Skip to main content

CSRF

8444 CVEs technique

Monthly

CVE-2026-42286 HIGH PATCH This Week

Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11.

CSRF
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-42190 npm MEDIUM PATCH This Month

Same-site Cross-Site Request Forgery (CSRF) in RedwoodSDK server actions allows attackers controlling same-site origins to invoke arbitrary server actions with victim session cookies in versions 1.0.0-beta.50 through 1.2.2. The vulnerability stems from missing origin validation despite HTTP method enforcement, enabling attackers to trigger state-changing operations through subdomain takeover, sibling-application XSS, or local development vectors. Vendor-released patch version 1.2.3 enforces Origin/Host matching validation. CVSS 5.3 reflects high integrity impact (UI:R) but constrained attack complexity (AC:H) and no information disclosure.

CSRF Sdk
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42879 PHP MEDIUM GHSA This Month

Remote code execution in FacturaScripts through authenticated file upload allows attackers with valid credentials to bypass MIME type validation by prepending GIF89a magic bytes to PHP files, resulting in executable files stored in a web-accessible directory. An attacker can upload a malicious PHP file disguised as a GIF image via the product image upload functionality, then directly execute arbitrary commands on the server. The vulnerability affects versions 2025.81 and earlier; publicly available proof-of-concept code exists demonstrating end-to-end exploitation.

PHP CSRF File Upload RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-5791 MEDIUM PATCH This Month

Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions with high integrity and confidentiality impact when authenticated users interact with malicious content. The CVSS 9.6 (Critical) score reflects scope change and full CIA triad compromise, though EPSS data and KEV status are unavailable. No public exploit code identified at time of analysis, but CSRF vulnerabilities are well-understood and easily weaponized once identified.

CSRF Divvydrive
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27415 MEDIUM This Month

Cross-site request forgery (CSRF) in PluginUs.Net BEAR plugin versions up to 1.1.5 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted web requests. The vulnerability requires user interaction (clicking a malicious link) but can modify application state without the user's knowledge or consent. No active exploitation has been publicly confirmed at the time of analysis.

CSRF Bear
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68604 MEDIUM This Month

Cross-site request forgery (CSRF) in WPGraphQL plugin versions up to 2.5.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress users with user interaction (typically clicking a malicious link). The vulnerability affects the GraphQL endpoint's lack of token-based request verification, enabling attackers to craft requests that WordPress site visitors are tricked into executing without their knowledge. No public exploit code or active exploitation has been confirmed.

CSRF Wpgraphql
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44364 PyPI CRITICAL PATCH GHSA Act Now

A Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of session query data in the context of the authenticated user. The issue was fixed by enabling CSRF protection for the affected blueprint and hardening query parsing. As reported by Bilal Teke.

CSRF
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-42551 PHP HIGH PATCH GHSA This Week

Flight PHP micro-framework (< 3.18.1) silently converts GET requests into DELETE or PUT operations via unvalidated X-HTTP-Method-Override headers or _method query parameters, enabling trivial CSRF attacks against destructive endpoints. Attackers can trigger resource deletion using simple HTML image tags without JavaScript or user interaction. The vulnerability bypasses middleware filters that gate only POST/DELETE verbs, and creates CDN cache poisoning scenarios where cached GET responses reflect executed DELETE operations. Patch available in version 3.18.1 introducing opt-in method override control (flight.allow_method_override setting). No active exploitation confirmed at time of analysis; publicly available exploit code exists in GitHub advisory.

PHP CSRF
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40326 HIGH PATCH This Week

Cross-Site Request Forgery in Masa CMS allows unauthenticated attackers to force logged-in administrators to create site bundles containing sensitive data including password hashes, user accounts, and configuration details. The bundles are saved to predictable public directories where any unauthenticated attacker can download them. This vulnerability affects versions 7.5.2 and earlier across multiple release branches. Fixed versions are available: 7.2.10, 7.3.15, 7.4.10, and 7.5.3. CVSS 7.1 HIGH with network attack vector requiring user interaction but no authentication.

CSRF
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-40325 HIGH PATCH This Week

Cross-site request forgery (CSRF) in Masa CMS 7.5.2 and earlier allows remote attackers to restore deleted content through administrator sessions. By tricking an authenticated administrator into clicking a malicious link, attackers can restore previously deleted items from trash and relocate them anywhere in the site structure via the parentid parameter. This enables exposure of sensitive documents by moving them to public areas, restoration of malicious content, or disruption of site integrity. Fixed versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3 are available. EPSS data not available; no confirmed active exploitation (CISA KEV) at time of analysis.

CSRF
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-40309 HIGH PATCH This Week

Cross-Site Request Forgery in Masa CMS trash management allows remote attackers to permanently delete all trashed content through a logged-in administrator. An attacker tricks an authenticated admin into visiting a malicious page that submits a forged trash-emptying request, bypassing CSRF protections and causing irreversible data loss across all pending-deletion content. The vulnerability affects default administrative interfaces without requiring special configuration. No active exploitation confirmed at time of analysis, though the attack technique is well-documented for CSRF vulnerabilities. EPSS data not available.

CSRF
NVD GitHub
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-40174 HIGH PATCH This Week

Cross-site request forgery (CSRF) in Masa CMS 7.5.2 and earlier allows remote attackers to manipulate user address records through forged requests when authenticated administrators interact with malicious content. The cUsers.updateAddress function lacks proper anti-CSRF token validation, enabling unauthorized addition, modification, or deletion of email addresses, phone numbers, and other contact data. Patches available in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation; no public exploit identified at time of analysis.

CSRF
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44011 PHP HIGH POC PATCH GHSA This Week

Remote code execution in Craft CMS allows any authenticated user to execute arbitrary system commands via malicious Yii object configuration. This vulnerability exploits uncleansed field layout data in the condition handling path, bypassing previous CVE-2024-4990 mitigations. Attackers can inject behaviors through POST requests to admin endpoints like /admin/actions/element-search/search, triggering command execution via AttributeTypecastBehavior abuse. Publicly available exploit code exists in the GitHub advisory (GHSA-qrgm-p9w5-rrfw) with detailed proof-of-concept. Affects Craft CMS 4.0.0-RC1 through 4.16.16 and 5.0.0-RC1 through 5.8.20. Vendor-released patches: 4.16.17 and 5.8.21.

Mozilla CSRF
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-31957 LOW Monitor

HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated users with sufficient privileges to perform unauthorized actions or access sensitive data through malicious web requests. The vulnerability requires user interaction (such as clicking a malicious link) and affects confidentiality but not integrity or availability, resulting in a CVSS score of 2.6. No active exploitation has been publicly reported.

Information Disclosure CSRF Bigfix Service Management Sm
NVD
CVSS 3.1
2.6
EPSS
0.0%
CVE-2026-43883 PHP MEDIUM PATCH GHSA This Month

Insecure Direct Object Reference (IDOR) in AVideo's PayPalYPT plugin allows any authenticated user to cancel arbitrary PayPal billing agreements belonging to other users by supplying a victim's agreement ID to the `agreementCancel.json.php` endpoint. An attacker can silently suspend a victim's recurring subscription without authorization, causing revenue loss to the platform operator and service interruption to the victim. The vulnerability exists because the endpoint only checks that the user is logged in, but fails to verify ownership of the agreement being canceled, despite a sister endpoint (`PayPalAgreementCancel.json.php`) implementing the correct authorization check.

Authentication Bypass PHP CSRF
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-43882 PHP MEDIUM PATCH GHSA This Month

Unauthenticated CRLF injection in AVideo's Scheduler plugin allows remote attackers to inject arbitrary calendar events into ICS files served from the victim's trusted domain, enabling high-credibility calendar phishing attacks. The vulnerable endpoint accepts attacker-controlled parameters without sanitization, passes them through an incomplete escape function that does not neutralize carriage-return/line-feed bytes, and constructs RFC 5545-compliant ICS calendar files containing injected VEVENT blocks. Exploitation requires only that the Scheduler plugin be enabled (common default) and user interaction to import the malicious .ics file; no authentication or special configuration is needed. A vendor-released patch is available.

Microsoft PHP CSRF Mozilla Apple +1
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-43881 PHP MEDIUM PATCH GHSA This Month

Unauthenticated user enumeration in AVideo objects/users.json.php allows remote attackers to disclose all registered user accounts via an isCompany parameter that bypasses admin-only access controls, and a users_id parameter that acts as a sequential-ID existence oracle. An unauthenticated attacker can harvest the complete user directory-including display names, numeric IDs, profile URLs, photos, and active/inactive status-in a single unbounded GET request, enabling credential stuffing and phishing campaigns. The vulnerability affects AVideo through version 29.0; vendor patch available.

Authentication Bypass Oracle CSRF PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-43880 PHP MEDIUM PATCH GHSA This Month

Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.

PHP CSRF
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-43879 PHP MEDIUM PATCH GHSA This Month

Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.

Redis SSRF CSRF PHP
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-42611 PHP HIGH PATCH GHSA This Week

Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.

PHP CSRF XSS Mozilla RCE
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-42610 PHP MEDIUM PATCH GHSA This Month

Sensitive information disclosure in Grav CMS v1.8.0-beta.29 allows low-privileged users with page editing permissions to bypass Twig sandbox restrictions and extract administrative password hashes and security salts via the exposed `grav['accounts']` service. A content editor can inject a Twig template with `{{ grav['accounts'].load('admin').get('hashed_password') }}` to retrieve plaintext Bcrypt hashes accessible for offline brute-force attack. Vendor-released patch available (2.0.0-beta.2 and commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47); publicly available proof-of-concept exists demonstrating practical exploitation.

Authentication Bypass PHP Information Disclosure CSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42607 PHP CRITICAL POC PATCH GHSA Act Now

Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.

Microsoft PHP CSRF Python RCE +2
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-43938 NuGet HIGH PATCH GHSA This Week

Remote unauthenticated attackers can execute JavaScript in administrator sessions of YAF.NET forum software (versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4) by injecting malicious User-Agent headers via any endpoint that triggers exception logging, notably /api/Attachments/GetAttachment. The stored XSS payload fires when administrators view the Event Log admin panel, enabling full forum takeover through admin-session hijacking. A working proof-of-concept exists requiring only a single anonymous HTTP request. EPSS and KEV data not available; CVSS 8.1 (High) reflects network vector, low complexity, and no authentication requirement, though the UI:R metric indicates the admin must visit the log page for execution.

XSS CSRF
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43878 PHP MEDIUM PATCH GHSA This Month

Reflected XSS in AVideo's Meet plugin allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unescaped user and pass query parameters into a JavaScript string literal. The vulnerability is reachable without authentication on any public Meet schedule with no password (the default configuration), enabling session cookie theft and account takeover of authenticated users. CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects network delivery requiring user interaction but changed scope due to cookie exfiltration across the AVideo application origin.

XSS PHP CSRF
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-43877 PHP MEDIUM PATCH GHSA This Month

Cross-site request forgery in AVideo's userSavePhoto.php endpoint allows unauthenticated remote attackers to overwrite any logged-in user's profile photo with arbitrary bytes by luring them to a malicious webpage. The vulnerability exploits a missing CSRF token and a default cookie policy of SameSite=None on HTTPS deployments, combined with unvalidated base64 decoding that accepts any file content. Each successful attack also triggers a global cache invalidation, enabling denial-of-service via cache thrashing.

PHP CSRF RCE
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-43876 PHP MEDIUM PATCH GHSA This Month

Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.

Canonical XSS PHP CSRF
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-43875 PHP MEDIUM PATCH GHSA This Month

Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover when unauthenticated attackers capture the redirect URL from server logs, browser history, or referrer leakage, then replay the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow-no active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and patch has been released by the vendor.

PHP CSRF Google
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-43874 PHP HIGH PATCH GHSA This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python XSS RCE +2
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-40864 PyPI MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in JupyterHub 4.1.0 through 5.4.4 bypasses XSRF protection for HTTP form endpoints by misclassifying requests with Sec-Fetch-Mode: no-cors as same-origin, allowing unauthenticated attackers to trigger server spawning or, if they are JupyterHub users with share permissions, coerce victims into accepting access shares to the attacker's server. The JSON API is not affected. No active exploitation confirmed, but CVSS 5.4 reflects moderate integrity and availability impact via user interaction.

CSRF
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6702 MEDIUM This Month

Cross-Site Request Forgery in Publish 2 Ping.fm WordPress plugin up to version 1.1 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a crafted link, exploiting missing nonce validation on the admin settings page. The vulnerability requires user interaction (admin click) and affects the plugin's confidentiality and integrity but not availability. No public exploit code or active exploitation has been confirmed.

PHP CSRF WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6700 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in DX Sources plugin for WordPress up to version 2.0.1 allows unauthenticated attackers to modify plugin configuration options by tricking a logged-in administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the settings_page_build function, enabling attackers to alter plugin settings without administrative consent. No active exploitation has been confirmed at the time of analysis.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6701 MEDIUM This Month

Cross-Site Request Forgery in addfreespace WordPress plugin versions up to 0.1.3 allows unauthenticated attackers to update plugin settings and inject malicious scripts by tricking site administrators into clicking a forged link, exploiting missing nonce validation on settings update functions. The vulnerability requires user interaction (administrator click) and has low impact scope (integrity only, no confidentiality or availability loss), making it a moderate-risk CSRF attack vector in typical WordPress deployments.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42257 Ruby MEDIUM PATCH GHSA This Month

Command injection in net-imap library allows attackers to inject arbitrary IMAP commands by supplying unvalidated user input to multiple methods that send raw, unescaped strings to the IMAP server. The #search, #uid_search, #fetch, #uid_fetch, #store, #uid_store, and #setquota methods accept string arguments that bypass normal validation and encoding, enabling CRLF injection to break command context. Applications that dynamically construct search criteria, fetch attributes, or quota limits from user input are at significant risk; a developer passing unsanitized input could allow an attacker to append malicious IMAP commands such as DELETE or other state-modifying operations.

Authentication Bypass Command Injection CSRF Suse
NVD GitHub VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-42606 PHP HIGH PATCH GHSA This Week

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

Docker CSRF PHP Nginx
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42091 Go MEDIUM PATCH This Month

goshs SimpleHTTPServer versions prior to 2.0.2 allow arbitrary file write via cross-origin PUT requests due to missing CSRF token validation on the PUT handler combined with permissive wildcard CORS headers. An attacker can trick a victim into visiting a malicious website which then writes arbitrary files to a goshs instance running on localhost or an internal network, bypassing network isolation protections. Publicly available exploit code exists, and the vulnerability affects all v2.x releases before 2.0.2 and all v1.x releases (no patch available for v1.x).

CSRF Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39807 MEDIUM POC PATCH GHSA This Month

Transport-state spoofing in Bandit 1.0.0 through 1.10.x allows unauthenticated remote attackers to forge HTTPS connections over plaintext HTTP by supplying a malicious URI scheme in HTTP/1.1 absolute-form request targets or HTTP/2 :scheme pseudo-headers. The vulnerable determine_scheme/2 function returns client-supplied scheme values verbatim, causing downstream Plug middlewares to make incorrect security decisions: Plug.SSL skips HTTP→HTTPS redirects, secure cookies are transmitted unencrypted, and CSRF/SameSite protections may be bypassed. CVSS 6.3 (network-accessible, low complexity). Vendor patch available (version 1.11.0+).

CSRF Bandit
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-3140 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Ultimate Dashboard for WordPress up to version 3.8.14 allows unauthenticated attackers to toggle plugin modules on or off by tricking site administrators into clicking a malicious link. The vulnerability stems from flawed nonce validation in the 'handle_module_actions' function, enabling attackers to modify plugin configuration without user consent. No public exploit code or active exploitation has been identified at this time.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3772 HIGH This Week

Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.

CSRF PHP WordPress
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-36956 HIGH This Week

Cross-site request forgery in Dbit N300 T1 Pro wireless router V1.0.0 allows remote unauthenticated attackers to execute arbitrary administrative actions by convincing an authenticated administrator to visit a malicious webpage. The router lacks anti-CSRF tokens and Origin/Referer validation on configuration endpoints like /api/setWlan, enabling complete router compromise through social engineering. Publicly available exploit code exists (SSVC: poc status) with EPSS data not provided, indicating proof-of-concept demonstration but no confirmed active exploitation at time of analysis.

CSRF N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-36960 HIGH This Week

Cross-site request forgery in U-SPEED N300 Router V1.0.0 allows remote attackers to execute administrative actions through victim browsers when authenticated administrators visit attacker-controlled webpages. The router's web management interface lacks CSRF tokens and Origin/Referer validation, enabling attackers to craft malicious pages that trigger state-changing operations using the victim's valid session cookie. A proof-of-concept exploit exists (GitHub repository linked), though no active exploitation is confirmed in CISA KEV at time of analysis. CVSS 8.8 severity reflects high impact across confidentiality, integrity, and availability when exploitation succeeds.

CSRF N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41669 PHP HIGH PATCH GHSA This Week

SAML signature validation in Admidio's Identity Provider implementation can be completely bypassed due to discarded return values in authentication flows. The validateSignature() method returns error strings on failure but both call sites (SSO and Single Logout handlers) discard the return value, allowing unsigned or invalidly-signed SAML requests to proceed. Attackers can forge AuthnRequests to exfiltrate logged-in users' personal data (username, email, real name, role memberships) to attacker-controlled endpoints, or forge LogoutRequests to terminate victim sessions and cascade logout across federated Service Providers. The smc_require_auth_signed configuration setting provides no protection. Public exploit code exists (PoC in GitHub advisory). CVSS 8.2 reflects network-accessible attack with no authentication required, though practical exploitation of the SSO path requires victim to have an active session. No active exploitation confirmed at time of analysis.

PHP CSRF Jwt Attack Denial Of Service
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-41663 PHP LOW PATCH GHSA Monitor

## Summary Several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because `SameSite=Lax` cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. ## Details In `modules/preferences.php`, the `backup`, `test_email`, and `htaccess` modes accept GET parameters with no CSRF token check: ```php // modules/preferences.php - backup mode case 'backup': // Creates full database dump and serves as download // No CSRF token validation $backupFile = $gDb->backup(); // ... sends file to client break; case 'test_email': // Sends test email from the server // No CSRF token validation break; case 'htaccess': // Writes .htaccess file to disk // No CSRF token validation break; ``` The `save` mode in the same file validates CSRF via `getFormObject()`, confirming the developers intended CSRF protection but did not apply it to these other modes. Because these are GET requests, `SameSite=Lax` browsers include session cookies on top-level cross-origin navigations, making CSRF exploitation trivial. ## Proof of Concept Simplified attacker page (`csrf.html` hosted on attacker origin): ```html <html> <body> <h1>Loading...</h1> <!-- Trigger backup creation on victim's browser --> <script>window.location = 'https://target-admidio.example.com/adm_program/modules/preferences.php?mode=backup';</script> </body> </html> ``` When an administrator visits this page, the browser navigates to the Admidio backup URL with full session cookies. The server generates a database dump and serves it as a download to the victim's browser. Note: the backup downloads to the victim's machine, not to the attacker. The attacker cannot read the response cross-origin. For `htaccess` mode, the CSRF overwrites the `.htaccess` file on the server, disrupting the application. For `test_email` mode, it triggers email sends from the server, which an attacker can abuse for spam or to probe internal email infrastructure. ## Impact An attacker tricks an Admidio administrator into visiting a malicious page that triggers state-changing operations on the server: - **Backup creation**: forces the server to generate a full database dump. The backup downloads to the victim's browser, not to the attacker. However, repeated backup triggers can cause disk I/O and storage pressure on the server. - **htaccess modification**: overwrites the server's `.htaccess` file, breaking URL routing or disabling security headers. - **Test email**: fires email sends from the server, usable as a spam relay or to probe internal mail configuration. The core issue is that state-changing operations run via unprotected GET requests. The victim only needs to visit a single attacker-controlled page while logged in. ## Recommended Fix 1. Change `backup`, `test_email`, and `htaccess` operations to require POST requests. 2. Add CSRF token validation using the existing `getFormObject()` mechanism. 3. As defense in depth, set `SameSite=Strict` on session cookies or add a confirmation step for destructive operations like database backup. --- *Found by [aisafe.io](https://aisafe.io)*

PHP CSRF
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-41658 PHP MEDIUM PATCH GHSA This Month

Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.

Authentication Bypass PHP CSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41656 PHP MEDIUM PATCH GHSA This Month

Path traversal in Admidio's document add mode allows authenticated attackers to register arbitrary server files into document folders via unvalidated `name` parameter, enabling arbitrary file read when combined with CSRF. A low-privileged user can trick a documents administrator into clicking a malicious link to register sensitive files like `install/config.php` (containing database credentials) into a publicly accessible documents folder, then download those files using the attacker's own session. The vulnerability chains insufficient input validation (accepts `../` sequences), missing CSRF protection on the `add` action, and `SameSite=Lax` cookies that permit cross-site GET requests from administrators.

PHP CSRF Path Traversal
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-42206 PHP MEDIUM PATCH GHSA This Month

Roadiz OpenID Connect authentication fails to store and validate the nonce parameter, allowing attackers to replay valid ID tokens or inject tokens from compromised identity providers to impersonate users. The package generates a nonce during authorization request initiation but never validates the returned nonce claim in the ID token, violating OIDC Core 1.0 specification requirements. Publicly available proof-of-concept demonstrates token replay within the token's validity window, affecting all Roadiz applications using the roadiz/openid package versions before 2.7.18, 2.6.31, 2.5.45, or 2.3.43.

PHP CSRF
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-41255 PyPI MEDIUM PATCH GHSA This Month

CKAN versions 2.10.0 through 2.10.9 and 2.11.0 through 2.11.4 allow unauthenticated requests to permanently disable CSRF protection on endpoints for the lifetime of the server process by triggering a state mutation in the flask-wtf CSRFProtect middleware. Combined with cross-site scripting, an attacker can exploit this to perform authenticated actions using other users' credentials. The vulnerability affects network-accessible CKAN instances with default configurations and has CVSS 6.1 with user interaction required.

XSS CSRF Python
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2018-25310 MEDIUM POC This Month

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF RCE Videoflow Digital Video Protection
NVD Exploit-DB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2018-25298 MEDIUM POC This Month

Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Authentication Bypass Merge Pacs
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42645 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Cross Site Request Forgery.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.11.0.

CSRF Barcode Scanner With Inventory Order Manager
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-38934 HIGH This Week

Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php

PHP CSRF
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7108 LOW Monitor

Cross-site request forgery (CSRF) in code-projects Invoice System 1.0 for Laravel allows remote attackers to perform unauthorized actions via crafted requests. The vulnerability requires user interaction (clicking a malicious link) but affects the system's integrity through unvalidated state-changing operations. Exploit code is publicly available, and the CVSS 5.3 score reflects moderate severity with limited integrity impact but no confidentiality or availability harm.

CSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-41425 PyPI MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in Authlib's Starlette OAuth client cache feature (versions prior to 1.6.11) allows unauthenticated remote attackers to forge requests that manipulate cached OAuth state, potentially leading to session hijacking or token theft. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity. Vendor-released patch: version 1.6.11.

CSRF Python Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3565 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Taqnix WordPress plugin versions up to 1.0.3 allows unauthenticated attackers to trick logged-in users into deleting their own accounts via a forged request. The vulnerability stems from a commented-out nonce verification check in the taqnix_delete_my_account() function, making account deletion unprotected against CSRF attacks. No public exploit code or active exploitation has been identified, though the attack requires user interaction (clicking a malicious link or visiting a compromised page).

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41317 MEDIUM PATCH This Month

Frappe Press `create_api_secret` endpoint accepts GET requests despite performing database writes, enabling Cross-Site Request Forgery (CSRF)-like attacks where unauthenticated remote attackers can create API secrets by tricking authenticated users into visiting a malicious URL. No public exploit code or active exploitation has been confirmed at the time of analysis.

CSRF Press
NVD GitHub
CVSS 4.0
6.6
EPSS
0.0%
CVE-2026-27841 HIGH CISA Act Now

Cross-Site Request Forgery in SenseLive X3050's web management interface enables authenticated attackers to force victims into executing unauthorized configuration changes and potentially disruptive operations. A remote attacker with low privileges can craft malicious web pages that, when visited by an authenticated administrator, trigger state-changing requests without the victim's knowledge, leading to high integrity and availability impact on the device. CISA ICS-CERT has issued an advisory (ICSA-26-111-12) for this industrial control system component, indicating coordination with the vendor and awareness within the critical infrastructure community.

CSRF X3050
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-41347 npm LOW PATCH Monitor

OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints.

CSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-40471 CRITICAL Act Now

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

CSRF
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-4922 HIGH POC PATCH This Week

Cross-Site Request Forgery (CSRF) in GitLab CE/EE allows remote unauthenticated attackers to execute GraphQL mutations as authenticated victims through crafted web pages. Affects all versions from 17.0 through 18.11.0, with publicly available exploit code (HackerOne report 3627285). Despite high CVSS 8.1, exploitation requires user interaction (phishing/social engineering) and is not automatable per CISA SSVC framework. No evidence of active exploitation in CISA KEV at time of analysis. Vendor patches released: 18.9.6, 18.10.4, and 18.11.1.

CSRF Gitlab
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-58922 MEDIUM PATCH This Month

Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada theme allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through malicious web pages, affecting versions before 7.13.2. The vulnerability requires user interaction (clicking a malicious link or visiting a crafted page) but carries low overall risk due to SSVC assessment indicating none-automatable exploitation with partial technical impact. No active exploitation has been confirmed in CISA KEV at time of analysis.

CSRF Avada
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4138 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in the DX Unanswered Comments WordPress plugin versions up to 1.7 allows unauthenticated attackers to modify critical plugin settings (authors list and comment count) by tricking a site administrator into clicking a malicious link, due to missing nonce validation in the settings form handler. The CVSS 4.3 score reflects low severity with integrity impact limited to plugin configuration rather than data or code execution, but successful exploitation could alter site functionality if an attacker controls which comments are flagged as unanswered.

PHP CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6294 MEDIUM This Month

Cross-Site Request Forgery in Google PageRank Display plugin for WordPress (versions up to 1.4) allows unauthenticated attackers to trick logged-in administrators into changing plugin settings via a crafted request, due to missing nonce validation in the settings form handler. The vulnerability has a CVSS score of 4.3 (network-based, low complexity, requires user interaction) and enables modification of plugin configuration such as display style without administrator knowledge.

CSRF WordPress Google
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4121 MEDIUM This Month

The Kcaptcha WordPress plugin versions up to 1.0.1 fails to validate nonces on the settings page, allowing unauthenticated attackers to modify CAPTCHA configuration (enable/disable on login, registration, lost password, and comment forms) via cross-site request forgery if a site administrator can be tricked into clicking a malicious link. The vulnerability requires user interaction (administrator click) but carries a CVSS score of 4.3 with integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.

PHP CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4090 MEDIUM This Month

Inquiry Cart plugin for WordPress versions up to 3.4.2 allows unauthenticated attackers to modify plugin settings and inject malicious scripts into the admin area via Cross-Site Request Forgery (CSRF) attacks. The vulnerability exploits missing nonce verification in the settings form handler, requiring an administrator to be socially engineered into clicking a malicious link. Stored scripts execute with admin privileges, enabling account hijacking and complete site compromise.

CSRF WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-4118 MEDIUM This Month

Call To Action Plugin for WordPress versions up to 3.1.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the settings page that allows unauthenticated attackers to modify plugin configuration via forged requests. The vulnerability exists because the cbox_options_page() function lacks nonce validation (missing wp_nonce_field() and wp_verify_nonce() checks), enabling attackers to trick site administrators into clicking malicious links that alter call-to-action box settings including title, content, URL, colors, and other options. No public exploit code has been identified, but the attack requires minimal complexity (AC:L) and relies on user interaction (UI:R) to succeed.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4139 MEDIUM This Month

Cross-site request forgery in mCatFilter WordPress plugin up to version 0.5.2 allows unauthenticated attackers to modify all plugin settings including category exclusion rules, feed exclusion flags, and tag page exclusion flags by tricking site administrators into clicking a malicious link. The vulnerability exists because the compute_post() function processes $_POST data without nonce verification or capability checks, executing on every page load via the plugins_loaded hook.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6396 MEDIUM This Month

Cross-Site Request Forgery in Fast & Fancy Filter - 3F WordPress plugin up to version 1.2.2 allows unauthenticated attackers to modify plugin filter settings, update arbitrary site options, or create filter posts by tricking site administrators into clicking a malicious link. The vulnerability exists in the saveFields() function which handles the fff_save_settins AJAX action without nonce verification, enabling attackers to forge requests that execute administrative actions on behalf of logged-in administrators.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4280 MEDIUM This Month

Local file inclusion in Breaking News WP plugin for WordPress (versions up to 1.3) allows authenticated attackers with Subscriber-level access to read arbitrary files on the server. The vulnerability stems from insufficient path validation in the brnwp_show_breaking_news_wp() shortcode handler, which passes unsanitized user input directly to PHP's include() function after stripping only text field characters but not directory traversal sequences. Attackers can exploit the unprotected brnwp_ajax_form AJAX endpoint to overwrite the brnwp_theme option with paths like ../../../../etc/passwd, then trigger file inclusion when the shortcode renders.

Path Traversal WordPress CSRF
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-4140 MEDIUM This Month

Cross-Site Request Forgery in Ni WooCommerce Order Export plugin for WordPress allows unauthenticated attackers to modify plugin settings by tricking an administrator into clicking a malicious link, due to missing nonce validation in the AJAX settings handler. Affected versions through 3.1.6 accept direct $_REQUEST input to update_option() without any CSRF protection or capability checks, enabling unauthorized configuration changes.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4133 MEDIUM This Month

Cross-site request forgery in TextP2P Texting Widget plugin for WordPress up to version 1.7 allows unauthenticated attackers to modify all plugin settings including API credentials and widget configuration by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the settings update handler, enabling attackers to change chat titles, messages, colors, reCAPTCHA configuration, and other sensitive options without authentication or authorization verification. This requires user interaction (admin must click attacker-controlled link) but affects any WordPress site running the vulnerable plugin with an active administrator.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4131 MEDIUM This Month

WP Responsive Popup + Optin plugin for WordPress versions up to 1.4 is vulnerable to Cross-Site Request Forgery (CSRF) allowing unauthenticated attackers to modify all plugin settings, including the 'wpo_image_url' parameter, by tricking site administrators into clicking a malicious link. The vulnerability exists because the settings form in wpo_admin_page.php lacks WordPress nonce generation and verification functions. Exploitation requires administrator interaction but can alter critical plugin configuration with broader impact across the site.

PHP CSRF WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-40929 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.

PHP CSRF
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40928 PHP MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently cast/flip the victim's like/dislike on any comment (`objects/comments_like.json.php`), post a comment authored by the victim on any video, with attacker-chosen text (`objects/commentAddNew.json.php`), and/or delete assets from any category (`objects/categoryDeleteAssets.json.php`) when the victim has category management rights. Each endpoint is reachable from a browser via a simple `<img src="…">` tag or form submission, so exploitation only requires the victim to load an attacker-controlled HTML resource. Commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c contains a fix.

PHP CSRF
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40926 PHP HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints - `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` - enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.

PHP CSRF
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-40925 PHP HIGH GHSA This Week

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-40909 PHP HIGH GHSA This Week

Path traversal in WWBN AVideo 29.0 and earlier allows authenticated administrators (or CSRF-tricked admins) to write arbitrary PHP files anywhere on the server filesystem, achieving remote code execution. The locale save endpoint fails to sanitize the 'flag' parameter used in file path construction and lacks CSRF protection despite SameSite=None cookies, enabling straightforward exploitation by lower-privilege attackers who chain CSRF against admin sessions. Upstream fix committed to GitHub (57f89ffb) but released patched version not independently confirmed. CVSS 8.7 reflects high impact but requires privileged access - real-world risk depends heavily on admin session hijacking opportunities.

PHP Path Traversal CSRF RCE
NVD GitHub
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-40875 HIGH PATCH This Week

Cross-site scripting in mailcow dockerized versions prior to 2026-03b enables remote attackers to execute malicious JavaScript in victim browsers through a chained Login CSRF and Self-XSS attack. Exploitation requires low-privileged attacker credentials and victim interaction, but can result in unauthorized access to victim email accounts and session hijacking (CVSS 7.0, AV:N/AC:H/PR:L/UI:P). The vulnerability stems from insufficient HTML escaping of X-Real-IP header values in the login history dashboard, combined with server trust of client-supplied IP headers. No active exploitation or public POC identified at time of analysis, but technical details disclosed via GitHub Security Advisory make weaponization feasible.

XSS Docker CSRF
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-41194 MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.

CSRF Freescout
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6777 MEDIUM PATCH This Month

Denial of service in Firefox DNS networking component allows unauthenticated remote attackers to cause partial availability impact through crafted network requests. The vulnerability, classified as a cross-site request forgery (CSRF) issue within DNS handling, affects Firefox versions prior to 150 and has been patched by Mozilla.

CSRF Mozilla Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6755 MEDIUM PATCH This Month

A cross-site request forgery (CSRF) mitigation bypass in the DOM postMessage component of Firefox allows authenticated attackers to trigger denial of service against affected systems. The vulnerability bypasses existing CSRF protections through improper validation of postMessage origin checks, affecting Firefox versions prior to 150. No public exploit code has been identified, and exploitation requires authenticated network access without user interaction.

CSRF Mozilla Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40497 HIGH PATCH This Week

CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).

XSS Privilege Escalation CSRF Freescout
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31014 MEDIUM POC This Month

Cross-site request forgery (CSRF) in Dovestones AD Self Update versions before 4.0.0.5 allows unauthenticated attackers to modify authenticated user account information by crafting malicious requests that exploit missing CSRF token validation. The vulnerability affects state-changing endpoints that accept both POST and GET requests without proper anti-CSRF protections, enabling account takeover when a victim visits a malicious page while logged in. Publicly available exploit code exists.

CSRF
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-6589 LOW POC Monitor

Cross-site request forgery (CSRF) in ComfyUI up to version 0.13.0 allows unauthenticated remote attackers to modify application state via crafted requests to the create_origin_only_middleware function in server.py. The vulnerability requires user interaction (clicking a malicious link or visiting an attacker-controlled site) but has low integrity impact and is publicly exploitable with proof-of-concept code available. The vendor has not responded to early disclosure notification.

CSRF Comfyui
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-40948 PyPI MEDIUM PATCH GHSA This Month

Session fixation and login-CSRF in apache-airflow-providers-keycloak prior to 0.7.0 allows remote attackers without prior authentication to hijack user sessions by delivering a crafted OAuth callback URL, enabling credential theft from stored Airflow connections. The vulnerability stems from missing OAuth 2.0 state parameter validation and lack of PKCE implementation, requiring only user interaction to trick victims into clicking a malicious link. EPSS score of 0.01% suggests minimal real-world exploitation despite moderate CVSS impact rating.

Apache CSRF
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-40581 HIGH This Week

Cross-Site Request Forgery (CSRF) in ChurchCRM versions before 7.2.0 allows remote attackers to permanently delete family records and all associated data (notes, pledges, persons, property) through the SelectDelete.php endpoint. The endpoint executes irreversible deletions via unauthenticated GET requests without CSRF token validation, requiring only that an authenticated administrator visit a malicious page. Attackers can weaponize this via phishing emails or malicious websites to trigger silent data destruction. Fixed in version 7.2.0 via PR #8613 and commit 3936162. No KEV listing or public POC identified at time of analysis, though exploitation is trivial given the simplicity of CSRF attacks against GET endpoints.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40484 CRITICAL Act Now

Remote code execution in ChurchCRM <7.2.0 allows authenticated administrators to upload PHP webshells through the database backup restore function, which copies files from archive Images/ directories to web-accessible paths without extension filtering. The vulnerability includes a CSRF bypass enabling forced exploitation through cross-site request forgery. Exploitation requires high privileges (administrator account) but is network-accessible with low complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor-released fix available in version 7.2.0 via GitHub PR #8610 and commit 68be1d12.

PHP Privilege Escalation CSRF RCE
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-40458 Maven HIGH PATCH GHSA This Week

CSRF protection bypass in PAC4J authentication library allows remote attackers to forge state-changing requests without victim consent by exploiting hash collisions in Java's String.hashCode() function. Affects PAC4J 5.x before 5.7.10 and 6.x before 6.4.1, requiring victim interaction (visiting malicious site). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). CERT-PL disclosed the vulnerability with vendor patches now available.

CSRF Pac4J
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-6451 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in the cms-fuer-motorrad-werkstaetten WordPress plugin version 1.0.0 and earlier allows unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, and supplier catalogs by tricking logged-in users into clicking a malicious link. Eight AJAX handlers lack nonce validation and capability checks, enabling direct data destruction without authentication or authorization verification. User interaction is required (UI:R), limiting the attack to social engineering scenarios rather than direct network exploitation.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-5502 MEDIUM This Month

Tutor LMS plugin for WordPress versions up to 3.9.8 allow authenticated attackers to manipulate course content structure (detach lessons, move lessons between topics, reorder content) without proper authorization checks when the 'content_parent' parameter is omitted from requests to the tutor_update_course_content_order() function. Although the CVSS score of 5.3 reflects the absence of confidentiality impact, the vulnerability enables course instructors or subscribers to disrupt course integrity across the entire site despite lacking content management permissions, with no public exploit code confirmed but patch available in version 3.9.9.

Authentication Bypass WordPress CSRF
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3330 MEDIUM This Month

SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.

WordPress SQLi CSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-14868 HIGH This Week

Cross-Site Request Forgery (CSRF) in Career Section WordPress plugin versions ≤1.6 enables unauthenticated attackers to delete arbitrary server files through social engineering. Attackers trick authenticated WordPress administrators into clicking malicious links that exploit missing nonce validation in the delete action handler, leading to path traversal and unrestricted file deletion. CVSS 8.8 (High) with network attack vector but requires user interaction (UI:R). EPSS and KEV data not provided; public exploit code status unknown. Wordfence advisory and upstream patch commit available.

Path Traversal WordPress CSRF
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11.

CSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Same-site Cross-Site Request Forgery (CSRF) in RedwoodSDK server actions allows attackers controlling same-site origins to invoke arbitrary server actions with victim session cookies in versions 1.0.0-beta.50 through 1.2.2. The vulnerability stems from missing origin validation despite HTTP method enforcement, enabling attackers to trigger state-changing operations through subdomain takeover, sibling-application XSS, or local development vectors. Vendor-released patch version 1.2.3 enforces Origin/Host matching validation. CVSS 5.3 reflects high integrity impact (UI:R) but constrained attack complexity (AC:H) and no information disclosure.

CSRF Sdk
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Remote code execution in FacturaScripts through authenticated file upload allows attackers with valid credentials to bypass MIME type validation by prepending GIF89a magic bytes to PHP files, resulting in executable files stored in a web-accessible directory. An attacker can upload a malicious PHP file disguised as a GIF image via the product image upload functionality, then directly execute arbitrary commands on the server. The vulnerability affects versions 2025.81 and earlier; publicly available proof-of-concept code exists demonstrating end-to-end exploitation.

PHP CSRF File Upload +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions with high integrity and confidentiality impact when authenticated users interact with malicious content. The CVSS 9.6 (Critical) score reflects scope change and full CIA triad compromise, though EPSS data and KEV status are unavailable. No public exploit code identified at time of analysis, but CSRF vulnerabilities are well-understood and easily weaponized once identified.

CSRF Divvydrive
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in PluginUs.Net BEAR plugin versions up to 1.1.5 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted web requests. The vulnerability requires user interaction (clicking a malicious link) but can modify application state without the user's knowledge or consent. No active exploitation has been publicly confirmed at the time of analysis.

CSRF Bear
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site request forgery (CSRF) in WPGraphQL plugin versions up to 2.5.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress users with user interaction (typically clicking a malicious link). The vulnerability affects the GraphQL endpoint's lack of token-based request verification, enabling attackers to craft requests that WordPress site visitors are tricked into executing without their knowledge. No public exploit code or active exploitation has been confirmed.

CSRF Wpgraphql
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

A Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of session query data in the context of the authenticated user. The issue was fixed by enabling CSRF protection for the affected blueprint and hardening query parsing. As reported by Bilal Teke.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Flight PHP micro-framework (< 3.18.1) silently converts GET requests into DELETE or PUT operations via unvalidated X-HTTP-Method-Override headers or _method query parameters, enabling trivial CSRF attacks against destructive endpoints. Attackers can trigger resource deletion using simple HTML image tags without JavaScript or user interaction. The vulnerability bypasses middleware filters that gate only POST/DELETE verbs, and creates CDN cache poisoning scenarios where cached GET responses reflect executed DELETE operations. Patch available in version 3.18.1 introducing opt-in method override control (flight.allow_method_override setting). No active exploitation confirmed at time of analysis; publicly available exploit code exists in GitHub advisory.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-Site Request Forgery in Masa CMS allows unauthenticated attackers to force logged-in administrators to create site bundles containing sensitive data including password hashes, user accounts, and configuration details. The bundles are saved to predictable public directories where any unauthenticated attacker can download them. This vulnerability affects versions 7.5.2 and earlier across multiple release branches. Fixed versions are available: 7.2.10, 7.3.15, 7.4.10, and 7.5.3. CVSS 7.1 HIGH with network attack vector requiring user interaction but no authentication.

CSRF
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-site request forgery (CSRF) in Masa CMS 7.5.2 and earlier allows remote attackers to restore deleted content through administrator sessions. By tricking an authenticated administrator into clicking a malicious link, attackers can restore previously deleted items from trash and relocate them anywhere in the site structure via the parentid parameter. This enables exposure of sensitive documents by moving them to public areas, restoration of malicious content, or disruption of site integrity. Fixed versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3 are available. EPSS data not available; no confirmed active exploitation (CISA KEV) at time of analysis.

CSRF
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Cross-Site Request Forgery in Masa CMS trash management allows remote attackers to permanently delete all trashed content through a logged-in administrator. An attacker tricks an authenticated admin into visiting a malicious page that submits a forged trash-emptying request, bypassing CSRF protections and causing irreversible data loss across all pending-deletion content. The vulnerability affects default administrative interfaces without requiring special configuration. No active exploitation confirmed at time of analysis, though the attack technique is well-documented for CSRF vulnerabilities. EPSS data not available.

CSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-site request forgery (CSRF) in Masa CMS 7.5.2 and earlier allows remote attackers to manipulate user address records through forged requests when authenticated administrators interact with malicious content. The cUsers.updateAddress function lacks proper anti-CSRF token validation, enabling unauthorized addition, modification, or deletion of email addresses, phone numbers, and other contact data. Patches available in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation; no public exploit identified at time of analysis.

CSRF
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Remote code execution in Craft CMS allows any authenticated user to execute arbitrary system commands via malicious Yii object configuration. This vulnerability exploits uncleansed field layout data in the condition handling path, bypassing previous CVE-2024-4990 mitigations. Attackers can inject behaviors through POST requests to admin endpoints like /admin/actions/element-search/search, triggering command execution via AttributeTypecastBehavior abuse. Publicly available exploit code exists in the GitHub advisory (GHSA-qrgm-p9w5-rrfw) with detailed proof-of-concept. Affects Craft CMS 4.0.0-RC1 through 4.16.16 and 5.0.0-RC1 through 5.8.20. Vendor-released patches: 4.16.17 and 5.8.21.

Mozilla CSRF
NVD GitHub
EPSS 0% CVSS 2.6
LOW Monitor

HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated users with sufficient privileges to perform unauthorized actions or access sensitive data through malicious web requests. The vulnerability requires user interaction (such as clicking a malicious link) and affects confidentiality but not integrity or availability, resulting in a CVSS score of 2.6. No active exploitation has been publicly reported.

Information Disclosure CSRF Bigfix Service Management Sm
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Insecure Direct Object Reference (IDOR) in AVideo's PayPalYPT plugin allows any authenticated user to cancel arbitrary PayPal billing agreements belonging to other users by supplying a victim's agreement ID to the `agreementCancel.json.php` endpoint. An attacker can silently suspend a victim's recurring subscription without authorization, causing revenue loss to the platform operator and service interruption to the victim. The vulnerability exists because the endpoint only checks that the user is logged in, but fails to verify ownership of the agreement being canceled, despite a sister endpoint (`PayPalAgreementCancel.json.php`) implementing the correct authorization check.

Authentication Bypass PHP CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthenticated CRLF injection in AVideo's Scheduler plugin allows remote attackers to inject arbitrary calendar events into ICS files served from the victim's trusted domain, enabling high-credibility calendar phishing attacks. The vulnerable endpoint accepts attacker-controlled parameters without sanitization, passes them through an incomplete escape function that does not neutralize carriage-return/line-feed bytes, and constructs RFC 5545-compliant ICS calendar files containing injected VEVENT blocks. Exploitation requires only that the Scheduler plugin be enabled (common default) and user interaction to import the malicious .ics file; no authentication or special configuration is needed. A vendor-released patch is available.

Microsoft PHP CSRF +3
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated user enumeration in AVideo objects/users.json.php allows remote attackers to disclose all registered user accounts via an isCompany parameter that bypasses admin-only access controls, and a users_id parameter that acts as a sequential-ID existence oracle. An unauthenticated attacker can harvest the complete user directory-including display names, numeric IDs, profile URLs, photos, and active/inactive status-in a single unbounded GET request, enabling credential stuffing and phishing campaigns. The vulnerability affects AVideo through version 29.0; vendor patch available.

Authentication Bypass Oracle CSRF +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated arbitrary email sending via sendEmail.json.php allows remote attackers to send phishing emails from the site's legitimate sender address to arbitrary recipients by omitting the contactForm parameter, bypassing authentication and CSRF protections. The endpoint is explicitly allow-listed as a public write action and requires only a solved captcha, enabling an attacker to impersonate the site operator and send messages with forged From/Reply-To headers that pass SPF/DKIM/DMARC validation for the site's domain, ideal for targeted credential harvesting and brand impersonation attacks.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Blind server-side request forgery (SSRF) in AVideo's donation webhook system allows authenticated users to configure webhook URLs pointing to internal/loopback/metadata services (127.0.0.1, 169.254.169.254, RFC1918 addresses). When any user donates via the CustomizeUser plugin, the AVideo server issues an unauthenticated POST request to the attacker-supplied URL without validating it against the codebase's existing isSSRFSafeURL() helper. The vulnerability is compounded by CURLOPT_FOLLOWLOCATION being enabled without per-hop revalidation, permitting HTTP 307 redirects from attacker-controlled hosts to bypass even future URL validation. CVSS 5.4 (network-accessible, requires authentication, low complexity); no public proof-of-concept or active KEV exploitation confirmed at analysis time, but the vulnerability is trivially exploitable with two attacker-controlled accounts and the PoC is fully documented in the advisory.

Redis SSRF CSRF +1
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.

PHP CSRF XSS +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Sensitive information disclosure in Grav CMS v1.8.0-beta.29 allows low-privileged users with page editing permissions to bypass Twig sandbox restrictions and extract administrative password hashes and security salts via the exposed `grav['accounts']` service. A content editor can inject a Twig template with `{{ grav['accounts'].load('admin').get('hashed_password') }}` to retrieve plaintext Bcrypt hashes accessible for offline brute-force attack. Vendor-released patch available (2.0.0-beta.2 and commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47); publicly available proof-of-concept exists demonstrating practical exploitation.

Authentication Bypass PHP Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.

Microsoft PHP CSRF +4
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote unauthenticated attackers can execute JavaScript in administrator sessions of YAF.NET forum software (versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4) by injecting malicious User-Agent headers via any endpoint that triggers exception logging, notably /api/Attachments/GetAttachment. The stored XSS payload fires when administrators view the Event Log admin panel, enabling full forum takeover through admin-session hijacking. A working proof-of-concept exists requiring only a single anonymous HTTP request. EPSS and KEV data not available; CVSS 8.1 (High) reflects network vector, low complexity, and no authentication requirement, though the UI:R metric indicates the admin must visit the log page for execution.

XSS CSRF
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in AVideo's Meet plugin allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unescaped user and pass query parameters into a JavaScript string literal. The vulnerability is reachable without authentication on any public Meet schedule with no password (the default configuration), enabling session cookie theft and account takeover of authenticated users. CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects network delivery requiring user interaction but changed scope due to cookie exfiltration across the AVideo application origin.

XSS PHP CSRF
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site request forgery in AVideo's userSavePhoto.php endpoint allows unauthenticated remote attackers to overwrite any logged-in user's profile photo with arbitrary bytes by luring them to a malicious webpage. The vulnerability exploits a missing CSRF token and a default cookie policy of SameSite=None on HTTPS deployments, combined with unvalidated base64 decoding that accepts any file content. Each successful attack also triggers a global cache invalidation, enabling denial-of-service via cache thrashing.

PHP CSRF RCE
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.

Canonical XSS PHP +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover when unauthenticated attackers capture the redirect URL from server logs, browser history, or referrer leakage, then replay the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow-no active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and patch has been released by the vendor.

PHP CSRF Google
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python +4
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in JupyterHub 4.1.0 through 5.4.4 bypasses XSRF protection for HTTP form endpoints by misclassifying requests with Sec-Fetch-Mode: no-cors as same-origin, allowing unauthenticated attackers to trigger server spawning or, if they are JupyterHub users with share permissions, coerce victims into accepting access shares to the attacker's server. The JSON API is not affected. No active exploitation confirmed, but CVSS 5.4 reflects moderate integrity and availability impact via user interaction.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery in Publish 2 Ping.fm WordPress plugin up to version 1.1 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a crafted link, exploiting missing nonce validation on the admin settings page. The vulnerability requires user interaction (admin click) and affects the plugin's confidentiality and integrity but not availability. No public exploit code or active exploitation has been confirmed.

PHP CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in DX Sources plugin for WordPress up to version 2.0.1 allows unauthenticated attackers to modify plugin configuration options by tricking a logged-in administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the settings_page_build function, enabling attackers to alter plugin settings without administrative consent. No active exploitation has been confirmed at the time of analysis.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in addfreespace WordPress plugin versions up to 0.1.3 allows unauthenticated attackers to update plugin settings and inject malicious scripts by tricking site administrators into clicking a forged link, exploiting missing nonce validation on settings update functions. The vulnerability requires user interaction (administrator click) and has low impact scope (integrity only, no confidentiality or availability loss), making it a moderate-risk CSRF attack vector in typical WordPress deployments.

CSRF WordPress
NVD
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Command injection in net-imap library allows attackers to inject arbitrary IMAP commands by supplying unvalidated user input to multiple methods that send raw, unescaped strings to the IMAP server. The #search, #uid_search, #fetch, #uid_fetch, #store, #uid_store, and #setquota methods accept string arguments that bypass normal validation and encoding, enabling CRLF injection to break command context. Applications that dynamically construct search criteria, fetch attributes, or quota limits from user input are at significant risk; a developer passing unsanitized input could allow an attacker to append malicious IMAP commands such as DELETE or other state-modifying operations.

Authentication Bypass Command Injection CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

Docker CSRF PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

goshs SimpleHTTPServer versions prior to 2.0.2 allow arbitrary file write via cross-origin PUT requests due to missing CSRF token validation on the PUT handler combined with permissive wildcard CORS headers. An attacker can trick a victim into visiting a malicious website which then writes arbitrary files to a goshs instance running on localhost or an internal network, bypassing network isolation protections. Publicly available exploit code exists, and the vulnerability affects all v2.x releases before 2.0.2 and all v1.x releases (no patch available for v1.x).

CSRF Suse
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

Transport-state spoofing in Bandit 1.0.0 through 1.10.x allows unauthenticated remote attackers to forge HTTPS connections over plaintext HTTP by supplying a malicious URI scheme in HTTP/1.1 absolute-form request targets or HTTP/2 :scheme pseudo-headers. The vulnerable determine_scheme/2 function returns client-supplied scheme values verbatim, causing downstream Plug middlewares to make incorrect security decisions: Plug.SSL skips HTTP→HTTPS redirects, secure cookies are transmitted unencrypted, and CSRF/SameSite protections may be bypassed. CVSS 6.3 (network-accessible, low complexity). Vendor patch available (version 1.11.0+).

CSRF Bandit
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Ultimate Dashboard for WordPress up to version 3.8.14 allows unauthenticated attackers to toggle plugin modules on or off by tricking site administrators into clicking a malicious link. The vulnerability stems from flawed nonce validation in the 'handle_module_actions' function, enabling attackers to modify plugin configuration without user consent. No public exploit code or active exploitation has been identified at this time.

CSRF WordPress
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.

CSRF PHP WordPress
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-site request forgery in Dbit N300 T1 Pro wireless router V1.0.0 allows remote unauthenticated attackers to execute arbitrary administrative actions by convincing an authenticated administrator to visit a malicious webpage. The router lacks anti-CSRF tokens and Origin/Referer validation on configuration endpoints like /api/setWlan, enabling complete router compromise through social engineering. Publicly available exploit code exists (SSVC: poc status) with EPSS data not provided, indicating proof-of-concept demonstration but no confirmed active exploitation at time of analysis.

CSRF N A
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Cross-site request forgery in U-SPEED N300 Router V1.0.0 allows remote attackers to execute administrative actions through victim browsers when authenticated administrators visit attacker-controlled webpages. The router's web management interface lacks CSRF tokens and Origin/Referer validation, enabling attackers to craft malicious pages that trigger state-changing operations using the victim's valid session cookie. A proof-of-concept exploit exists (GitHub repository linked), though no active exploitation is confirmed in CISA KEV at time of analysis. CVSS 8.8 severity reflects high impact across confidentiality, integrity, and availability when exploitation succeeds.

CSRF N A
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

SAML signature validation in Admidio's Identity Provider implementation can be completely bypassed due to discarded return values in authentication flows. The validateSignature() method returns error strings on failure but both call sites (SSO and Single Logout handlers) discard the return value, allowing unsigned or invalidly-signed SAML requests to proceed. Attackers can forge AuthnRequests to exfiltrate logged-in users' personal data (username, email, real name, role memberships) to attacker-controlled endpoints, or forge LogoutRequests to terminate victim sessions and cascade logout across federated Service Providers. The smc_require_auth_signed configuration setting provides no protection. Public exploit code exists (PoC in GitHub advisory). CVSS 8.2 reflects network-accessible attack with no authentication required, though practical exploitation of the SSO path requires victim to have an active session. No active exploitation confirmed at time of analysis.

PHP CSRF Jwt Attack +1
NVD GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

## Summary Several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because `SameSite=Lax` cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. ## Details In `modules/preferences.php`, the `backup`, `test_email`, and `htaccess` modes accept GET parameters with no CSRF token check: ```php // modules/preferences.php - backup mode case 'backup': // Creates full database dump and serves as download // No CSRF token validation $backupFile = $gDb->backup(); // ... sends file to client break; case 'test_email': // Sends test email from the server // No CSRF token validation break; case 'htaccess': // Writes .htaccess file to disk // No CSRF token validation break; ``` The `save` mode in the same file validates CSRF via `getFormObject()`, confirming the developers intended CSRF protection but did not apply it to these other modes. Because these are GET requests, `SameSite=Lax` browsers include session cookies on top-level cross-origin navigations, making CSRF exploitation trivial. ## Proof of Concept Simplified attacker page (`csrf.html` hosted on attacker origin): ```html <html> <body> <h1>Loading...</h1> <!-- Trigger backup creation on victim's browser --> <script>window.location = 'https://target-admidio.example.com/adm_program/modules/preferences.php?mode=backup';</script> </body> </html> ``` When an administrator visits this page, the browser navigates to the Admidio backup URL with full session cookies. The server generates a database dump and serves it as a download to the victim's browser. Note: the backup downloads to the victim's machine, not to the attacker. The attacker cannot read the response cross-origin. For `htaccess` mode, the CSRF overwrites the `.htaccess` file on the server, disrupting the application. For `test_email` mode, it triggers email sends from the server, which an attacker can abuse for spam or to probe internal email infrastructure. ## Impact An attacker tricks an Admidio administrator into visiting a malicious page that triggers state-changing operations on the server: - **Backup creation**: forces the server to generate a full database dump. The backup downloads to the victim's browser, not to the attacker. However, repeated backup triggers can cause disk I/O and storage pressure on the server. - **htaccess modification**: overwrites the server's `.htaccess` file, breaking URL routing or disabling security headers. - **Test email**: fires email sends from the server, usable as a spam relay or to probe internal mail configuration. The core issue is that state-changing operations run via unprotected GET requests. The victim only needs to visit a single attacker-controlled page while logged in. ## Recommended Fix 1. Change `backup`, `test_email`, and `htaccess` operations to require POST requests. 2. Add CSRF token validation using the existing `getFormObject()` mechanism. 3. As defense in depth, set `SameSite=Strict` on session cookies or add a confirmation step for destructive operations like database backup. --- *Found by [aisafe.io](https://aisafe.io)*

PHP CSRF
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.

Authentication Bypass PHP CSRF
NVD GitHub
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

Path traversal in Admidio's document add mode allows authenticated attackers to register arbitrary server files into document folders via unvalidated `name` parameter, enabling arbitrary file read when combined with CSRF. A low-privileged user can trick a documents administrator into clicking a malicious link to register sensitive files like `install/config.php` (containing database credentials) into a publicly accessible documents folder, then download those files using the attacker's own session. The vulnerability chains insufficient input validation (accepts `../` sequences), missing CSRF protection on the `add` action, and `SameSite=Lax` cookies that permit cross-site GET requests from administrators.

PHP CSRF Path Traversal
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Roadiz OpenID Connect authentication fails to store and validate the nonce parameter, allowing attackers to replay valid ID tokens or inject tokens from compromised identity providers to impersonate users. The package generates a nonce during authorization request initiation but never validates the returned nonce claim in the ID token, violating OIDC Core 1.0 specification requirements. Publicly available proof-of-concept demonstrates token replay within the token's validity window, affecting all Roadiz applications using the roadiz/openid package versions before 2.7.18, 2.6.31, 2.5.45, or 2.3.43.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

CKAN versions 2.10.0 through 2.10.9 and 2.11.0 through 2.11.4 allow unauthenticated requests to permanently disable CSRF protection on endpoints for the lifetime of the server process by triggering a state mutation in the flask-wtf CSRFProtect middleware. Combined with cross-site scripting, an attacker can exploit this to perform authenticated actions using other users' credentials. The vulnerability affects network-accessible CKAN instances with default configurations and has CVSS 6.1 with user interaction required.

XSS CSRF Python
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF RCE Videoflow Digital Video Protection
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Authentication Bypass Merge Pacs
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Cross Site Request Forgery.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.11.0.

CSRF Barcode Scanner With Inventory Order Manager
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php

PHP CSRF
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site request forgery (CSRF) in code-projects Invoice System 1.0 for Laravel allows remote attackers to perform unauthorized actions via crafted requests. The vulnerability requires user interaction (clicking a malicious link) but affects the system's integrity through unvalidated state-changing operations. Exploit code is publicly available, and the CVSS 5.3 score reflects moderate severity with limited integrity impact but no confidentiality or availability harm.

CSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in Authlib's Starlette OAuth client cache feature (versions prior to 1.6.11) allows unauthenticated remote attackers to forge requests that manipulate cached OAuth state, potentially leading to session hijacking or token theft. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity. Vendor-released patch: version 1.6.11.

CSRF Python Suse +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Taqnix WordPress plugin versions up to 1.0.3 allows unauthenticated attackers to trick logged-in users into deleting their own accounts via a forged request. The vulnerability stems from a commented-out nonce verification check in the taqnix_delete_my_account() function, making account deletion unprotected against CSRF attacks. No public exploit code or active exploitation has been identified, though the attack requires user interaction (clicking a malicious link or visiting a compromised page).

WordPress CSRF
NVD VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Frappe Press `create_api_secret` endpoint accepts GET requests despite performing database writes, enabling Cross-Site Request Forgery (CSRF)-like attacks where unauthenticated remote attackers can create API secrets by tricking authenticated users into visiting a malicious URL. No public exploit code or active exploitation has been confirmed at the time of analysis.

CSRF Press
NVD GitHub
EPSS 0% CVSS 8.4
HIGH Act Now

Cross-Site Request Forgery in SenseLive X3050's web management interface enables authenticated attackers to force victims into executing unauthorized configuration changes and potentially disruptive operations. A remote attacker with low privileges can craft malicious web pages that, when visited by an authenticated administrator, trigger state-changing requests without the victim's knowledge, leading to high integrity and availability impact on the device. CISA ICS-CERT has issued an advisory (ICSA-26-111-12) for this industrial control system component, indicating coordination with the vendor and awareness within the critical infrastructure community.

CSRF X3050
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints.

CSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).

CSRF
NVD VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Cross-Site Request Forgery (CSRF) in GitLab CE/EE allows remote unauthenticated attackers to execute GraphQL mutations as authenticated victims through crafted web pages. Affects all versions from 17.0 through 18.11.0, with publicly available exploit code (HackerOne report 3627285). Despite high CVSS 8.1, exploitation requires user interaction (phishing/social engineering) and is not automatable per CISA SSVC framework. No evidence of active exploitation in CISA KEV at time of analysis. Vendor patches released: 18.9.6, 18.10.4, and 18.11.1.

CSRF Gitlab
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada theme allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through malicious web pages, affecting versions before 7.13.2. The vulnerability requires user interaction (clicking a malicious link or visiting a crafted page) but carries low overall risk due to SSVC assessment indicating none-automatable exploitation with partial technical impact. No active exploitation has been confirmed in CISA KEV at time of analysis.

CSRF Avada
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in the DX Unanswered Comments WordPress plugin versions up to 1.7 allows unauthenticated attackers to modify critical plugin settings (authors list and comment count) by tricking a site administrator into clicking a malicious link, due to missing nonce validation in the settings form handler. The CVSS 4.3 score reflects low severity with integrity impact limited to plugin configuration rather than data or code execution, but successful exploitation could alter site functionality if an attacker controls which comments are flagged as unanswered.

PHP CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in Google PageRank Display plugin for WordPress (versions up to 1.4) allows unauthenticated attackers to trick logged-in administrators into changing plugin settings via a crafted request, due to missing nonce validation in the settings form handler. The vulnerability has a CVSS score of 4.3 (network-based, low complexity, requires user interaction) and enables modification of plugin configuration such as display style without administrator knowledge.

CSRF WordPress Google
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Kcaptcha WordPress plugin versions up to 1.0.1 fails to validate nonces on the settings page, allowing unauthenticated attackers to modify CAPTCHA configuration (enable/disable on login, registration, lost password, and comment forms) via cross-site request forgery if a site administrator can be tricked into clicking a malicious link. The vulnerability requires user interaction (administrator click) but carries a CVSS score of 4.3 with integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.

PHP CSRF WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Inquiry Cart plugin for WordPress versions up to 3.4.2 allows unauthenticated attackers to modify plugin settings and inject malicious scripts into the admin area via Cross-Site Request Forgery (CSRF) attacks. The vulnerability exploits missing nonce verification in the settings form handler, requiring an administrator to be socially engineered into clicking a malicious link. Stored scripts execute with admin privileges, enabling account hijacking and complete site compromise.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Call To Action Plugin for WordPress versions up to 3.1.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the settings page that allows unauthenticated attackers to modify plugin configuration via forged requests. The vulnerability exists because the cbox_options_page() function lacks nonce validation (missing wp_nonce_field() and wp_verify_nonce() checks), enabling attackers to trick site administrators into clicking malicious links that alter call-to-action box settings including title, content, URL, colors, and other options. No public exploit code has been identified, but the attack requires minimal complexity (AC:L) and relies on user interaction (UI:R) to succeed.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in mCatFilter WordPress plugin up to version 0.5.2 allows unauthenticated attackers to modify all plugin settings including category exclusion rules, feed exclusion flags, and tag page exclusion flags by tricking site administrators into clicking a malicious link. The vulnerability exists because the compute_post() function processes $_POST data without nonce verification or capability checks, executing on every page load via the plugins_loaded hook.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in Fast & Fancy Filter - 3F WordPress plugin up to version 1.2.2 allows unauthenticated attackers to modify plugin filter settings, update arbitrary site options, or create filter posts by tricking site administrators into clicking a malicious link. The vulnerability exists in the saveFields() function which handles the fff_save_settins AJAX action without nonce verification, enabling attackers to forge requests that execute administrative actions on behalf of logged-in administrators.

CSRF WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Local file inclusion in Breaking News WP plugin for WordPress (versions up to 1.3) allows authenticated attackers with Subscriber-level access to read arbitrary files on the server. The vulnerability stems from insufficient path validation in the brnwp_show_breaking_news_wp() shortcode handler, which passes unsanitized user input directly to PHP's include() function after stripping only text field characters but not directory traversal sequences. Attackers can exploit the unprotected brnwp_ajax_form AJAX endpoint to overwrite the brnwp_theme option with paths like ../../../../etc/passwd, then trigger file inclusion when the shortcode renders.

Path Traversal WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in Ni WooCommerce Order Export plugin for WordPress allows unauthenticated attackers to modify plugin settings by tricking an administrator into clicking a malicious link, due to missing nonce validation in the AJAX settings handler. Affected versions through 3.1.6 accept direct $_REQUEST input to update_option() without any CSRF protection or capability checks, enabling unauthorized configuration changes.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in TextP2P Texting Widget plugin for WordPress up to version 1.7 allows unauthenticated attackers to modify all plugin settings including API credentials and widget configuration by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the settings update handler, enabling attackers to change chat titles, messages, colors, reCAPTCHA configuration, and other sensitive options without authentication or authorization verification. This requires user interaction (admin must click attacker-controlled link) but affects any WordPress site running the vulnerable plugin with an active administrator.

CSRF WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

WP Responsive Popup + Optin plugin for WordPress versions up to 1.4 is vulnerable to Cross-Site Request Forgery (CSRF) allowing unauthenticated attackers to modify all plugin settings, including the 'wpo_image_url' parameter, by tricking site administrators into clicking a malicious link. The vulnerability exists because the settings form in wpo_admin_page.php lacks WordPress nonce generation and verification functions. Exploitation requires administrator interaction but can alter critical plugin configuration with broader impact across the site.

PHP CSRF WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently cast/flip the victim's like/dislike on any comment (`objects/comments_like.json.php`), post a comment authored by the victim on any video, with attacker-chosen text (`objects/commentAddNew.json.php`), and/or delete assets from any category (`objects/categoryDeleteAssets.json.php`) when the victim has category management rights. Each endpoint is reachable from a browser via a simple `<img src="…">` tag or form submission, so exploitation only requires the victim to load an attacker-controlled HTML resource. Commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c contains a fix.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints - `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` - enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 8.3
HIGH This Week

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Path traversal in WWBN AVideo 29.0 and earlier allows authenticated administrators (or CSRF-tricked admins) to write arbitrary PHP files anywhere on the server filesystem, achieving remote code execution. The locale save endpoint fails to sanitize the 'flag' parameter used in file path construction and lacks CSRF protection despite SameSite=None cookies, enabling straightforward exploitation by lower-privilege attackers who chain CSRF against admin sessions. Upstream fix committed to GitHub (57f89ffb) but released patched version not independently confirmed. CVSS 8.7 reflects high impact but requires privileged access - real-world risk depends heavily on admin session hijacking opportunities.

PHP Path Traversal CSRF +1
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Cross-site scripting in mailcow dockerized versions prior to 2026-03b enables remote attackers to execute malicious JavaScript in victim browsers through a chained Login CSRF and Self-XSS attack. Exploitation requires low-privileged attacker credentials and victim interaction, but can result in unauthorized access to victim email accounts and session hijacking (CVSS 7.0, AV:N/AC:H/PR:L/UI:P). The vulnerability stems from insufficient HTML escaping of X-Real-IP header values in the login history dashboard, combined with server trust of client-supplied IP headers. No active exploitation or public POC identified at time of analysis, but technical details disclosed via GitHub Security Advisory make weaponization feasible.

XSS Docker CSRF
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.

CSRF Freescout
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Denial of service in Firefox DNS networking component allows unauthenticated remote attackers to cause partial availability impact through crafted network requests. The vulnerability, classified as a cross-site request forgery (CSRF) issue within DNS handling, affects Firefox versions prior to 150 and has been patched by Mozilla.

CSRF Mozilla Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A cross-site request forgery (CSRF) mitigation bypass in the DOM postMessage component of Firefox allows authenticated attackers to trigger denial of service against affected systems. The vulnerability bypasses existing CSRF protections through improper validation of postMessage origin checks, affecting Firefox versions prior to 150. No public exploit code has been identified, and exploitation requires authenticated network access without user interaction.

CSRF Mozilla Red Hat +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).

XSS Privilege Escalation CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Cross-site request forgery (CSRF) in Dovestones AD Self Update versions before 4.0.0.5 allows unauthenticated attackers to modify authenticated user account information by crafting malicious requests that exploit missing CSRF token validation. The vulnerability affects state-changing endpoints that accept both POST and GET requests without proper anti-CSRF protections, enabling account takeover when a victim visits a malicious page while logged in. Publicly available exploit code exists.

CSRF
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site request forgery (CSRF) in ComfyUI up to version 0.13.0 allows unauthenticated remote attackers to modify application state via crafted requests to the create_origin_only_middleware function in server.py. The vulnerability requires user interaction (clicking a malicious link or visiting an attacker-controlled site) but has low integrity impact and is publicly exploitable with proof-of-concept code available. The vendor has not responded to early disclosure notification.

CSRF Comfyui
NVD VulDB GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Session fixation and login-CSRF in apache-airflow-providers-keycloak prior to 0.7.0 allows remote attackers without prior authentication to hijack user sessions by delivering a crafted OAuth callback URL, enabling credential theft from stored Airflow connections. The vulnerability stems from missing OAuth 2.0 state parameter validation and lack of PKCE implementation, requiring only user interaction to trick victims into clicking a malicious link. EPSS score of 0.01% suggests minimal real-world exploitation despite moderate CVSS impact rating.

Apache CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Cross-Site Request Forgery (CSRF) in ChurchCRM versions before 7.2.0 allows remote attackers to permanently delete family records and all associated data (notes, pledges, persons, property) through the SelectDelete.php endpoint. The endpoint executes irreversible deletions via unauthenticated GET requests without CSRF token validation, requiring only that an authenticated administrator visit a malicious page. Attackers can weaponize this via phishing emails or malicious websites to trigger silent data destruction. Fixed in version 7.2.0 via PR #8613 and commit 3936162. No KEV listing or public POC identified at time of analysis, though exploitation is trivial given the simplicity of CSRF attacks against GET endpoints.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in ChurchCRM <7.2.0 allows authenticated administrators to upload PHP webshells through the database backup restore function, which copies files from archive Images/ directories to web-accessible paths without extension filtering. The vulnerability includes a CSRF bypass enabling forced exploitation through cross-site request forgery. Exploitation requires high privileges (administrator account) but is network-accessible with low complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor-released fix available in version 7.2.0 via GitHub PR #8610 and commit 68be1d12.

PHP Privilege Escalation CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

CSRF protection bypass in PAC4J authentication library allows remote attackers to forge state-changing requests without victim consent by exploiting hash collisions in Java's String.hashCode() function. Affects PAC4J 5.x before 5.7.10 and 6.x before 6.4.1, requiring victim interaction (visiting malicious site). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). CERT-PL disclosed the vulnerability with vendor patches now available.

CSRF Pac4J
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in the cms-fuer-motorrad-werkstaetten WordPress plugin version 1.0.0 and earlier allows unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, and supplier catalogs by tricking logged-in users into clicking a malicious link. Eight AJAX handlers lack nonce validation and capability checks, enabling direct data destruction without authentication or authorization verification. User interaction is required (UI:R), limiting the attack to social engineering scenarios rather than direct network exploitation.

CSRF WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Tutor LMS plugin for WordPress versions up to 3.9.8 allow authenticated attackers to manipulate course content structure (detach lessons, move lessons between topics, reorder content) without proper authorization checks when the 'content_parent' parameter is omitted from requests to the tutor_update_course_content_order() function. Although the CVSS score of 5.3 reflects the absence of confidentiality impact, the vulnerability enables course instructors or subscribers to disrupt course integrity across the entire site despite lacking content management permissions, with no public exploit code confirmed but patch available in version 3.9.9.

Authentication Bypass WordPress CSRF
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.

WordPress SQLi CSRF
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) in Career Section WordPress plugin versions ≤1.6 enables unauthenticated attackers to delete arbitrary server files through social engineering. Attackers trick authenticated WordPress administrators into clicking malicious links that exploit missing nonce validation in the delete action handler, leading to path traversal and unrestricted file deletion. CVSS 8.8 (High) with network attack vector but requires user interaction (UI:R). EPSS and KEV data not provided; public exploit code status unknown. Wordfence advisory and upstream patch commit available.

Path Traversal WordPress CSRF
NVD VulDB
Prev Page 5 of 94 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy