within-tenant primitive: a low-privilege salesperson plants the payload, an admin opens any sales document and clicks the variant picker. 2. **DB write** by anyone with raw SQL access (DBA or shared-hosting admin). `INSERT INTO variantes (referencia, ...) VALUES ('1\',alert(1),\'2', ...)`. This is what I used for the live test; the plant is permanent until the row is deleted. 3. **Plugin / API import.** `ApiAttachedFiles` and the various import endpoints allow a low-privilege API key to land arbitrary `referencia` values that bypass the `EditProducto` `permissions->onlyOwnerData` filter. For `WidgetSubcuenta`, the `codsubcuenta` field is constrained to the exercise's `longsubcuenta` length (10 by default), and the regex-free `Tools::noHtml` pass turns one apostrophe into 5 bytes (`&#39;`), so the post-noHtml string must equal the configured length exactly. A 5-byte payload (`1','` is 4) plus padding is workable for compact bypass payloads such as `'+x+'` (where `x` is a previously-loaded global). DB-write planting (primitive 2) bypasses the length check entirely. The fix wave centred on the `Lib/AjaxForms/*ModalHTML.php` files. Both audited widgets live in `Lib/Widget/` and look superficially safe to a reviewer because every value is `Tools::noHtml`-escaped at storage. The actual decoding step happens inside the browser, not the PHP code, so the defect is not visible in a `grep`-based review of the PHP source unless the reviewer specifically looks for `onclick="...('+ $field +')'` shapes that put a `Tools::noHtml`-escaped value in a JavaScript string position inside an HTML attribute. > **Live PoC verified 2026-05-01** against `http://127.0.0.1:8081/` running facturascripts at commit `24281ca`. A `Variante.referencia` value of `1',alert(1),'2` (planted via raw DB write below) renders inside `widgetVarianteSelect('0', '1&#39;,alert(1),&#39;2');` in the modal grid; opening the variant-picker modal in any user's browser (low-priv or admin) fires `alert(1)` from the host page's realm. Setup: the admin session at `http://127.0.0.1:8081/` is at `/tmp/fs-cookie2`. Step 1 - plant the payload (any of the three primitives works). DB-write primitive: ```bash mysql -h127.0.0.1 -ufs -pfs facturascripts <<'SQL' INSERT INTO productos (referencia, descripcion, codimpuesto, sevende, secompra, bloqueado, nostock, publico, stockfis, ventasinstock, observaciones) VALUES ('XSSPRD', 'XSS via WidgetVariante', 'IVA21', 1, 1, 0, 1, 0, 0, 1, ''); INSERT INTO variantes (referencia, idproducto, precio, coste, margen, stockfis, codbarras) SELECT "1',alert('XSS-WidgetVariante'),'2", idproducto, 0, 0, 0, 0, '' FROM productos WHERE referencia='XSSPRD'; SQL ``` After the insert, `Variante::test()` did not run (the row was created via SQL), so the literal `'` survives. Even via the EditProducto UI primitive, the round trip through `Tools::noHtml` produces the encoded form `1&#39;,alert(...),&#39;2` which decodes back to the working payload at render time. Step 2 - open any controller that uses WidgetVariante with the default `match` (or any third-party plugin form that does so). Core ships two views (`Core/XMLView/EditAgente.xml`, `Core/XMLView/ListAgente.xml`) but both override `match="idproducto"`, so they are not exposed in stock core. Any plugin form that uses `<widget type="variante" .../>` without an explicit `match` attribute opts into the vulnerable code path. Trigger the variant-picker modal: ```bash $ curl -s -b /tmp/fs-cookie2 "http://127.0.0.1:8081/EditAgente?code=1" \ | grep -oE 'widgetVarianteSelect[^<>]{1,200}' | head -3 ``` When the modal renders `match=referencia`, the row in the response contains: ```html <tr class="clickableRow" onclick="widgetVarianteSelect('0', '1&#39;,alert(&#39;XSS-WidgetVariante&#39;),&#39;2');"> ``` The browser HTML-decodes the attribute value before passing it to the script engine, yielding the actual JavaScript `widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');`. The `alert` fires the moment the attribute is parsed for execution (i.e., when the user clicks the row, or when an automation script triggers the click programmatically), and the host realm's session, cookies, and CSRF tokens are exposed to the payload. For `WidgetSubcuenta`, the payload trigger is identical: any controller with `<widget type="subcuenta" fieldname="codsubcuentaXxx"/>` (`Core/XMLView/EditProducto.xml`, `EditCuentaBanco.xml`, `EditFamilia.xml`, `EditImpuesto.xml`, `EditRetencion.xml` are the in-tree consumers) renders the modal with `widgetSubaccountSelect('id', '<HTML-decoded codsubcuenta>')`. A `codsubcuenta` row planted with one apostrophe and five bytes of payload escapes the JS string and runs in the host page. * **Stored XSS in any user's browser the moment they open a product or subaccount picker.** The execution context is the host page, with full access to the viewer's session, CSRF tokens, and the running application. From an admin viewer's perspective the payload achieves admin compromise (install plugins, change passwords); from a normal user's perspective it can be used to exfiltrate the user's data and pivot. * **Within-tenant escalation primitive.** `EditProducto` is a routinely granted role permission. A salesperson, warehouse user, or a plugin-supplied controller without `admin` rights can plant a payload that fires in admin's browser the next time admin opens any sales document and clicks the variant picker. * **Sister vulnerability to the `40bc701` / `8586b97` fix wave.** The maintainers already understand and have fixed the same anti-pattern in three sister classes; these two were missed and remain exploitable. CVSS reasoning: `AV:N`, `AC:L` (one DB or one form POST plant), `PR:H` (the planter must be authenticated and have either `EditProducto` or DB write or import-API access; with weaker roles the payload is also reachable), `UI:R` (the victim opens a form that renders the modal and triggers a click), `S:U` (the impact stays within the application), `C:L I:L A:N` (the viewer's session and CSRF token are exposed; integrity loss bounded by viewer's role). Score 4.8. Mirror the `40bc701` and `8586b97` fix exactly. In both `Core/Lib/Widget/WidgetVariante.php:321` and `Core/Lib/Widget/WidgetSubcuenta.php:296`, replace: ```php $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' ``` with the data-attribute pattern that the modal helpers now use: ```php $encMatch = htmlspecialchars( html_entity_decode((string)$match, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); $items[] = '<tr class="clickableRow" data-match="' . $encMatch . '"' . ' onclick="widgetVarianteSelect(\'' . $this->id . '\', this.dataset.match);">' ``` (and the analogous change for `widgetSubaccountSelect`). The same approach should be applied to: * `WidgetSubcuenta::renderExerciseFilter` (`Core/Lib/Widget/WidgetSubcuenta.php:251-255`) where `$item->codejercicio` is interpolated into `<option value="...">`. Codes are short and predictable but the same escaping consideration applies for defence in depth. * `WidgetVariante::renderManufacturerFilter` (line 213) and `renderFamilyFilter` (line 197). Long term, the `BaseWidget::onclickHtml` and `inputHtml` builders (`Core/Lib/Widget/BaseWidget.php:163-167`, `234-239`, `273-283`) likewise concatenate `$this->value` into HTML attributes without context-aware escaping. Migrating them to use Twig (or at least `htmlspecialchars` with `ENT_QUOTES`) closes a class of bugs that today rely on every model's `test()` to be defensive. A regression test should plant a `Variante.referencia` of `1',alert(1),'2`, render the page through the live HTTP stack, and assert that no JavaScript dialog fires (e.g. via Playwright `page.on('dialog', ...)`).

PHP CSRF XSS
NVD GitHub
CVSS 3.1
3.5
CVE-2026-45263 PHP HIGH GHSA This Week

Stored CSV formula injection in FacturaScripts (all versions through 2026.1) lets an authenticated low-privilege user plant spreadsheet formula payloads in ordinary text fields (customer/supplier/product names, contacts) that execute when an administrator opens a routine list export. Because Core/Lib/Export/CSVExport.php::writeData() wraps values without neutralising leading =,+,-,@,tab, or carriage-return characters, and Tools::noHtml() only strips HTML metacharacters, the payload reaches the CSV verbatim and Excel/LibreOffice run it (including DDE process spawning) in the admin's OS context. A live PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no active exploitation confirmed (not in CISA KEV).

PHP CSRF Microsoft Canonical RCE
NVD GitHub
CVSS 3.1
8.0
CVE-2026-45262 PHP CRITICAL GHSA Act Now

Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).

Oracle SQLi PHP CSRF RCE
NVD GitHub
CVSS 3.1
9.9
CVE-2026-15747 CRITICAL PATCH Act Now

CSRF token disclosure in the Perl Mojolicious web framework (versions 4.59 up to but not including 9.48) allows a network attacker to recover a victim's session CSRF token via a BREACH compression side channel and then bypass csrf_protect validation. Because _csrf_token cached and returned one stable per-session value that _csrf_field embedded in every response, an attacker who could inject reflected input into a gzip-compressed page could iteratively guess the token by observing compressed response lengths. There is no public exploit identified at time of analysis, EPSS is low (0.15%), and it is not in CISA KEV, but SSVC rates technical impact as total and automatable as yes.

CSRF Oracle Mojolicious
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-58479 CRITICAL POC Act Now

Remote command injection in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets unauthenticated or CSRF-driven attackers store a malicious payload via the optional cli_control plugin's HTTP endpoint and execute arbitrary OS commands on the host when the linked irrigation station is activated. Because the plugin ships with no passphrase protection or the well-known default passphrase 'opendoor', exploitation is trivial on default installs. Publicly available exploit code exists (ZeroScience/VulnCheck), though the flaw is not listed in CISA KEV, and the CVSS 4.0 base score is 9.2 (Critical).

CSRF Command Injection Sip
NVD
CVSS 4.0
9.2
EPSS
5.2%
CVE-2026-58477 HIGH POC This Week

Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated attackers overwrite sensitive settings - including the passphrase and listening port - by injecting arbitrary parameter names into HTTP requests. Because the application binds request parameters directly to internal configuration objects without an allow-list, the same effect can be triggered blindly through cross-site request forgery against an authenticated operator's browser. Publicly available exploit code exists (ZeroScience ZSL-2026-5997), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

CSRF Sip
NVD
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-58476 HIGH POC This Week

Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute state-changing administrative actions when a logged-in administrator is lured to a malicious page, because administrative endpoints accept HTTP GET requests with no CSRF token or origin validation. An attacker can disable the passphrase, reboot the irrigation controller, delete watering programs, or install plugins; in the default configuration these endpoints are exposed to unauthenticated users because no passphrase is required and the default credential is 'opendoor'. Publicly available exploit code exists (ZeroScience ZSL-2026-5995), though there is no public exploit identified as being used in active campaigns.

CSRF Sip
NVD
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-11563 CRITICAL POC Act Now

Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.

PHP CSRF WordPress Word Count And Social Shares
NVD WPScan
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-52827 PHP HIGH PATCH GHSA This Week

Two-factor authentication bypass in Kimai (open-source time-tracking) before 2.59.0 lets an attacker with only a victim's password reach every authenticated REST API endpoint without completing TOTP. The KIMAI_SESSION cookie returned by the password-only login response - issued before the 2FA step - is already treated as authenticated by /api/*, so it can be replayed to act fully as the user while the browser is still pinned to the 2FA screen. No public exploit identified at time of analysis (a PoC existed but was redacted by the reporter); not listed in CISA KEV.

Authentication Bypass CSRF
NVD GitHub
CVE-2026-52824 PHP CRITICAL PATCH GHSA Act Now

Account takeover in Kimai (<= 2.57.0) stems from the official Docker image shipping a hard-coded default APP_SECRET ('change_this_to_something_unique') that Symfony consumes as kernel.secret. Because this HMAC signing key is publicly known and the entrypoint never rotates or validates it, a remote unauthenticated attacker can forge remember-me cookies, LoginLink signatures, password-reset URLs and CSRF tokens to log in as any user, including the id=1 super_admin. No public exploit is identified at time of analysis (a PoC existed but was withheld), and no CVSS/EPSS/KEV data was provided, so the scoring below is independently assessed.

CSRF Docker
NVD GitHub
CVE-2026-52823 PHP MEDIUM PATCH GHSA This Month

Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.

PHP CSRF
NVD GitHub
CVE-2026-49992 PHP MEDIUM PATCH GHSA This Month

CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. No public exploit is currently available at time of analysis, though a PoC was submitted to the vendor and subsequently removed; the fix (moving routes to POST endpoints) shipped in version 2.58.0.

CSRF
NVD GitHub
CVE-2026-47677 PHP CRITICAL POC PATCH GHSA Act Now

Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.

PHP Python Authentication Bypass CSRF
NVD GitHub
CVE-2026-58489 MEDIUM This Month

HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.

CSRF Hedgedoc
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-49971 MEDIUM PATCH This Month

Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. No public exploit has been identified at time of analysis, but the attack requires no special privileges and the technique is well-understood; the vendor has classified this as a security release and strongly recommends immediate upgrade to 7.0.0.

XSS CSRF Laravel Mediable
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-61502 MEDIUM PATCH This Month

Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.

RCE CSRF Hfs
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2024-27091 PyPI MEDIUM PATCH GHSA This Month

An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

CSRF XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.4%
CVE-2026-61956 HIGH This Week

Cross-Site Request Forgery in the Woosalam (ووسلام - همگام سازی ووکامرس و باسلام) WooCommerce-to-Basalam sync plugin for WordPress lets a remote attacker forge state-changing requests that a logged-in victim's browser executes, affecting all versions from an unspecified initial release through 1.9.1. Because the plugin fails to validate request authenticity (CWE-352), an attacker who lures an authenticated user to a malicious page can trigger high-integrity changes with no attacker authentication required (CVSS 7.1). No public exploit identified at time of analysis and the flaw is not on CISA KEV.

CSRF 8211
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57786 HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-15080 PHP MEDIUM PATCH This Month

Cross-Site Request Forgery in the Drupal Ray Enterprise Translation contrib module lets a remote attacker forge state-changing requests that are executed with the privileges of an authenticated victim (typically a site administrator), potentially altering translation configuration and integrations. It affects module versions below 4.0.4, below 4.1.4, and below 11.0.4, and carries a vendor CVSS of 8.8. No public exploit has been identified at time of analysis and the EPSS score is very low (0.12%, 2nd percentile), indicating no observed exploitation activity.

CSRF Ray Enterprise Translation
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-13243 PHP MEDIUM PATCH This Month

Cross-Site Request Forgery in the Drupal Salesforce Suite contrib module (all versions from 0.0.0 up to and including 5.1.3) lets an attacker forge state-changing requests that are executed with the privileges of an authenticated Drupal user who is tricked into loading attacker-controlled content. The Drupal security team (SA-CONTRIB-2026-063) rates it critical, and a fixed release is available; no public exploit code has been identified and EPSS is very low (0.10%, 1st percentile), indicating no observed exploitation activity. Note that the published CVSS vector (UI:N) is atypical for CSRF, which normally depends on victim interaction, so the real-world impact profile should be verified against the vendor advisory.

CSRF Salesforce Suite
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-38057 HIGH CISA This Week

Cross-site request forgery in ST Engineering iDirect satellite terminals (Evolution iQ-series, including the iQ200, plus 3315-series and 9-series) lets a remote attacker force an authenticated administrator's browser to submit a POST to the /api/reboot endpoint, rebooting the modem and dropping the satellite link. Because the session cookie lacks a SameSite attribute and no CSRF token is validated, simply luring a logged-in admin to a malicious page triggers the reboot; repeated abuse sustains a denial-of-service against connectivity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CSRF Evolution Iq Series Terminals 3315 Series 9 Series Terminals
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-6440 MEDIUM This Month

Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. The practical outcome is complete disabling of the site's Google Meet integration with no data disclosure; no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF Google Goodmeet Google Meet Integration For Webinar Meeting Video Conference
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15070 HIGH This Week

Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.

WordPress CSRF RCE PHP Salon Booking System Free Version
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-58143 HIGH This Week

Cross-site request forgery in Cotonti Siena (versions 0.9.26 and earlier) lets remote attackers alter administrator configuration by luring an authenticated admin into loading an attacker-controlled page that auto-submits a forged POST to the admin.php config update handler, which never calls the CMS's own CSRF validation routine. The highest-value abuse sets the PFS module option pfsfilecheck to 0, disabling the file-extension whitelist so any account with PFS (Personal File Storage) access can upload and execute arbitrary PHP, turning a CSRF into server-side code execution. There is no public exploit identified at time of analysis and it is not on CISA KEV, though a referenced public gist may contain proof-of-concept details; EPSS was not provided.

CSRF PHP
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-52777 PHP CRITICAL POC PATCH GHSA Act Now

PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).

Deserialization Path Traversal CSRF XSS RCE +1
NVD GitHub
CVE-2026-52772 PHP MEDIUM POC PATCH GHSA This Month

Stored XSS in YesWiki's Bazar form module allows a privileged form editor to inject persistent script payloads into field label and hint fields, which execute in the browser context of every subsequent visitor - including unauthenticated guests - who renders an affected form. The vulnerability is a sibling class of an incomplete fix at commit e6b66aa: that commit removed the dangerous |raw('html') filter from two Twig template call sites but left eleven additional sites in range.twig, email.twig, layouts/input.twig, layouts/field.twig, textarea.twig, user.twig, bookmarklet.twig, subscribe.twig, and linked-entry.twig still suppressing Twig's HTML auto-escaping. No active exploitation is confirmed in CISA KEV, but a detailed proof-of-concept with exact payloads, rendered HTML output, and affected line numbers is included in GitHub Security Advisory GHSA-xc7j-3g8q-9vh4, and patch commit 5d1a4d07 is publicly available.

XSS CSRF PHP
NVD GitHub
CVSS 3.1
5.5
CVE-2026-52769 PHP HIGH POC PATCH GHSA This Week

Server-side request forgery in YesWiki's Bazar ActivityPub module (through v4.6.5) lets an unauthenticated remote attacker coerce the server into fetching arbitrary attacker-chosen URLs. The public inbox route parses the HTTP Signature header and issues a server-side GET to the attacker-supplied keyId URL before any signature or URL validation, enabling internal port scanning, service enumeration, and cloud IAM metadata theft (169.254.169.254). Publicly available exploit code exists (a detailed PoC with a working request), and verbose 500 exception/stack-trace responses act as a data oracle; there is no CISA KEV listing.

CSRF SSRF PHP
NVD GitHub
CVSS 3.1
8.3
CVE-2026-52767 PHP HIGH POC PATCH GHSA This Week

Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.

CSRF Jwt Attack SSRF OpenSSL Apache +2
NVD GitHub
CVSS 3.1
8.2
CVE-2026-52766 PHP CRITICAL POC PATCH GHSA Act Now

{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.

Privilege Escalation CSRF PHP
NVD GitHub
CVSS 3.1
9.1
CVE-2026-53760 PHP MEDIUM POC GHSA This Month

Cross-site request forgery in Admidio's plugin management endpoint (`modules/plugins.php`) enables a remote attacker to trigger destructive plugin operations - including irreversible DROP TABLE SQL execution - against any authenticated administrator who visits an attacker-controlled web page. The endpoint processes install, uninstall, and update operations via unauthenticated GET requests lacking CSRF token validation, and SameSite=Lax cookie behavior causes browsers to automatically include session credentials on top-level GET navigations from cross-origin pages. A working Playwright-based proof-of-concept is publicly available demonstrating the full attack chain; no confirmed active exploitation (CISA KEV) is present at time of analysis.

CSRF PHP
NVD GitHub
CVSS 3.1
5.2
CVE-2026-4275 HIGH This Week

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.

WordPress CSRF Divi Torque Lite Divi Modules For The Divi Builder Theme
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-5923 MEDIUM PATCH This Month

Cross-Site Request Forgery in HP IP phones' web management interface allows an attacker who has obtained a stolen session cookie to submit unauthorized state-changing requests that modify the phone's webpage contents, with integrity and availability rated high (VI:H/VA:H) in the vendor-supplied CVSS 4.0 vector. The CVSS 4.0 score of 6.0 reflects the attack conditions prerequisite (AT:P) of prior cookie theft, low-level privilege requirement (PR:L), and passive user interaction (UI:P), meaningfully limiting opportunistic exploitation. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

CSRF
NVD
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-60105 HIGH PATCH This Week

Server-side request forgery in Monsta FTP before 2.14.5 lets an unauthenticated remote attacker coerce the server into making HTTP requests to internal-only services and exfiltrate the responses. The flaw lives in the fetchRemoteFile action, where the isBlockedIP() SSRF filter fails to recognize IPv4-mapped IPv6 addresses, so blocklisted internal ranges can be reached anyway; a CSRF token is trivially obtainable from the public getSystemVars endpoint. Impact is notable because the primary abuse case is stealing cloud instance metadata credentials, though no public exploit is identified at time of analysis.

CSRF SSRF
NVD VulDB
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-49455 npm MEDIUM POC PATCH GHSA This Month

Cross-Site Request Forgery in Waku's RSC request dispatcher allows a remote attacker to invoke any state-mutating 'use server' server action with a victim's session cookies by exploiting the complete absence of Origin header validation in the core request handler at packages/waku/src/lib/utils/request.ts. Both the RSC path prefix branch (exploitable via Content-Type: text/plain, no preflight) and the progressive-enhancement HTML form branch (exploitable via multipart/form-data) are unguarded, with opaque-origin contexts such as sandboxed iframes and browser extension pages additionally exploitable via Origin: null. The reporter confirmed a working proof-of-concept against waku 1.0.0-beta.0 with dynamic verification on 2026-05-17; all HTTP adapters share the same vulnerable dispatcher and no patched version has been identified at time of analysis.

CSRF
NVD GitHub
CVSS 3.1
6.5
CVE-2026-15034 LOW Monitor

Cross-site request forgery in Flask-MonitoringDashboard up to version 5.0.2 allows a remote unauthenticated attacker to trick an authenticated dashboard user into submitting malicious state-changing requests by luring them to a crafted page. The vulnerability (CWE-352) is limited in scope to the monitoring dashboard itself with a low integrity impact and no confidentiality or availability consequence, reflected in the CVSS 4.0 score of 2.1. Exploit details have been publicly disclosed via VulDB submissions and a GitHub issue report, but no patch has been released and the project maintainer has not yet responded to the responsible disclosure.

CSRF Python
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12002 MEDIUM This Month

Cross-Site Request Forgery in Smash Balloon Social Photo Feed - Easy Social Feeds Plugin for WordPress (all versions through 6.11.1) enables unauthenticated remote attackers to overwrite the site's Instagram and Facebook oEmbed access tokens by forging a request that a logged-in administrator unwittingly executes. The root cause is missing or incorrect nonce validation on the `maybe_connection_data` function, WordPress's primary CSRF defense mechanism. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, a patch changeset is confirmed in the WordPress plugin repository.

WordPress CSRF Smash Balloon Social Photo Feed Easy Social Feeds Plugin
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-9731 MEDIUM This Month

Cross-Site Request Forgery in the Wp Js Detect WordPress plugin (all versions ≤ 1.0.9) permits unauthenticated attackers to overwrite the plugin's frontend notification text and CSS settings by exploiting absent nonce validation in the plugin_settings function. Because the stored values are echoed unescaped to the WordPress frontend, a successful forged request can inject arbitrary HTML or script content visible to site visitors who have JavaScript disabled. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; EPSS data was not supplied.

WordPress CSRF Wp Js Detect
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-49471 PyPI HIGH POC PATCH GHSA This Week

Remote code execution in the Oraios Serena MCP coding toolkit (prior to v1.5.2) lets a malicious webpage hijack a developer's local coding agent via DNS rebinding. Serena's built-in web dashboard runs an unauthenticated Flask API on a fixed, predictable port with no auth, no CSRF protection, and no Host-header validation, so any site the victim visits while Serena is running can write attacker-controlled content into the agent's persistent memory store; because the agent autonomously reads that memory and can invoke execute_shell_command with shell=True, this chains to code execution on the developer's machine. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.

Authentication Bypass CSRF Python RCE Serena
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-44342 Go MEDIUM PATCH GHSA This Month

Cross-site request forgery in new-api's OAuth account binding endpoints allows an unauthenticated network attacker to silently rebind a logged-in user's email or WeChat identity to attacker-controlled credentials by luring the victim to a malicious page. Affected are all deployments running versions prior to v0.12.0-alpha.1 where the GET-based bind endpoints are reachable. No public exploit has been identified at time of analysis, and the default SameSite=Strict cookie configuration substantially limits real-world exploitability to environments that have weakened or overridden that default.

CSRF
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-58315 MEDIUM This Month

Cross-site request forgery in SEIKO EPSON Web Config allows a remote, unauthenticated attacker to trigger unintended configuration changes on Epson network devices by luring an authenticated administrator into visiting a malicious web page. The vulnerability (CWE-352) requires no privileges on the attacker's side but depends on an active, authenticated Web Config session on the victim's browser. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

CSRF
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-34171 HIGH PATCH This Week

{uuid} endpoint performing a state-changing password reset when merely visited. In versions prior to 4.0.0-beta.471, an attacker who knows a victim's invitation UUID and lures them to a crafted link can silently reset the victim's account password to a predictable value and seize the account. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix is confirmed in release v4.0.0-beta.471.

CSRF Coolify
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-59713 HIGH PATCH This Week

Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a victim into an attacker-controlled account. The root cause is a stubbed verifyState() method that unconditionally returns true, so the OIDC state parameter is never validated, letting a crafted callback URL carrying an attacker-supplied authorization code complete login as the attacker. No public exploit identified at time of analysis, but a vendor patch and a public technical advisory (VulnCheck) exist; CVSS 4.0 is rated 8.6 (High).

CSRF Leantime
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-14800 LOW POC Monitor

Cross-site request forgery in imhamzaazam ecommerceFlask allows a remote, unauthenticated attacker to induce authenticated victims into executing unauthorized state-changing actions against the application. The vulnerability exists in an unspecified function of the Flask-based e-commerce application up to commit cb7d9e24c30a99379651b7493b32048126ef402b, with no patch released and the project maintainer not yet responding. A publicly available proof-of-concept exploit has been disclosed via a GitHub issue, and the application's rolling release model means no fixed version can be identified.

CSRF Ecommerceflask
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-59520 MEDIUM This Month

Cross-Site Request Forgery in the CrawlWP SEO WordPress plugin (versions through 3.0.16) allows an unauthenticated attacker to perform unauthorized state-changing actions on behalf of an authenticated site administrator. Exploitation requires social engineering - a logged-in admin must be tricked into visiting a malicious page that silently submits a forged request. The integrity impact is low, limited to unauthorized configuration changes within the plugin's functionality. No public exploit code or active exploitation has been identified at time of analysis, consistent with the vulnerability's low CVSS base score of 4.3.

CSRF Crawlwp Seo
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-12740 HIGH This Week

Login cross-site request forgery in Plack::Middleware::OAuth through 0.10 (Perl/PSGI OAuth login middleware) lets an unauthenticated remote attacker bind their own provider identity to a victim's session because the OAuth 2.0 flow omits the anti-CSRF state parameter and never verifies that a callback belongs to the session that initiated the flow. With victim interaction (clicking an attacker-supplied callback URL), the attacker's provider account and access token become associated with the victim's session, and where the app persists this as an account link the attacker retains ongoing access to the victim's account. There is no public exploit identified at time of analysis; EPSS is low (0.13%) and it is not in CISA KEV, but an upstream fix exists in PR #13.

CSRF
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-12746 HIGH PATCH This Week

Login CSRF via a missing OAuth 2.0 state parameter in Dancer2::Plugin::Auth::OAuth::Provider (all versions before 0.23) allows a remote, unauthenticated attacker to associate their own OAuth provider identity and access token with a victim's application session, potentially achieving persistent account takeover. The plugin's authentication_url method never generates a state value, and the callback handler never validates one, leaving the entire authorization flow unbound to the session that initiated it. No public exploit code or active exploitation (CISA KEV) has been identified, but the attack concept is well-understood and described in RFC 6749 §10.12 as a known threat to any OAuth 2.0 implementation omitting state binding.

CSRF
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-14620 MEDIUM PATCH This Month

Cross-site request forgery in webpack-dev-server 5.2.5 and earlier allows any website visited by a developer to silently invoke two unauthenticated state-changing endpoints - `/webpack-dev-server/open-editor` and `/webpack-dev-server/invalidate` - via simple browser-initiated GET requests that carry no CSRF protection. An attacker controlling a web page visited during an active dev session can open arbitrary local files in the developer's editor (including files outside the project root) and trigger repeated forced recompilations that degrade workstation performance. No public exploit has been identified at time of analysis, and exploitation is confined to developer workstations rather than production infrastructure.

CSRF Webpack Dev Server Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-13040 HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the 'real_val__' form-submission parameter, which later executes in the browser of any user who views the affected page. The flaw is amplified by a design weakness: the submission handler is registered through wp_ajax_nopriv_submit_nex_form with no nonce/CSRF verification, so no authentication or valid session is required to reach the vulnerable sink. There is no public exploit identified at time of analysis and no CISA KEV listing, but the unauthenticated, network-reachable nature makes it a practical mass-exploitation candidate against exposed WordPress sites.

WordPress XSS CSRF Nex Forms Ultimate Forms Plugin For Wordpress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-57766 HIGH This Week

Cross-Site Request Forgery in the WPIDE - File Manager & Code Editor WordPress plugin (versions <= 3.5.6) allows a remote attacker to forge privileged requests that a logged-in administrator's browser executes without consent. Because WPIDE exposes filesystem read/write and code-editing functionality, a successful CSRF can lead to arbitrary file modification and effectively remote code execution on the WordPress host. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.

CSRF Wpide File Manager Code Editor
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-57761 HIGH This Week

Stored cross-site scripting via cross-site request forgery affects the SEOWP WordPress theme by BlueAstralThemes in all versions up to and including 3.12.2, allowing a remote unauthenticated attacker who tricks a logged-in administrator into loading a malicious page to forge a state-changing request that injects persistent script into the site. The CVSS 3.1 score of 7.1 reflects a scope change (attacker-controlled JavaScript executes in the victim's browser session) with limited confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation hinges on successful social engineering of an authenticated victim (UI:R).

CSRF Seowp
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57759 HIGH This Week

Cross-site request forgery in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (versions 5.9.9.7 and earlier) allows a remote unauthenticated attacker to force a logged-in victim into performing unintended state-changing actions, chaining to full account takeover. Because a successful CSRF against an administrator can hijack a privileged account, impact is rated high across confidentiality, integrity, and availability (CVSS 8.8). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CSRF Profilegrid
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-57758 HIGH This Week

Stored cross-site scripting via cross-site request forgery affects the Permalink Manager for WooCommerce WordPress plugin in all versions up to and including 1.0.8.2. Because the plugin fails to validate request authenticity (CWE-352), an unauthenticated attacker who lures a logged-in administrator into loading a malicious page can forge a state-changing request that persists attacker-controlled script into the site, which later executes in the admin context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 3.1 base score is 7.1 with a scope change reflecting the CSRF-to-stored-XSS impact.

WordPress CSRF Permalink Manager For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57757 HIGH This Week

Cross-Site Request Forgery in the pCloud WP Backup WordPress plugin (versions 2.0.2 and earlier) allows a remote unauthenticated attacker to trick a logged-in administrator into submitting forged requests, leading to high-confidentiality impact and limited integrity impact on the WordPress site. The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R), reflecting network exploitation with no attacker privileges but required victim interaction. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

CSRF Pcloud Wp Backup
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57751 HIGH This Week

Cross-Site Request Forgery in the Heateor Social Login WordPress plugin (versions up to and including 1.1.39) lets an unauthenticated remote attacker forge state-changing requests that are executed with a logged-in victim's privileges once the victim is lured into interacting with a malicious page. The CVSS 3.1 score is 8.1 with High confidentiality and integrity impact, reflecting potential account or configuration manipulation, though exploitation is gated on user interaction (UI:R). There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

CSRF Heateor Social Login
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-57747 MEDIUM This Month

Unauthenticated CSRF in Booked WordPress plugin (versions <= 3.0.0) enables remote attackers to trigger availability-impacting actions against authenticated WordPress users without their consent. The CVSS vector (C:N/I:N/A:H) indicates this CSRF leads to a destructive availability outcome - likely deletion or corruption of booking/scheduling data - rather than data theft or code execution. No public exploit or active exploitation has been identified at time of analysis, though the low attack complexity and no required privileges for staging the attack make social-engineering delivery straightforward.

CSRF Booked
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57690 MEDIUM This Month

Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthenticated attackers to perform unauthorized state-changing actions on behalf of authenticated WordPress users. The flaw stems from missing or inadequate CSRF token validation on one or more theme action endpoints, meaning a crafted web page or link can silently trigger privileged operations when visited by a logged-in user. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

CSRF Werkstatt
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-58451 HIGH PATCH This Week

Arbitrary file disclosure in Horde IMP webmail before 7.0.1 lets an authenticated user read any file the web server can access by planting directory-traversal sequences after a CKEditor path prefix inside an image src URL when composing mail. A weak stripos() prefix check fails to block traversal appended after the allowed prefix, so file_get_contents() pulls in files like /etc/passwd or configuration secrets and attaches them as MIME parts on the outgoing message. No public exploit identified at time of analysis, but VulnCheck published an advisory and the flaw is CSRF-triggerable against a live session, raising practical exposure for internet-facing Horde deployments.

CSRF Path Traversal PHP Imp
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57723 HIGH This Week

Arbitrary file deletion in the VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.12) is reachable via a cross-site request forgery flaw that lets an attacker abuse a path-traversal-capable file operation. By tricking a logged-in administrator into visiting a malicious page, a remote unauthenticated attacker can forge a request that deletes arbitrary files on the WordPress host, potentially disabling the site. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.

CSRF Path Traversal Vikbooking Hotel Booking Engine Pms
NVD VulDB
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-12158 HIGH This Week

Privilege escalation via Cross-Site Request Forgery in the RegistrationMagic WordPress plugin (all versions through 6.0.9.1) lets a remote attacker promote an arbitrary form submitter to administrator by forging a request to the process_request function, which lacks proper nonce validation. The attack plants a malicious Chronos automation task that later runs through WordPress cron, and it succeeds when a logged-in administrator is tricked into clicking an attacker-supplied link. No public exploit identified at time of analysis, and it is not listed in CISA KEV; risk is driven by the plugin's install base and the low technical bar of CSRF.

WordPress CSRF Registrationmagic Custom Registration Forms User Registration Payment And User Login
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-11981 MEDIUM This Month

Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) allows unauthenticated remote attackers to disable donation email notifications by tricking a logged-in administrator into clicking a crafted link. The root cause is absent nonce validation in the give_set_notification_status_handler() AJAX handler, permitting forged state-changing requests. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; however, the integrity impact - silently disabling donation notifications - could cause operational blind spots for nonprofit or fundraising site operators.

WordPress CSRF Givewp Donation Plugin And Fundraising Platform
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-58518 MEDIUM PATCH This Month

Cross-site request forgery in the Wikimedia Foundation's MediaWiki RedirectManager Extension (all versions before 1.3.3) enables remote attackers to perform unauthorized redirect management actions on behalf of authenticated wiki users. The CVSS 4.0 base score of 6.9 (Medium) reflects network-accessible exploitation with low impact across confidentiality, integrity, and availability dimensions on both vulnerable and subsequent systems. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

CSRF Mediawiki Redirectmanager Extension
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-14016 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's SVG implementation prior to version 150.0.7871.47 allows a remote attacker to read data from cross-origin resources by luring a victim to a crafted HTML page. The flaw exploits improper SVG handling that bypasses same-origin policy protections, exposing potentially sensitive session data or authenticated content from third-party origins. No active exploitation has been confirmed (not listed in CISA KEV), and EPSS stands at 0.17% (7th percentile), indicating low observed exploitation probability at time of analysis.

CSRF Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13963 LOW PATCH Monitor

Cross-origin data leakage in Google Chrome's DevTools component (versions prior to 150.0.7871.47) permits a remote attacker to exfiltrate data across origin boundaries by tricking a user into performing specific UI gestures on a crafted HTML page. The CVSS base score of 3.1 (Low) reflects high attack complexity and mandatory user interaction, consistent with the EPSS score of 0.21% (11th percentile) indicating negligible in-the-wild exploitation activity. No public exploit code is identified and no CISA KEV listing exists; a vendor patch is available in Chrome 150.0.7871.47.

CSRF Google
NVD
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-13952 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's PerformanceAPI implementation (versions prior to 150.0.7871.47) allows a remote unauthenticated attacker to infer sensitive data from other browser origins by luring a victim to visit a crafted HTML page. The flaw exploits timing measurements exposed by the Performance API to create a side-channel that bypasses the Same-Origin Policy for limited data reads. No public exploit code or active exploitation (CISA KEV) has been identified; EPSS probability stands at 0.21% (11th percentile), consistent with SSVC's 'exploitation: none' assessment.

CSRF Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13946 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on iOS (prior to 150.0.7871.47) stems from an inappropriate implementation in the ScriptInjections subsystem, exploitable by a remote attacker who can lure a victim to a crafted HTML page. The flaw allows the attacker's origin to read data belonging to a different, protected origin - a fundamental violation of the Same-Origin Policy on Apple's iOS platform. No public exploit code has been identified at time of analysis, EPSS places exploitation probability at 0.22% (13th percentile), and SSVC signals no observed active exploitation, making this a medium-priority patch item despite its cross-origin impact.

CSRF Apple Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13944 LOW PATCH Monitor

Cross-origin data leakage in Google Chrome's DataTransfer implementation on macOS exposes sensitive content from one origin to an attacker-controlled page by exploiting improper boundary enforcement during user-driven UI gestures such as drag-and-drop. Versions prior to 150.0.7871.47 on Mac are affected; the flaw is platform-specific to macOS, limiting scope. No public exploit has been identified and SSVC assessment confirms no current exploitation, though successful abuse would silently exfiltrate cross-origin data without triggering typical security warnings.

CSRF Google
NVD
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-56286 HIGH PATCH This Week

Account takeover-style destruction in Capgo before 12.128.2 lets remote attackers delete arbitrary user accounts because the deletion endpoint enforces no password re-authentication or secondary verification (CWE-306, Missing Authentication for a Critical Function). Reported by VulnCheck, the flaw is exploitable through CSRF, session hijacking, or parameter tampering, causing irreversible account removal, data loss, and denial-of-service. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass CSRF Capgo
NVD GitHub
CVSS 4.0
7.0
EPSS
0.4%
CVE-2026-35096 MEDIUM PATCH This Month

CSRF flaws in KTM System e-BOK's email-change and password-change endpoints allow any remote, unauthenticated attacker to trigger account credential changes on behalf of an authenticated victim by luring them to a malicious web page. Reported by CERT-PL, the vulnerabilities affect all e-BOK versions prior to the June 2026 patch and carry a CVSS 4.0 score of 5.1 (Medium). No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is trivially constructable given the well-understood CSRF class and the public CERT-PL advisory.

CSRF E Bok
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-8944 MEDIUM This Month

Cross-site request forgery in Plugin for Google Analytics by IO Technologies (WordPress) versions up to and including 1.1 allows unauthenticated remote attackers to overwrite the site's Google Analytics tracking ID by tricking a logged-in administrator into clicking a crafted link. The flaw stems from absent nonce validation on the ga.php settings handler, meaning forged POST requests bypass WordPress's standard CSRF protections entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 4.3 reflects the required administrator interaction and limited integrity-only impact.

WordPress CSRF PHP Google Plugin For Google Analytics By Io Technologies
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-43735 HIGH PATCH This Week

The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.

Apple Ios And Ipados CSRF
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-9676 MEDIUM POC PATCH This Month

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

WordPress CSRF F4 Post Tree
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-13537 LOW POC Monitor

Cross-site request forgery in CodeAstro Human Resource Management System 1.0 enables remote attackers to perform unauthorized state-changing actions - specifically department deletion - by tricking an authenticated user into visiting a crafted malicious page. The exploit targets the department deletion endpoint and publicly available proof-of-concept code has been published on GitHub, lowering the bar for exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of a public PoC, network-accessible attack vector, and no required attacker privileges makes this an accessible target for opportunistic attackers against organizations running this software.

CSRF Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-31016 MEDIUM This Month

Cross-site request forgery in Squidex CMS v7.21.0 and earlier allows a remote attacker to escalate privileges by targeting the IdentityServer account profile endpoint without requiring any authentication of their own. A proof-of-concept exploit is publicly documented, including a video walkthrough, and SSVC analysis classifies the attack as automatable with partial technical impact. No active exploitation has been confirmed by CISA KEV at time of analysis.

CSRF N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13422 MEDIUM This Month

Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the `hdq_validate_nonce` function (`includes/functions.php:39`), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in `includes/actions-ajax.php`. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though Wordfence has published a detailed advisory with source code references for both affected versions.

WordPress CSRF Hd Quiz
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-52784 HIGH PATCH This Week

Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id carrying the POST parameter user[admin], coercing a logged-in privileged user's browser into granting administrator rights to an arbitrary account. The flaw (CWE-352) rates CVSS 8.8 because a successful forgery yields full administrative control over the instance; no public exploit is identified at time of analysis and it is not listed in CISA KEV. Both the 17.3.x and 17.4.x maintenance lines are affected, with fixes shipped in 17.3.3 and 17.4.1.

CSRF Openproject
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-57659 HIGH This Week

Cross-Site Request Forgery in the WordPress plugin 'Paid Memberships Pro - Add Member From Admin' (versions 0.7.2 and earlier) lets a remote attacker forge privileged member-management actions by tricking a logged-in administrator into loading a malicious page. Because the plugin's member-add functionality lacks valid CSRF nonce protection (CWE-352), an attacker can abuse the admin's authenticated session to create or modify membership records, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not supplied.

CSRF
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-57657 MEDIUM This Month

Cross-Site Request Forgery in the Gmail SMTP WordPress plugin (versions up to and including 1.2.3.19) enables a remote unauthenticated attacker to trigger unauthorized state-changing actions on behalf of a logged-in WordPress administrator. The attacker does not need any credentials - only the administrator's authenticated browser session, obtained by luring them to a malicious page. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and zero-privilege requirement make it straightforward to exploit once a target is identified.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57655 HIGH This Week

Cross-Site Request Forgery in the Child Theme Wizard WordPress plugin (versions 1.4 and earlier) lets a remote, unauthenticated attacker trick a logged-in administrator into submitting forged state-changing requests, allowing unauthorized actions on the WordPress site without the victim's consent. The CVSS 3.1 score is 8.2 with a scope-change (S:C) and high integrity impact, reflecting that the forged action can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, the flaw is not listed in CISA KEV, and no EPSS score was supplied.

CSRF
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-57641 MEDIUM This Month

Cross-Site Request Forgery in the Real Estate 7 WordPress theme (versions <= 3.5.9) enables unauthenticated remote attackers to forge destructive HTTP requests on behalf of authenticated users, with the CVSS vector indicating high availability impact - consistent with forced deletion of property listings or site content rather than data exposure or modification. Exploitation requires luring an authenticated WordPress session holder to a malicious page, making it a social-engineering-dependent attack. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

CSRF
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57637 MEDIUM This Month

Cross-Site Request Forgery in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions 6.8.0 and below) enables unauthenticated remote attackers to perform unauthorized state-changing actions by luring an authenticated site user into visiting a malicious page. The CVSS score of 4.3 (Medium) reflects a limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57635 MEDIUM This Month

Cross-Site Request Forgery in FunnelKit Payment Gateway for Stripe WooCommerce plugin (versions up to and including 1.14.0.3) allows a remote unauthenticated attacker to perform unauthorized state-changing actions by tricking an authenticated WordPress user into interacting with a crafted request. The absence of proper CSRF token validation (CWE-352) means any action protected only by session authentication can be forged. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

WordPress CSRF
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVSS 8.7
HIGH POC PATCH This Week

Stored/reflected XSS in the ViewComponent Rails gem (versions >= 4.0.0, < 4.12.0) arises because HTML-unsafe strings returned from a component's around_render hook bypass the automatic escaping applied to normal #call output, letting attacker-controlled data reach the browser as raw HTML. The flaw is amplified in collection rendering, where Collection#render_in joins per-item output and blindly marks it html_safe, laundering unsafe content into a trusted SafeBuffer. Publicly available exploit code exists (a detailed PoC in the GitHub advisory), but there is no public exploit identified as actively used in the wild; a vendor patch is available in v4.12.0.

CSRF XSS
NVD GitHub
CVSS 9.6
CRITICAL Act Now

Stored DOM cross-site scripting in WWBN AVideo's YPTSocket plugin (all versions prior to 29.0) lets any unauthenticated remote attacker run arbitrary JavaScript in the browser session of any administrator viewing the YPTSocket online-users debug panel. Because the malicious WebSocket metadata is broadcast to every connected client and rendered without escaping, a single anonymous WebSocket connection can be escalated into full administrative account takeover via the admin's own session and CSRF token. No public exploit identified at time of analysis; the flaw carries a CVSS 9.6 (Critical) rating driven by the scope change into the privileged admin origin.

PHP CSRF XSS +1
NVD GitHub
CVSS 8.3
HIGH PATCH This Week

Cross-Site Request Forgery combined with SPL injection in Splunk Enterprise (below 10.4.1, 10.2.5, 10.0.8, 9.4.13) and Splunk Cloud Platform lets an attacker trick a logged-in user holding the list_deployment_server capability into unknowingly executing attacker-controlled Search Processing Language searches as the privileged splunk-system-user, exposing stored credentials and indexed data. The flaw stems from Deployment Server endpoints in Splunk Web accepting unvalidated GET requests without CSRF token checks and failing to neutralize caller input before it reaches an SPL search. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Splunk CSRF Splunk Enterprise +1
NVD
CVSS 8.3
HIGH PATCH This Week

Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft CSRF Vaultwarden
NVD GitHub
Awaiting Data

A Cross-Site Request Forgery (CSRF) vulnerability exists in the xxl-job-admin web application v.3.0.0 that allows an attacker to perform unauthorized modifications to Glue IDE shell scripts. The affected endpoint lacks proper CSRF token validation and accepts arbitrary HTTP methods via a permissive request mapping

CSRF N A
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary code execution in andreimarcu linx-server (a self-hosted file/media sharing service) versions 1.0 through 2.3.8 can be triggered by a remote attacker abusing a Cross-Site Request Forgery flaw in the uploadPutHandler function, per NVD and MITRE. Because the upload endpoint lacks anti-CSRF protection, an attacker can forge upload requests that ride an authenticated victim's session to achieve code execution. No public exploit has been identified in the provided data, though a third-party vulnerability report is referenced; the flaw is not listed in CISA KEV and no EPSS score was supplied.

CSRF RCE
NVD GitHub
CVSS 5.4
MEDIUM POC PATCH This Month

The `nebula-mgmt` Web UI host-creation path ignores both the server-wide `enrollment_token_ttl` security setting and per-network `network_config.enrollment_token_ttl` overrides. API host creation and token-regeneration paths use the configured TTL resolver, but `POST /ui/hosts` hardcodes `now.Add(24 * time.Hour)` for newly minted agent enrollment tokens. In deployments that intentionally reduce enrollment-token lifetime, any authenticated operator who can create a host through the Web UI can still mint a bearer enrollment token valid for about 24 hours. Enrollment tokens are bearer credentials for the public `POST /api/v1/enroll` endpoint: possession of a valid token allows enrolling the pending host and receiving a signed Nebula certificate/config for that host. The server configuration documents a security knob for their default lifetime and per-network overrides: - `internal/config/server.go:82` defines `EnrollmentTokenTTL` as the default lifetime for freshly minted enrollment tokens. - `internal/config/server.go:83` documents per-network overrides in `network_config` under `enrollment_token_ttl`. The API server implements and consistently uses this resolver: - `internal/api/server.go:77` defines `tokenTTLFor`, with precedence of per-network `enrollment_token_ttl`, then server default, then 24h fallback. - `internal/api/server.go:82` reads `network_config.enrollment_token_ttl`. - `internal/api/server.go:89` falls back to the configured server default. - `internal/api/hosts.go:190` through `internal/api/hosts.go:196` use `now.Add(s.tokenTTLFor(r.Context(), host.NetworkID))` for API host creation. The Web UI sibling path does not call the resolver and instead always sets a 24-hour expiry: - `internal/web/handlers.go:874` mints the raw token for `POST /ui/hosts`. - `internal/web/handlers.go:879` sets `ExpiresAt: now.Add(24 * time.Hour)`. This creates inconsistent behavior between API and Web UI host creation and bypasses an operator-configured token lifetime policy. The issue is reachable by an authenticated Web UI operator who can create hosts. Admins can create hosts in any network; non-admin operators can create hosts in networks whose CA they own. Affected version evidence: the configurable enrollment-token TTL feature was introduced by commit `6c344a6` (`feat(api): configurable enrollment-token TTL + regenerate endpoint (#75) (#79)`), and `git tag --contains 6c344a6 --sort=version:refname` returns `v0.3.0` through `v0.3.8`. Pattern checks across all release tags showed the TTL config/API resolver and the Web UI 24-hour hardcode are present in every `v0.3.x` release from `v0.3.0` to `v0.3.8`, and are not meaningfully applicable to `v0.1.x`/`v0.2.0` because the TTL policy knob was not present there. The current checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` (`git describe`: `v0.3.8-1-gd92dd9a`) remains affected. Safe local PoC run from a clean checkout at commit `d92dd9a60de291e2bc1caf73b4e9a99567b31ec0` on 2026-06-12. The PoC is a temporary Go test that uses only in-memory SQLite and `httptest`; it does not start a real server and does not contact external services. 1. Create a temporary test file `internal/web/security_audit_poc_test.go` in package `web`. 2. In the test, create an in-memory Web UI with `newTestWeb(t)`, create a network `audit-poc-net` with CIDR `10.77.0.0/24`, and set `network_config.enrollment_token_ttl` to `30m`. 3. Log in as the seeded test admin through the normal Web UI helper and obtain a CSRF token from `GET /ui/hosts/new`. 4. Submit `POST /ui/hosts` with `network_id=audit-poc-net`, `name=audit-poc-host`, `nebula_ips=10.77.0.10`, `role=host`, and `kind=agent`. 5. Parse the one-shot enrollment token from the returned host-detail page and read the token row with `GetEnrollmentToken`. 6. Compare the observed expiry to the configured 30-minute network override. Command run: ```bash go test ./internal/web -run 'TestSecurityAuditPOC' -count=1 -v ``` Observed vulnerable output from this environment: ```text === RUN TestSecurityAuditPOC_UIHostCreateIgnoresNetworkEnrollmentTokenTTL POC_UI_TTL_BYPASS observed_token_ttl=24h0m0s configured_network_ttl=30m expires_at=2026-06-13T14:51:45Z --- PASS: TestSecurityAuditPOC_UIHostCreateIgnoresNetworkEnrollmentTokenTTL (0.05s) ``` The meaningful control is the API sibling: `internal/api/hosts.go:190` through `internal/api/hosts.go:196` uses `s.tokenTTLFor(...)`, and existing tests in `internal/api/hosts_token_ttl_test.go` verify API-created/regenerated enrollment tokens honor server-default and per-network TTLs. Variant review also found API regenerate-token, API re-enroll, and signed-poll rekey token minting use the resolver rather than a hardcoded 24h value. After recording the output, the temporary test file was removed and `git status --short` returned clean. The PoC was re-run after drafting this report and produced the output shown above. An authenticated Web UI operator can bypass a configured enrollment-token lifetime policy and obtain a token valid for approximately 24 hours even when the deployment or network is configured for a much shorter lifetime such as 30 minutes. Because enrollment tokens are bearer credentials for the public enrollment endpoint, longer-than-intended validity increases the window in which a copied, logged, shared, or otherwise exposed token can be used to enroll the pending host and obtain its Nebula certificate/config. This weakens confidentiality and integrity for deployments relying on short token lifetimes to reduce enrollment-token exposure. Suggested remediation: refactor the Web UI host-creation path to use the same TTL resolution as the API path, or move the resolver into a shared package/service used by both API and Web UI. Add a regression test under `internal/web` that sets `network_config.enrollment_token_ttl = "30m"`, creates an agent host through `POST /ui/hosts`, and asserts the persisted enrollment token expires within the configured 30-minute window rather than 24 hours.

CSRF
NVD GitHub
CVSS 7.6
HIGH PATCH This Week

Stored cross-site scripting in EasyAdminBundle (Symfony admin generator) versions 5.0.0 through 5.0.12 allows a lower-privileged user with access to a form using FileField or ImageField to upload a browser-executable .html or .svg file that EasyAdmin then links to inline, executing attacker-controlled JavaScript in a viewing administrator's authenticated session. Impact includes session/CSRF-token theft and privilege escalation; it is explicitly NOT remote code execution because filenames come from Symfony's guessExtension(). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available in 5.0.13.

XSS Privilege Escalation PHP +2
NVD GitHub
CVSS 3.5
LOW Monitor

{ $items = []; foreach ($this->variantes() as $item) { $match = $item->{$this->match}; $description = Tools::textBreak($item->description(), 300); ... $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' ... ``` `$this->match` defaults to `'referencia'` (`WidgetVariante::__construct`, line 42). `$item->referencia` was sanitised at write time by `Variante::test()` (`Core/Model/Variante.php:392`) which calls `Tools::noHtml($this->referencia)`. `Tools::noHtml` (`Core/Tools.php:499-504`) replaces `'`, `"`, `<`, `>` with `&#39;`, `&quot;`, `&lt;`, `&gt;`. The defender therefore expects that any apostrophe a user typed becomes `&#39;` in the database, which renders inside the `onclick` attribute as `&#39;` and cannot break out of the surrounding `'...'` JS string literal. `Core/Lib/Widget/WidgetSubcuenta.php:290-305` has the identical shape: ```php foreach ($this->subcuentas() as $item) { $match = $item->{$this->match}; ... $items[] = '<tr class="clickableRow" onclick="widgetSubaccountSelect(\'' . $this->id . '\', \'' . $match . '\');">' . '<td class="text-center">' . '<a href="' . $item->url() . '" target="_blank" onclick="event.stopPropagation();">' ... ``` `$this->match` defaults to `'codsubcuenta'`; the value is `Tools::noHtml`-encoded by `Subcuenta::test()` (`Core/Model/Subcuenta.php:213`). Per the HTML5 spec (and what every browser actually does), the value of an HTML attribute is processed by the **character reference state** of the tokenizer before any consumer sees it. By the time the `onclick` attribute value reaches the script engine, the bytes inside are the *decoded* string. Concretely, the HTML the browser receives is: ```html <tr onclick="widgetVarianteSelect('id', '1&#39;,alert(1),&#39;2');"> ``` After the tokenizer decodes `&#39;` to `'`, the JavaScript fragment passed to the script engine is: ```javascript widgetVarianteSelect('id', '1',alert(1),'2'); ``` `alert(1)` runs as a third positional argument that JavaScript happily evaluates while building the call. The `widgetVarianteSelect` function ends up being called with four arguments and the side-effect of `alert(1)` (or any payload) has already occurred. The recent `40bc701` AccountingModalHTML and `8586b97` SalesModalHTML / PurchasesModalHTML fix recognised this. Both replaced the `onclick="...('"+ value +"')"` pattern with: ```php $tbody .= '<tr ... data-subaccount="' . $code . '" onclick="$(...).modal(\'hide\');' . ' return newLineAction(this.dataset.subaccount);">' ``` Where `$code = static::html($subaccount->codsubcuenta)` and `static::html` is `htmlspecialchars(html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The HTML5 entity decode is deliberate: it normalises any double-encoded data so that the subsequent `htmlspecialchars` produces stable single-encoded output. The JavaScript then reads the value from `this.dataset.*`, which is the post-decoded attribute value, where the original quote is now literally inside a string property and cannot break out of any quote context. `WidgetSubcuenta` and `WidgetVariante` were not migrated to this pattern. `Variante::test()` (`Core/Model/Variante.php:389-401`) accepts up to 30 characters in `referencia`. The minimum payload is 13 bytes (`1',alert(1),'2`), comfortably under the limit. The `Tools::noHtml` pass during `test()` produces the stored form `1&#39;,alert(1),&#39;2`, which is 22 bytes. Three plant primitives are practical: 1. **Direct create** via `EditProducto?action=save` with the attacker-controlled `referencia` field. Because `EditProducto` is exposed to any user with the `EditProducto` permission (which roles like *sales agent* and *warehouse manager* commonly carry), this is a within-tenant primitive: a low-privilege salesperson plants the payload, an admin opens any sales document and clicks the variant picker. 2. **DB write** by anyone with raw SQL access (DBA or shared-hosting admin). `INSERT INTO variantes (referencia, ...) VALUES ('1\',alert(1),\'2', ...)`. This is what I used for the live test; the plant is permanent until the row is deleted. 3. **Plugin / API import.** `ApiAttachedFiles` and the various import endpoints allow a low-privilege API key to land arbitrary `referencia` values that bypass the `EditProducto` `permissions->onlyOwnerData` filter. For `WidgetSubcuenta`, the `codsubcuenta` field is constrained to the exercise's `longsubcuenta` length (10 by default), and the regex-free `Tools::noHtml` pass turns one apostrophe into 5 bytes (`&#39;`), so the post-noHtml string must equal the configured length exactly. A 5-byte payload (`1','` is 4) plus padding is workable for compact bypass payloads such as `'+x+'` (where `x` is a previously-loaded global). DB-write planting (primitive 2) bypasses the length check entirely. The fix wave centred on the `Lib/AjaxForms/*ModalHTML.php` files. Both audited widgets live in `Lib/Widget/` and look superficially safe to a reviewer because every value is `Tools::noHtml`-escaped at storage. The actual decoding step happens inside the browser, not the PHP code, so the defect is not visible in a `grep`-based review of the PHP source unless the reviewer specifically looks for `onclick="...('+ $field +')'` shapes that put a `Tools::noHtml`-escaped value in a JavaScript string position inside an HTML attribute. > **Live PoC verified 2026-05-01** against `http://127.0.0.1:8081/` running facturascripts at commit `24281ca`. A `Variante.referencia` value of `1',alert(1),'2` (planted via raw DB write below) renders inside `widgetVarianteSelect('0', '1&#39;,alert(1),&#39;2');` in the modal grid; opening the variant-picker modal in any user's browser (low-priv or admin) fires `alert(1)` from the host page's realm. Setup: the admin session at `http://127.0.0.1:8081/` is at `/tmp/fs-cookie2`. Step 1 - plant the payload (any of the three primitives works). DB-write primitive: ```bash mysql -h127.0.0.1 -ufs -pfs facturascripts <<'SQL' INSERT INTO productos (referencia, descripcion, codimpuesto, sevende, secompra, bloqueado, nostock, publico, stockfis, ventasinstock, observaciones) VALUES ('XSSPRD', 'XSS via WidgetVariante', 'IVA21', 1, 1, 0, 1, 0, 0, 1, ''); INSERT INTO variantes (referencia, idproducto, precio, coste, margen, stockfis, codbarras) SELECT "1',alert('XSS-WidgetVariante'),'2", idproducto, 0, 0, 0, 0, '' FROM productos WHERE referencia='XSSPRD'; SQL ``` After the insert, `Variante::test()` did not run (the row was created via SQL), so the literal `'` survives. Even via the EditProducto UI primitive, the round trip through `Tools::noHtml` produces the encoded form `1&#39;,alert(...),&#39;2` which decodes back to the working payload at render time. Step 2 - open any controller that uses WidgetVariante with the default `match` (or any third-party plugin form that does so). Core ships two views (`Core/XMLView/EditAgente.xml`, `Core/XMLView/ListAgente.xml`) but both override `match="idproducto"`, so they are not exposed in stock core. Any plugin form that uses `<widget type="variante" .../>` without an explicit `match` attribute opts into the vulnerable code path. Trigger the variant-picker modal: ```bash $ curl -s -b /tmp/fs-cookie2 "http://127.0.0.1:8081/EditAgente?code=1" \ | grep -oE 'widgetVarianteSelect[^<>]{1,200}' | head -3 ``` When the modal renders `match=referencia`, the row in the response contains: ```html <tr class="clickableRow" onclick="widgetVarianteSelect('0', '1&#39;,alert(&#39;XSS-WidgetVariante&#39;),&#39;2');"> ``` The browser HTML-decodes the attribute value before passing it to the script engine, yielding the actual JavaScript `widgetVarianteSelect('0', '1',alert('XSS-WidgetVariante'),'2');`. The `alert` fires the moment the attribute is parsed for execution (i.e., when the user clicks the row, or when an automation script triggers the click programmatically), and the host realm's session, cookies, and CSRF tokens are exposed to the payload. For `WidgetSubcuenta`, the payload trigger is identical: any controller with `<widget type="subcuenta" fieldname="codsubcuentaXxx"/>` (`Core/XMLView/EditProducto.xml`, `EditCuentaBanco.xml`, `EditFamilia.xml`, `EditImpuesto.xml`, `EditRetencion.xml` are the in-tree consumers) renders the modal with `widgetSubaccountSelect('id', '<HTML-decoded codsubcuenta>')`. A `codsubcuenta` row planted with one apostrophe and five bytes of payload escapes the JS string and runs in the host page. * **Stored XSS in any user's browser the moment they open a product or subaccount picker.** The execution context is the host page, with full access to the viewer's session, CSRF tokens, and the running application. From an admin viewer's perspective the payload achieves admin compromise (install plugins, change passwords); from a normal user's perspective it can be used to exfiltrate the user's data and pivot. * **Within-tenant escalation primitive.** `EditProducto` is a routinely granted role permission. A salesperson, warehouse user, or a plugin-supplied controller without `admin` rights can plant a payload that fires in admin's browser the next time admin opens any sales document and clicks the variant picker. * **Sister vulnerability to the `40bc701` / `8586b97` fix wave.** The maintainers already understand and have fixed the same anti-pattern in three sister classes; these two were missed and remain exploitable. CVSS reasoning: `AV:N`, `AC:L` (one DB or one form POST plant), `PR:H` (the planter must be authenticated and have either `EditProducto` or DB write or import-API access; with weaker roles the payload is also reachable), `UI:R` (the victim opens a form that renders the modal and triggers a click), `S:U` (the impact stays within the application), `C:L I:L A:N` (the viewer's session and CSRF token are exposed; integrity loss bounded by viewer's role). Score 4.8. Mirror the `40bc701` and `8586b97` fix exactly. In both `Core/Lib/Widget/WidgetVariante.php:321` and `Core/Lib/Widget/WidgetSubcuenta.php:296`, replace: ```php $items[] = '<tr class="clickableRow" onclick="widgetVarianteSelect(\'' . $this->id . '\', \'' . $match . '\');">' ``` with the data-attribute pattern that the modal helpers now use: ```php $encMatch = htmlspecialchars( html_entity_decode((string)$match, ENT_QUOTES | ENT_HTML5, 'UTF-8'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); $items[] = '<tr class="clickableRow" data-match="' . $encMatch . '"' . ' onclick="widgetVarianteSelect(\'' . $this->id . '\', this.dataset.match);">' ``` (and the analogous change for `widgetSubaccountSelect`). The same approach should be applied to: * `WidgetSubcuenta::renderExerciseFilter` (`Core/Lib/Widget/WidgetSubcuenta.php:251-255`) where `$item->codejercicio` is interpolated into `<option value="...">`. Codes are short and predictable but the same escaping consideration applies for defence in depth. * `WidgetVariante::renderManufacturerFilter` (line 213) and `renderFamilyFilter` (line 197). Long term, the `BaseWidget::onclickHtml` and `inputHtml` builders (`Core/Lib/Widget/BaseWidget.php:163-167`, `234-239`, `273-283`) likewise concatenate `$this->value` into HTML attributes without context-aware escaping. Migrating them to use Twig (or at least `htmlspecialchars` with `ENT_QUOTES`) closes a class of bugs that today rely on every model's `test()` to be defensive. A regression test should plant a `Variante.referencia` of `1',alert(1),'2`, render the page through the live HTTP stack, and assert that no JavaScript dialog fires (e.g. via Playwright `page.on('dialog', ...)`).

PHP CSRF XSS
NVD GitHub
CVSS 8.0
HIGH This Week

Stored CSV formula injection in FacturaScripts (all versions through 2026.1) lets an authenticated low-privilege user plant spreadsheet formula payloads in ordinary text fields (customer/supplier/product names, contacts) that execute when an administrator opens a routine list export. Because Core/Lib/Export/CSVExport.php::writeData() wraps values without neutralising leading =,+,-,@,tab, or carriage-return characters, and Tools::noHtml() only strips HTML metacharacters, the payload reaches the CSV verbatim and Excel/LibreOffice run it (including DDE process spawning) in the admin's OS context. A live PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no active exploitation confirmed (not in CISA KEV).

PHP CSRF Microsoft +2
NVD GitHub
CVSS 9.9
CRITICAL Act Now

Cross-resource SQL injection in the FacturaScripts REST API (all versions through 2026.1) lets a low-privileged, scoped ApiKey read or modify arbitrary database tables via the `filter` query parameter, enabling full admin account takeover. A single GET request with a parenthesized filter key leaks the admin's bcrypt password hash and `logkey` session token, which are then replayed as the `fsLogkey` cookie to reach admin-only endpoints like `/AdminPlugins`. A live end-to-end PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no public exploit identified as being used in active attacks (not in CISA KEV).

Oracle SQLi PHP +2
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

CSRF token disclosure in the Perl Mojolicious web framework (versions 4.59 up to but not including 9.48) allows a network attacker to recover a victim's session CSRF token via a BREACH compression side channel and then bypass csrf_protect validation. Because _csrf_token cached and returned one stable per-session value that _csrf_field embedded in every response, an attacker who could inject reflected input into a gzip-compressed page could iteratively guess the token by observing compressed response lengths. There is no public exploit identified at time of analysis, EPSS is low (0.15%), and it is not in CISA KEV, but SSVC rates technical impact as total and automatable as yes.

CSRF Oracle Mojolicious
NVD GitHub VulDB
EPSS 5% CVSS 9.2
CRITICAL POC Act Now

Remote command injection in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets unauthenticated or CSRF-driven attackers store a malicious payload via the optional cli_control plugin's HTTP endpoint and execute arbitrary OS commands on the host when the linked irrigation station is activated. Because the plugin ships with no passphrase protection or the well-known default passphrase 'opendoor', exploitation is trivial on default installs. Publicly available exploit code exists (ZeroScience/VulnCheck), though the flaw is not listed in CISA KEV, and the CVSS 4.0 base score is 9.2 (Critical).

CSRF Command Injection Sip
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated attackers overwrite sensitive settings - including the passphrase and listening port - by injecting arbitrary parameter names into HTTP requests. Because the application binds request parameters directly to internal configuration objects without an allow-list, the same effect can be triggered blindly through cross-site request forgery against an authenticated operator's browser. Publicly available exploit code exists (ZeroScience ZSL-2026-5997), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

CSRF Sip
NVD
EPSS 0% CVSS 7.0
HIGH POC This Week

Cross-site request forgery in the Sustainable Irrigation Platform (SIP) through 5.2.16 lets remote attackers execute state-changing administrative actions when a logged-in administrator is lured to a malicious page, because administrative endpoints accept HTTP GET requests with no CSRF token or origin validation. An attacker can disable the passphrase, reboot the irrigation controller, delete watering programs, or install plugins; in the default configuration these endpoints are exposed to unauthenticated users because no passphrase is required and the default credential is 'opendoor'. Publicly available exploit code exists (ZeroScience ZSL-2026-5995), though there is no public exploit identified as being used in active campaigns.

CSRF Sip
NVD
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.

PHP CSRF WordPress +1
NVD WPScan
HIGH PATCH This Week

Two-factor authentication bypass in Kimai (open-source time-tracking) before 2.59.0 lets an attacker with only a victim's password reach every authenticated REST API endpoint without completing TOTP. The KIMAI_SESSION cookie returned by the password-only login response - issued before the 2FA step - is already treated as authenticated by /api/*, so it can be replayed to act fully as the user while the browser is still pinned to the 2FA screen. No public exploit identified at time of analysis (a PoC existed but was redacted by the reporter); not listed in CISA KEV.

Authentication Bypass CSRF
NVD GitHub
CRITICAL PATCH Act Now

Account takeover in Kimai (<= 2.57.0) stems from the official Docker image shipping a hard-coded default APP_SECRET ('change_this_to_something_unique') that Symfony consumes as kernel.secret. Because this HMAC signing key is publicly known and the entrypoint never rotates or validates it, a remote unauthenticated attacker can forge remember-me cookies, LoginLink signatures, password-reset URLs and CSRF tokens to log in as any user, including the id=1 super_admin. No public exploit is identified at time of analysis (a PoC existed but was withheld), and no CVSS/EPSS/KEV data was provided, so the scoring below is independently assessed.

CSRF Docker
NVD GitHub
MEDIUM PATCH This Month

Cross-site request forgery in Kimai's timesheet API allows an unauthenticated attacker to trigger unauthorized state changes against any logged-in victim by embedding malicious GET requests in attacker-controlled pages. Kimai versions up to and including 2.57.0 expose the `stop` and `restart` timesheet operations as HTTP GET routes, which browsers will follow automatically using the victim's active session cookie - no CSRF token is required. Impact is limited to timesheet data integrity and availability (corrupted time records, unauthorized entries, billing distortion), not system compromise; no public exploit is confirmed at time of analysis, and no active exploitation has been reported by CISA KEV.

PHP CSRF
NVD GitHub
MEDIUM PATCH This Month

CSRF vulnerabilities in Kimai 2.56.0 through 2.57.0 allow an unauthenticated attacker to manipulate the authorization topology of the time-tracking application by tricking a privileged logged-in user into visiting a malicious page. The three affected GET endpoints - for projects, customers, and activities - perform persistent writes: creating or reusing a Team, assigning the victim as teamlead, and binding the target object to that team. No public exploit is currently available at time of analysis, though a PoC was submitted to the vendor and subsequently removed; the fix (moving routes to POST endpoints) shipped in version 2.58.0.

CSRF
NVD GitHub
CRITICAL POC PATCH Act Now

Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.

PHP Python Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.

CSRF Hedgedoc
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. No public exploit has been identified at time of analysis, but the attack requires no special privileges and the technique is well-understood; the vendor has classified this as a security release and strongly recommends immediate upgrade to 7.0.0.

XSS CSRF Laravel Mediable
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.

RCE CSRF Hfs
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

CSRF XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery in the Woosalam (ووسلام - همگام سازی ووکامرس و باسلام) WooCommerce-to-Basalam sync plugin for WordPress lets a remote attacker forge state-changing requests that a logged-in victim's browser executes, affecting all versions from an unspecified initial release through 1.9.1. Because the plugin fails to validate request authenticity (CWE-352), an attacker who lures an authenticated user to a malicious page can trigger high-integrity changes with no attacker authentication required (CVSS 7.1). No public exploit identified at time of analysis and the flaw is not on CISA KEV.

CSRF 8211
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-Site Request Forgery in the Drupal Ray Enterprise Translation contrib module lets a remote attacker forge state-changing requests that are executed with the privileges of an authenticated victim (typically a site administrator), potentially altering translation configuration and integrations. It affects module versions below 4.0.4, below 4.1.4, and below 11.0.4, and carries a vendor CVSS of 8.8. No public exploit has been identified at time of analysis and the EPSS score is very low (0.12%, 2nd percentile), indicating no observed exploitation activity.

CSRF Ray Enterprise Translation
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Cross-Site Request Forgery in the Drupal Salesforce Suite contrib module (all versions from 0.0.0 up to and including 5.1.3) lets an attacker forge state-changing requests that are executed with the privileges of an authenticated Drupal user who is tricked into loading attacker-controlled content. The Drupal security team (SA-CONTRIB-2026-063) rates it critical, and a fixed release is available; no public exploit code has been identified and EPSS is very low (0.10%, 1st percentile), indicating no observed exploitation activity. Note that the published CVSS vector (UI:N) is atypical for CSRF, which normally depends on victim interaction, so the real-world impact profile should be verified against the vendor advisory.

CSRF Salesforce Suite
NVD
EPSS 0% CVSS 7.0
HIGH This Week

Cross-site request forgery in ST Engineering iDirect satellite terminals (Evolution iQ-series, including the iQ200, plus 3315-series and 9-series) lets a remote attacker force an authenticated administrator's browser to submit a POST to the /api/reboot endpoint, rebooting the modem and dropping the satellite link. Because the session cookie lacks a SameSite attribute and no CSRF token is validated, simply luring a logged-in admin to a malicious page triggers the reboot; repeated abuse sustains a denial-of-service against connectivity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CSRF Evolution Iq Series Terminals 3315 Series +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. The practical outcome is complete disabling of the site's Google Meet integration with no data disclosure; no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF Google +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.

WordPress CSRF RCE +2
NVD
EPSS 0% CVSS 8.7
HIGH This Week

Cross-site request forgery in Cotonti Siena (versions 0.9.26 and earlier) lets remote attackers alter administrator configuration by luring an authenticated admin into loading an attacker-controlled page that auto-submits a forged POST to the admin.php config update handler, which never calls the CMS's own CSRF validation routine. The highest-value abuse sets the PFS module option pfsfilecheck to 0, disabling the file-extension whitelist so any account with PFS (Personal File Storage) access can upload and execute arbitrary PHP, turning a CSRF into server-side code execution. There is no public exploit identified at time of analysis and it is not on CISA KEV, though a referenced public gist may contain proof-of-concept details; EPSS was not provided.

CSRF PHP
NVD GitHub
CRITICAL POC PATCH Act Now

PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. Publicly available exploit code exists demonstrating the object-injection primitive, but no full end-to-end RCE chain is published and this is not confirmed actively exploited (not in CISA KEV).

Deserialization Path Traversal CSRF +3
NVD GitHub
CVSS 5.5
MEDIUM POC PATCH This Month

Stored XSS in YesWiki's Bazar form module allows a privileged form editor to inject persistent script payloads into field label and hint fields, which execute in the browser context of every subsequent visitor - including unauthenticated guests - who renders an affected form. The vulnerability is a sibling class of an incomplete fix at commit e6b66aa: that commit removed the dangerous |raw('html') filter from two Twig template call sites but left eleven additional sites in range.twig, email.twig, layouts/input.twig, layouts/field.twig, textarea.twig, user.twig, bookmarklet.twig, subscribe.twig, and linked-entry.twig still suppressing Twig's HTML auto-escaping. No active exploitation is confirmed in CISA KEV, but a detailed proof-of-concept with exact payloads, rendered HTML output, and affected line numbers is included in GitHub Security Advisory GHSA-xc7j-3g8q-9vh4, and patch commit 5d1a4d07 is publicly available.

XSS CSRF PHP
NVD GitHub
CVSS 8.3
HIGH POC PATCH This Week

Server-side request forgery in YesWiki's Bazar ActivityPub module (through v4.6.5) lets an unauthenticated remote attacker coerce the server into fetching arbitrary attacker-chosen URLs. The public inbox route parses the HTTP Signature header and issues a server-side GET to the attacker-supplied keyId URL before any signature or URL validation, enabling internal port scanning, service enumeration, and cloud IAM metadata theft (169.254.169.254). Publicly available exploit code exists (a detailed PoC with a working request), and verbose 500 exception/stack-trace responses act as a data oracle; there is no CISA KEV listing.

CSRF SSRF PHP
NVD GitHub
CVSS 8.2
HIGH POC PATCH This Week

Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.

CSRF Jwt Attack SSRF +4
NVD GitHub
CVSS 9.1
CRITICAL POC PATCH Act Now

{{erasespamedcomments}} action, which processes a POST-supplied suppr[] array with no authorization, ownership, or CSRF check. On a default install where default_write_acl='*', an unauthenticated attacker first creates a page containing the action, then submits a cleanup request naming target page tags. A vendor patch commit exists; there is no public exploit identified at time of analysis beyond the fully working PoC included in the advisory.

Privilege Escalation CSRF PHP
NVD GitHub
CVSS 5.2
MEDIUM POC This Month

Cross-site request forgery in Admidio's plugin management endpoint (`modules/plugins.php`) enables a remote attacker to trigger destructive plugin operations - including irreversible DROP TABLE SQL execution - against any authenticated administrator who visits an attacker-controlled web page. The endpoint processes install, uninstall, and update operations via unauthenticated GET requests lacking CSRF token validation, and SameSite=Lax cookie behavior causes browsers to automatically include session credentials on top-level GET navigations from cross-origin pages. A working Playwright-based proof-of-concept is publicly available demonstrating the full attack chain; no confirmed active exploitation (CISA KEV) is present at time of analysis.

CSRF PHP
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.

WordPress CSRF Divi Torque Lite Divi Modules For The Divi Builder Theme
NVD
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Cross-Site Request Forgery in HP IP phones' web management interface allows an attacker who has obtained a stolen session cookie to submit unauthorized state-changing requests that modify the phone's webpage contents, with integrity and availability rated high (VI:H/VA:H) in the vendor-supplied CVSS 4.0 vector. The CVSS 4.0 score of 6.0 reflects the attack conditions prerequisite (AT:P) of prior cookie theft, low-level privilege requirement (PR:L), and passive user interaction (UI:P), meaningfully limiting opportunistic exploitation. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

CSRF
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-side request forgery in Monsta FTP before 2.14.5 lets an unauthenticated remote attacker coerce the server into making HTTP requests to internal-only services and exfiltrate the responses. The flaw lives in the fetchRemoteFile action, where the isBlockedIP() SSRF filter fails to recognize IPv4-mapped IPv6 addresses, so blocklisted internal ranges can be reached anyway; a CSRF token is trivially obtainable from the public getSystemVars endpoint. Impact is notable because the primary abuse case is stealing cloud instance metadata credentials, though no public exploit is identified at time of analysis.

CSRF SSRF
NVD VulDB
CVSS 6.5
MEDIUM POC PATCH This Month

Cross-Site Request Forgery in Waku's RSC request dispatcher allows a remote attacker to invoke any state-mutating 'use server' server action with a victim's session cookies by exploiting the complete absence of Origin header validation in the core request handler at packages/waku/src/lib/utils/request.ts. Both the RSC path prefix branch (exploitable via Content-Type: text/plain, no preflight) and the progressive-enhancement HTML form branch (exploitable via multipart/form-data) are unguarded, with opaque-origin contexts such as sandboxed iframes and browser extension pages additionally exploitable via Origin: null. The reporter confirmed a working proof-of-concept against waku 1.0.0-beta.0 with dynamic verification on 2026-05-17; all HTTP adapters share the same vulnerable dispatcher and no patched version has been identified at time of analysis.

CSRF
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site request forgery in Flask-MonitoringDashboard up to version 5.0.2 allows a remote unauthenticated attacker to trick an authenticated dashboard user into submitting malicious state-changing requests by luring them to a crafted page. The vulnerability (CWE-352) is limited in scope to the monitoring dashboard itself with a low integrity impact and no confidentiality or availability consequence, reflected in the CVSS 4.0 score of 2.1. Exploit details have been publicly disclosed via VulDB submissions and a GitHub issue report, but no patch has been released and the project maintainer has not yet responded to the responsible disclosure.

CSRF Python
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

Cross-Site Request Forgery in Smash Balloon Social Photo Feed - Easy Social Feeds Plugin for WordPress (all versions through 6.11.1) enables unauthenticated remote attackers to overwrite the site's Instagram and Facebook oEmbed access tokens by forging a request that a logged-in administrator unwittingly executes. The root cause is missing or incorrect nonce validation on the `maybe_connection_data` function, WordPress's primary CSRF defense mechanism. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, a patch changeset is confirmed in the WordPress plugin repository.

WordPress CSRF Smash Balloon Social Photo Feed Easy Social Feeds Plugin
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Wp Js Detect WordPress plugin (all versions ≤ 1.0.9) permits unauthenticated attackers to overwrite the plugin's frontend notification text and CSS settings by exploiting absent nonce validation in the plugin_settings function. Because the stored values are echoed unescaped to the WordPress frontend, a successful forged request can inject arbitrary HTML or script content visible to site visitors who have JavaScript disabled. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; EPSS data was not supplied.

WordPress CSRF Wp Js Detect
NVD VulDB
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Remote code execution in the Oraios Serena MCP coding toolkit (prior to v1.5.2) lets a malicious webpage hijack a developer's local coding agent via DNS rebinding. Serena's built-in web dashboard runs an unauthenticated Flask API on a fixed, predictable port with no auth, no CSRF protection, and no Host-header validation, so any site the victim visits while Serena is running can write attacker-controlled content into the agent's persistent memory store; because the agent autonomously reads that memory and can invoke execute_shell_command with shell=True, this chains to code execution on the developer's machine. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.

Authentication Bypass CSRF Python +2
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site request forgery in new-api's OAuth account binding endpoints allows an unauthenticated network attacker to silently rebind a logged-in user's email or WeChat identity to attacker-controlled credentials by luring the victim to a malicious page. Affected are all deployments running versions prior to v0.12.0-alpha.1 where the GET-based bind endpoints are reachable. No public exploit has been identified at time of analysis, and the default SameSite=Strict cookie configuration substantially limits real-world exploitability to environments that have weakened or overridden that default.

CSRF
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site request forgery in SEIKO EPSON Web Config allows a remote, unauthenticated attacker to trigger unintended configuration changes on Epson network devices by luring an authenticated administrator into visiting a malicious web page. The vulnerability (CWE-352) requires no privileges on the attacker's side but depends on an active, authenticated Web Config session on the victim's browser. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

CSRF
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

{uuid} endpoint performing a state-changing password reset when merely visited. In versions prior to 4.0.0-beta.471, an attacker who knows a victim's invitation UUID and lures them to a crafted link can silently reset the victim's account password to a predictable value and seize the account. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix is confirmed in release v4.0.0-beta.471.

CSRF Coolify
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a victim into an attacker-controlled account. The root cause is a stubbed verifyState() method that unconditionally returns true, so the OIDC state parameter is never validated, letting a crafted callback URL carrying an attacker-supplied authorization code complete login as the attacker. No public exploit identified at time of analysis, but a vendor patch and a public technical advisory (VulnCheck) exist; CVSS 4.0 is rated 8.6 (High).

CSRF Leantime
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site request forgery in imhamzaazam ecommerceFlask allows a remote, unauthenticated attacker to induce authenticated victims into executing unauthorized state-changing actions against the application. The vulnerability exists in an unspecified function of the Flask-based e-commerce application up to commit cb7d9e24c30a99379651b7493b32048126ef402b, with no patch released and the project maintainer not yet responding. A publicly available proof-of-concept exploit has been disclosed via a GitHub issue, and the application's rolling release model means no fixed version can be identified.

CSRF Ecommerceflask
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the CrawlWP SEO WordPress plugin (versions through 3.0.16) allows an unauthenticated attacker to perform unauthorized state-changing actions on behalf of an authenticated site administrator. Exploitation requires social engineering - a logged-in admin must be tricked into visiting a malicious page that silently submits a forged request. The integrity impact is low, limited to unauthorized configuration changes within the plugin's functionality. No public exploit code or active exploitation has been identified at time of analysis, consistent with the vulnerability's low CVSS base score of 4.3.

CSRF Crawlwp Seo
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Login cross-site request forgery in Plack::Middleware::OAuth through 0.10 (Perl/PSGI OAuth login middleware) lets an unauthenticated remote attacker bind their own provider identity to a victim's session because the OAuth 2.0 flow omits the anti-CSRF state parameter and never verifies that a callback belongs to the session that initiated the flow. With victim interaction (clicking an attacker-supplied callback URL), the attacker's provider account and access token become associated with the victim's session, and where the app persists this as an account link the attacker retains ongoing access to the victim's account. There is no public exploit identified at time of analysis; EPSS is low (0.13%) and it is not in CISA KEV, but an upstream fix exists in PR #13.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Login CSRF via a missing OAuth 2.0 state parameter in Dancer2::Plugin::Auth::OAuth::Provider (all versions before 0.23) allows a remote, unauthenticated attacker to associate their own OAuth provider identity and access token with a victim's application session, potentially achieving persistent account takeover. The plugin's authentication_url method never generates a state value, and the callback handler never validates one, leaving the entire authorization flow unbound to the session that initiated it. No public exploit code or active exploitation (CISA KEV) has been identified, but the attack concept is well-understood and described in RFC 6749 §10.12 as a known threat to any OAuth 2.0 implementation omitting state binding.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Cross-site request forgery in webpack-dev-server 5.2.5 and earlier allows any website visited by a developer to silently invoke two unauthenticated state-changing endpoints - `/webpack-dev-server/open-editor` and `/webpack-dev-server/invalidate` - via simple browser-initiated GET requests that carry no CSRF protection. An attacker controlling a web page visited during an active dev session can open arbitrary local files in the developer's editor (including files outside the project root) and trigger repeated forced recompilations that degrade workstation performance. No public exploit has been identified at time of analysis, and exploitation is confined to developer workstations rather than production infrastructure.

CSRF Webpack Dev Server Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the 'real_val__' form-submission parameter, which later executes in the browser of any user who views the affected page. The flaw is amplified by a design weakness: the submission handler is registered through wp_ajax_nopriv_submit_nex_form with no nonce/CSRF verification, so no authentication or valid session is required to reach the vulnerable sink. There is no public exploit identified at time of analysis and no CISA KEV listing, but the unauthenticated, network-reachable nature makes it a practical mass-exploitation candidate against exposed WordPress sites.

WordPress XSS CSRF +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in the WPIDE - File Manager & Code Editor WordPress plugin (versions <= 3.5.6) allows a remote attacker to forge privileged requests that a logged-in administrator's browser executes without consent. Because WPIDE exposes filesystem read/write and code-editing functionality, a successful CSRF can lead to arbitrary file modification and effectively remote code execution on the WordPress host. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.

CSRF Wpide File Manager Code Editor
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting via cross-site request forgery affects the SEOWP WordPress theme by BlueAstralThemes in all versions up to and including 3.12.2, allowing a remote unauthenticated attacker who tricks a logged-in administrator into loading a malicious page to forge a state-changing request that injects persistent script into the site. The CVSS 3.1 score of 7.1 reflects a scope change (attacker-controlled JavaScript executes in the victim's browser session) with limited confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation hinges on successful social engineering of an authenticated victim (UI:R).

CSRF Seowp
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-site request forgery in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (versions 5.9.9.7 and earlier) allows a remote unauthenticated attacker to force a logged-in victim into performing unintended state-changing actions, chaining to full account takeover. Because a successful CSRF against an administrator can hijack a privileged account, impact is rated high across confidentiality, integrity, and availability (CVSS 8.8). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CSRF Profilegrid
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting via cross-site request forgery affects the Permalink Manager for WooCommerce WordPress plugin in all versions up to and including 1.0.8.2. Because the plugin fails to validate request authenticity (CWE-352), an unauthenticated attacker who lures a logged-in administrator into loading a malicious page can forge a state-changing request that persists attacker-controlled script into the site, which later executes in the admin context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 3.1 base score is 7.1 with a scope change reflecting the CSRF-to-stored-XSS impact.

WordPress CSRF Permalink Manager For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery in the pCloud WP Backup WordPress plugin (versions 2.0.2 and earlier) allows a remote unauthenticated attacker to trick a logged-in administrator into submitting forged requests, leading to high-confidentiality impact and limited integrity impact on the WordPress site. The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R), reflecting network exploitation with no attacker privileges but required victim interaction. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

CSRF Pcloud Wp Backup
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Cross-Site Request Forgery in the Heateor Social Login WordPress plugin (versions up to and including 1.1.39) lets an unauthenticated remote attacker forge state-changing requests that are executed with a logged-in victim's privileges once the victim is lured into interacting with a malicious page. The CVSS 3.1 score is 8.1 with High confidentiality and integrity impact, reflecting potential account or configuration manipulation, though exploitation is gated on user interaction (UI:R). There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

CSRF Heateor Social Login
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated CSRF in Booked WordPress plugin (versions <= 3.0.0) enables remote attackers to trigger availability-impacting actions against authenticated WordPress users without their consent. The CVSS vector (C:N/I:N/A:H) indicates this CSRF leads to a destructive availability outcome - likely deletion or corruption of booking/scheduling data - rather than data theft or code execution. No public exploit or active exploitation has been identified at time of analysis, though the low attack complexity and no required privileges for staging the attack make social-engineering delivery straightforward.

CSRF Booked
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthenticated attackers to perform unauthorized state-changing actions on behalf of authenticated WordPress users. The flaw stems from missing or inadequate CSRF token validation on one or more theme action endpoints, meaning a crafted web page or link can silently trigger privileged operations when visited by a logged-in user. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

CSRF Werkstatt
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary file disclosure in Horde IMP webmail before 7.0.1 lets an authenticated user read any file the web server can access by planting directory-traversal sequences after a CKEditor path prefix inside an image src URL when composing mail. A weak stripos() prefix check fails to block traversal appended after the allowed prefix, so file_get_contents() pulls in files like /etc/passwd or configuration secrets and attaches them as MIME parts on the outgoing message. No public exploit identified at time of analysis, but VulnCheck published an advisory and the flaw is CSRF-triggerable against a live session, raising practical exposure for internet-facing Horde deployments.

CSRF Path Traversal PHP +1
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

Arbitrary file deletion in the VikBooking Hotel Booking Engine & PMS WordPress plugin (versions up to and including 1.8.12) is reachable via a cross-site request forgery flaw that lets an attacker abuse a path-traversal-capable file operation. By tricking a logged-in administrator into visiting a malicious page, a remote unauthenticated attacker can forge a request that deletes arbitrary files on the WordPress host, potentially disabling the site. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.

CSRF Path Traversal Vikbooking Hotel Booking Engine Pms
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation via Cross-Site Request Forgery in the RegistrationMagic WordPress plugin (all versions through 6.0.9.1) lets a remote attacker promote an arbitrary form submitter to administrator by forging a request to the process_request function, which lacks proper nonce validation. The attack plants a malicious Chronos automation task that later runs through WordPress cron, and it succeeds when a logged-in administrator is tricked into clicking an attacker-supplied link. No public exploit identified at time of analysis, and it is not listed in CISA KEV; risk is driven by the plugin's install base and the low technical bar of CSRF.

WordPress CSRF Registrationmagic Custom Registration Forms User Registration Payment And User Login
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) allows unauthenticated remote attackers to disable donation email notifications by tricking a logged-in administrator into clicking a crafted link. The root cause is absent nonce validation in the give_set_notification_status_handler() AJAX handler, permitting forged state-changing requests. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; however, the integrity impact - silently disabling donation notifications - could cause operational blind spots for nonprofit or fundraising site operators.

WordPress CSRF Givewp Donation Plugin And Fundraising Platform
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Cross-site request forgery in the Wikimedia Foundation's MediaWiki RedirectManager Extension (all versions before 1.3.3) enables remote attackers to perform unauthorized redirect management actions on behalf of authenticated wiki users. The CVSS 4.0 base score of 6.9 (Medium) reflects network-accessible exploitation with low impact across confidentiality, integrity, and availability dimensions on both vulnerable and subsequent systems. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

CSRF Mediawiki Redirectmanager Extension
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's SVG implementation prior to version 150.0.7871.47 allows a remote attacker to read data from cross-origin resources by luring a victim to a crafted HTML page. The flaw exploits improper SVG handling that bypasses same-origin policy protections, exposing potentially sensitive session data or authenticated content from third-party origins. No active exploitation has been confirmed (not listed in CISA KEV), and EPSS stands at 0.17% (7th percentile), indicating low observed exploitation probability at time of analysis.

CSRF Google Suse
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Cross-origin data leakage in Google Chrome's DevTools component (versions prior to 150.0.7871.47) permits a remote attacker to exfiltrate data across origin boundaries by tricking a user into performing specific UI gestures on a crafted HTML page. The CVSS base score of 3.1 (Low) reflects high attack complexity and mandatory user interaction, consistent with the EPSS score of 0.21% (11th percentile) indicating negligible in-the-wild exploitation activity. No public exploit code is identified and no CISA KEV listing exists; a vendor patch is available in Chrome 150.0.7871.47.

CSRF Google
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's PerformanceAPI implementation (versions prior to 150.0.7871.47) allows a remote unauthenticated attacker to infer sensitive data from other browser origins by luring a victim to visit a crafted HTML page. The flaw exploits timing measurements exposed by the Performance API to create a side-channel that bypasses the Same-Origin Policy for limited data reads. No public exploit code or active exploitation (CISA KEV) has been identified; EPSS probability stands at 0.21% (11th percentile), consistent with SSVC's 'exploitation: none' assessment.

CSRF Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on iOS (prior to 150.0.7871.47) stems from an inappropriate implementation in the ScriptInjections subsystem, exploitable by a remote attacker who can lure a victim to a crafted HTML page. The flaw allows the attacker's origin to read data belonging to a different, protected origin - a fundamental violation of the Same-Origin Policy on Apple's iOS platform. No public exploit code has been identified at time of analysis, EPSS places exploitation probability at 0.22% (13th percentile), and SSVC signals no observed active exploitation, making this a medium-priority patch item despite its cross-origin impact.

CSRF Apple Google +1
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Cross-origin data leakage in Google Chrome's DataTransfer implementation on macOS exposes sensitive content from one origin to an attacker-controlled page by exploiting improper boundary enforcement during user-driven UI gestures such as drag-and-drop. Versions prior to 150.0.7871.47 on Mac are affected; the flaw is platform-specific to macOS, limiting scope. No public exploit has been identified and SSVC assessment confirms no current exploitation, though successful abuse would silently exfiltrate cross-origin data without triggering typical security warnings.

CSRF Google
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Account takeover-style destruction in Capgo before 12.128.2 lets remote attackers delete arbitrary user accounts because the deletion endpoint enforces no password re-authentication or secondary verification (CWE-306, Missing Authentication for a Critical Function). Reported by VulnCheck, the flaw is exploitable through CSRF, session hijacking, or parameter tampering, causing irreversible account removal, data loss, and denial-of-service. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass CSRF Capgo
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

CSRF flaws in KTM System e-BOK's email-change and password-change endpoints allow any remote, unauthenticated attacker to trigger account credential changes on behalf of an authenticated victim by luring them to a malicious web page. Reported by CERT-PL, the vulnerabilities affect all e-BOK versions prior to the June 2026 patch and carry a CVSS 4.0 score of 5.1 (Medium). No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is trivially constructable given the well-understood CSRF class and the public CERT-PL advisory.

CSRF E Bok
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in Plugin for Google Analytics by IO Technologies (WordPress) versions up to and including 1.1 allows unauthenticated remote attackers to overwrite the site's Google Analytics tracking ID by tricking a logged-in administrator into clicking a crafted link. The flaw stems from absent nonce validation on the ga.php settings handler, meaning forged POST requests bypass WordPress's standard CSRF protections entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 4.3 reflects the required administrator interaction and limited integrity-only impact.

WordPress CSRF PHP +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.

Apple Ios And Ipados CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

WordPress CSRF F4 Post Tree
NVD WPScan VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site request forgery in CodeAstro Human Resource Management System 1.0 enables remote attackers to perform unauthorized state-changing actions - specifically department deletion - by tricking an authenticated user into visiting a crafted malicious page. The exploit targets the department deletion endpoint and publicly available proof-of-concept code has been published on GitHub, lowering the bar for exploitation. No active exploitation has been confirmed by CISA KEV, but the combination of a public PoC, network-accessible attack vector, and no required attacker privileges makes this an accessible target for opportunistic attackers against organizations running this software.

CSRF Human Resource Management System
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site request forgery in Squidex CMS v7.21.0 and earlier allows a remote attacker to escalate privileges by targeting the IdentityServer account profile endpoint without requiring any authentication of their own. A proof-of-concept exploit is publicly documented, including a video walkthrough, and SSVC analysis classifies the attack as automatable with partial technical impact. No active exploitation has been confirmed by CISA KEV at time of analysis.

CSRF N A
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the `hdq_validate_nonce` function (`includes/functions.php:39`), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in `includes/actions-ajax.php`. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though Wordfence has published a detailed advisory with source code references for both affected versions.

WordPress CSRF Hd Quiz
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id carrying the POST parameter user[admin], coercing a logged-in privileged user's browser into granting administrator rights to an arbitrary account. The flaw (CWE-352) rates CVSS 8.8 because a successful forgery yields full administrative control over the instance; no public exploit is identified at time of analysis and it is not listed in CISA KEV. Both the 17.3.x and 17.4.x maintenance lines are affected, with fixes shipped in 17.3.3 and 17.4.1.

CSRF Openproject
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in the WordPress plugin 'Paid Memberships Pro - Add Member From Admin' (versions 0.7.2 and earlier) lets a remote attacker forge privileged member-management actions by tricking a logged-in administrator into loading a malicious page. Because the plugin's member-add functionality lacks valid CSRF nonce protection (CWE-352), an attacker can abuse the admin's authenticated session to create or modify membership records, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not supplied.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Gmail SMTP WordPress plugin (versions up to and including 1.2.3.19) enables a remote unauthenticated attacker to trigger unauthorized state-changing actions on behalf of a logged-in WordPress administrator. The attacker does not need any credentials - only the administrator's authenticated browser session, obtained by luring them to a malicious page. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and zero-privilege requirement make it straightforward to exploit once a target is identified.

CSRF
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Cross-Site Request Forgery in the Child Theme Wizard WordPress plugin (versions 1.4 and earlier) lets a remote, unauthenticated attacker trick a logged-in administrator into submitting forged state-changing requests, allowing unauthorized actions on the WordPress site without the victim's consent. The CVSS 3.1 score is 8.2 with a scope-change (S:C) and high integrity impact, reflecting that the forged action can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, the flaw is not listed in CISA KEV, and no EPSS score was supplied.

CSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-Site Request Forgery in the Real Estate 7 WordPress theme (versions <= 3.5.9) enables unauthenticated remote attackers to forge destructive HTTP requests on behalf of authenticated users, with the CVSS vector indicating high availability impact - consistent with forced deletion of property listings or site content rather than data exposure or modification. Exploitation requires luring an authenticated WordPress session holder to a malicious page, making it a social-engineering-dependent attack. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions 6.8.0 and below) enables unauthenticated remote attackers to perform unauthorized state-changing actions by luring an authenticated site user into visiting a malicious page. The CVSS score of 4.3 (Medium) reflects a limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-Site Request Forgery in FunnelKit Payment Gateway for Stripe WooCommerce plugin (versions up to and including 1.14.0.3) allows a remote unauthenticated attacker to perform unauthorized state-changing actions by tricking an authenticated WordPress user into interacting with a crafted request. The absence of proper CSRF token validation (CWE-352) means any action protected only by session authentication can be forged. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

WordPress CSRF
NVD
Page 1 of 94 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy