Skip to main content

CSRF

8444 CVEs technique

Monthly

CVE-2026-33681 PHP HIGH This Week

WWBN AVideo, an open source video platform, contains a critical path traversal vulnerability in the pluginRunDatabaseScript.json.php endpoint that allows authenticated administrators to execute arbitrary SQL queries against the application database. Versions up to and including 26.0 are affected. The vulnerability can also be exploited via CSRF attacks against authenticated admin sessions, enabling unauthenticated attackers to achieve remote code execution or complete database compromise.

Path Traversal PHP CSRF
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33649 PHP HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo open source video platform versions up to and including 26.0 allows unauthenticated attackers to escalate privileges to near-admin access by tricking an administrator into visiting a malicious page. The vulnerability exists in the setPermission.json.php endpoint which accepts state-changing operations via GET requests without CSRF token validation, compounded by the application's explicit SameSite=None cookie setting. No patched version is currently available, and with a CVSS score of 8.1 (High), this represents a significant risk for installations with administrative users who browse external content.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4590 LOW POC Monitor

A cross-site request forgery (CSRF) vulnerability exists in Kalcaddle Kodbox 1.64 affecting the loginSubmit API endpoint within the OAuth bind controller. An unauthenticated remote attacker can manipulate the 'third' parameter to forge requests that modify application state, though the attack requires user interaction and high complexity. A public proof-of-concept exploit has been released, and the vendor has not responded to early disclosure notifications.

CSRF PHP
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-3635 npm MEDIUM PATCH This Month

Fastify versions 5.8.2 and earlier contain a header spoofing vulnerability in the trustProxy implementation where the request.protocol and request.host getters incorrectly trust X-Forwarded-Proto and X-Forwarded-Host headers even from untrusted connections when a restrictive trust function is configured. An attacker who can connect directly to a Fastify instance (bypassing the intended proxy) can spoof protocol and host values, potentially bypassing HTTPS enforcement, manipulating secure cookie behavior, and defeating CSRF origin checks. This vulnerability affects applications relying on these headers for security decisions and has a CVSS score of 6.1 with adjacent attack vector and high complexity, indicating moderate real-world exploitability.

CSRF Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31849 HIGH This Week

This vulnerability is a Cross-Site Request Forgery (CSRF) flaw affecting the Nexxt Solutions Nebula 300+ device firmware through version 12.01.01.37, where state-changing administrative endpoints lack proper CSRF protections. An attacker can trick an authenticated administrator into submitting malicious requests that modify critical device settings, including security configurations, without the administrator's knowledge or consent. No CVSS score or EPSS data is currently available, and the vulnerability has not been confirmed as actively exploited in the wild, though the lack of CSRF protections on administrative functions represents a significant trust boundary violation.

CSRF Nebula 300
NVD VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-2723 MEDIUM This Month

The Post Snippits WordPress plugin for all versions up to and including 1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on settings page handlers that manage snippet creation, modification, and deletion. Unauthenticated attackers can exploit this by crafting malicious requests that, when clicked by an administrator, allow injection of arbitrary scripts and modification of plugin settings, potentially leading to site compromise. The vulnerability has a CVSS score of 6.1 with a network attack vector requiring user interaction.

WordPress CSRF
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-4143 MEDIUM This Month

The Neos Connector for Fakturama WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the ncff_add_plugin_page() function, allowing unauthenticated attackers to modify plugin settings. Affected versions include all releases up to and including 0.0.14. An attacker can exploit this by tricking a site administrator into clicking a malicious link or visiting a crafted webpage, resulting in unauthorized modification of plugin configuration without the administrator's knowledge or consent.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14037 HIGH This Week

The Invelity Product Feeds plugin for WordPress contains an arbitrary file deletion vulnerability through path traversal in versions up to and including 1.2.6. Authenticated administrators can be socially engineered into clicking malicious links that delete arbitrary server files due to missing validation in the createManageFeedPage function. No evidence of active exploitation (not in KEV) exists, though the vulnerability is publicly documented with technical details available via WordPress plugin repository references.

CSRF WordPress Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-1503 MEDIUM This Month

The login_register plugin for WordPress versions up to 1.2.0 contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability due to missing nonce validation and insufficient input sanitization on the settings page. Unauthenticated attackers can craft malicious links to trick administrators into injecting arbitrary JavaScript that persists and executes for all users accessing affected pages. While the CVSS score is moderate at 4.3, the vulnerability requires user interaction (administrator click) but enables persistent script injection with potential for credential theft or further compromise.

WordPress XSS CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3331 MEDIUM PATCH This Month

The Lobot Slider Administrator WordPress plugin (versions up to 0.6.0) contains a Cross-Site Request Forgery (CSRF) vulnerability in the fourty_slider_options_page function due to missing or incorrect nonce validation. This allows unauthenticated attackers to modify plugin slider-page configuration by tricking site administrators into clicking malicious links, potentially altering slider settings and website presentation. The vulnerability carries a moderate CVSS score of 4.3 with low attack complexity, requiring only user interaction and no privileges.

WordPress CSRF
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1392 MEDIUM This Month

The SR WP Minify HTML plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the sr_minify_html_theme() function, affecting all versions up to and including 2.1. An unauthenticated attacker can exploit this vulnerability to modify plugin settings by tricking a site administrator into clicking a malicious link, potentially allowing unauthorized changes to site minification configuration. While the CVSS score of 4.3 is moderate and no KEV status or active exploitation has been confirmed, the vulnerability remains exploitable against WordPress installations with this plugin active.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3332 MEDIUM This Month

The Xhanch - My Advanced Settings WordPress plugin (versions up to 1.1.2) contains a Cross-Site Request Forgery vulnerability in its settings update handler due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if they can trick an administrator into clicking a malicious link. The vulnerability is particularly dangerous because unescaped output of the `favicon_url` and `ga_acc_id` settings enables a CSRF-to-Stored XSS chain, where injected payloads persist and affect all site visitors. While no active exploitation in the wild has been confirmed in public records and the CVSS score of 4.3 is relatively low, the attack requires only user interaction and results in stored cross-site scripting on the front-end.

Google WordPress CSRF XSS
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1390 MEDIUM This Month

The Redirect Countdown WordPress plugin for all versions up to and including 1.0 contains a Cross-Site Request Forgery vulnerability in the countdown_settings_content() function due to missing nonce validation. An unauthenticated attacker can trick a site administrator into clicking a malicious link to modify critical plugin settings including countdown timeout, redirect URL, and custom text. With a CVSS score of 4.3 and network-accessible attack vector, this vulnerability has moderate real-world impact despite low baseline severity, as it directly affects site functionality and user experience.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1378 MEDIUM This Month

The WP Posts Re-order WordPress plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0 due to missing nonce validation in the cpt_plugin_options() function. An unauthenticated attacker can exploit this to modify critical plugin settings including capability, autosort, and adminsort configurations by tricking a site administrator into clicking a malicious link. The vulnerability has a CVSS score of 4.3 (medium severity) with low attack complexity and requires user interaction, and while no public exploit code has been reported, the straightforward nature of CSRF attacks means proof-of-concept development is trivial.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1393 MEDIUM This Month

The Add Google Social Profiles to Knowledge Graph Box WordPress plugin (all versions up to 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on its settings update functionality. An unauthenticated attacker can forge malicious requests to modify the plugin's Knowledge Graph settings if they can trick a site administrator into clicking a malicious link. While the CVSS score of 4.3 is moderate, the attack requires user interaction and has no confidentiality impact, making it a lower-severity real-world threat despite being easily exploitable.

Google WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3572 MEDIUM This Month

The iTracker360 WordPress plugin (versions up to 2.2.0) contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability in its settings form submission handler. An unauthenticated attacker can craft a malicious link or webpage that, when clicked by an administrator, injects arbitrary JavaScript code into the plugin's stored settings due to missing nonce verification and insufficient input sanitization/output escaping. This vulnerability is classified as medium severity (CVSS 6.1) and poses a real risk to WordPress sites using this plugin, as exploitation requires only user interaction and network access with no special privileges.

WordPress XSS CSRF
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-33507 PHP HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.

PHP RCE CSRF Command Injection Path Traversal +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33492 PHP HIGH GHSA This Week

AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.

Session Fixation PHP CSRF Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-33479 PHP HIGH This Week

The Gallery plugin in AVideo contains an unauthenticated remote code execution vulnerability through CSRF-enabled PHP code injection. Attackers can exploit an eval() function that directly executes unsanitized user input by tricking an admin into visiting a malicious page, with the session cookie's SameSite=None configuration enabling cross-site request forgery. A detailed proof-of-concept exploit exists demonstrating command execution through crafted form submissions.

PHP RCE CSRF Code Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-32989 HIGH POC This Week

Precurio Intranet Portal 4.4 contains a CSRF vulnerability that allows attackers to trick authenticated users into uploading malicious files to the server, potentially leading to remote code execution with web server privileges. A public exploit is available via PacketStorm (file ID 215644), significantly lowering the barrier for exploitation. The vulnerability carries a CVSS score of 8.8 with network-based attack vector requiring only user interaction.

CSRF RCE Precurio Intranet Portal
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2024-32537 HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Flash Video Player
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33070 LOW PATCH Monitor

FileRise, a self-hosted web file manager and WebDAV server, contains a missing-authentication vulnerability in the deleteShareLink endpoint that allows unauthenticated attackers to delete arbitrary file share links by providing only the share token, resulting in denial of service to legitimate users accessing shared files. All versions prior to 3.8.0 are affected. While the CVSS score is moderate at 3.7 due to high attack complexity, the vulnerability has a published proof-of-concept via the GitHub security advisory and represents a trivial attack surface requiring only knowledge of a share token.

PHP Denial Of Service CSRF Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-32817 PHP CRITICAL PATCH Act Now

Admidio versions 5.0.0 through 5.0.6 contain a critical authorization bypass vulnerability in the documents and files module that allows unauthorized deletion of folders and files. When the module is configured in public mode, unauthenticated attackers can permanently destroy the entire document library via simple HTTP GET requests without CSRF protection. The vulnerability combines missing authorization checks (CWE-862) with CSRF weaknesses, resulting in a CVSS score of 9.1 (Critical) with network-based attack vector requiring no privileges or user interaction.

CSRF PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33372 MEDIUM This Month

Zimbra Collaboration Server 10.0 and 10.1 accept CSRF tokens from request bodies instead of enforcing header-based validation, allowing attackers to perform unauthorized actions by deceiving authenticated users into submitting malicious requests. This CSRF bypass affects webmail users and could enable account compromise or sensitive data modification without user awareness. No patch is currently available.

CSRF
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32818 PHP MEDIUM PATCH This Month

Admidio versions 5.0.0 through 5.0.6 contain an authorization bypass vulnerability in the forum module that allows any authenticated user to permanently delete forum topics and posts without proper permission checks. An attacker with basic forum access can delete any topic or post by knowing its UUID, which is publicly visible in URLs, completely circumventing the authorization controls that are properly enforced in edit/save operations. This vulnerability was fixed in version 5.0.7, and exploitation requires only low privileges (authenticated user status) with no user interaction.

PHP CSRF Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32816 PHP MEDIUM PATCH This Month

Admidio versions 5.0.0 through 5.0.6 contain a critical cross-site request forgery (CSRF) vulnerability in the groups-roles management module that allows unauthenticated attackers to trick privileged users into permanently deleting organizational roles, deactivating groups, or revoking memberships through forged POST requests. The vulnerability affects users with rol_assign_roles privileges, and exploited attacks result in permanent data loss including cascading deletion of role memberships, event associations, and access rights with no built-in undo mechanism. A patch is available in version 5.0.7, and the vulnerability is not currently tracked in active exploitation databases but poses significant organizational impact due to the permanent nature of role deletion and the low barrier to discovery of target role UUIDs from publicly accessible card views.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-33252 Go HIGH PATCH This Week

The Go SDK's Streamable HTTP transport fails to validate the Origin header and Content-Type on POST requests, allowing attackers to send cross-site requests that bypass CORS protections and trigger MCP tool execution on vulnerable servers without authorization. This affects deployments using stateless or sessionless configurations where an attacker can host a malicious website to send arbitrary MCP requests to a victim's local server. A patch is available that implements Content-Type validation and configurable origin verification.

CSRF Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33231 PyPI HIGH PATCH GHSA This Week

The NLTK (Natural Language Toolkit) WordNet Browser HTTP server contains an unauthenticated shutdown vulnerability that allows any remote attacker to terminate the service with a single GET request to the '/SHUTDOWN THE SERVER' endpoint. This affects users running nltk.app.wordnet_app in its default mode, where the server binds to all network interfaces without authentication. A proof-of-concept exploit is publicly available demonstrating the denial-of-service attack, though EPSS and KEV data are not yet available for this recent CVE.

CSRF Denial Of Service Docker Python Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4068 MEDIUM This Month

The Add Custom Fields to Media WordPress plugin versions up to 2.0.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the field deletion functionality that allows unauthenticated attackers to delete arbitrary custom media fields. The vulnerability exists because the plugin validates nonces for the 'add field' operation but fails to validate nonces on the 'delete field' operation, which processes the $_GET['delete'] parameter directly. An attacker can exploit this by tricking a site administrator into clicking a malicious link, resulting in unauthorized deletion of custom media field configurations with no authentication required beyond social engineering.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32731 npm CRITICAL PATCH Act Now

Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.

Path Traversal Node.js CSRF Denial Of Service Google +3
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-22323 HIGH PATCH This Week

A CSRF vulnerability in A CSRF vulnerability in the Link Aggregation configuration interface (CVSS 7.1) that allows an unauthenticated remote attacker. High severity vulnerability requiring prompt remediation.

CSRF Fl Switch 2005 Fl Switch 2008 Fl Switch 2016 Fl Switch 2105 +73
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-55040 HIGH This Week

MuraCMS versions through 10.1.10 contain a Cross-Site Request Forgery (CSRF) vulnerability in the cForm.importform function that lacks proper token validation, allowing attackers to deceive authenticated administrators into uploading and installing malicious form definitions. An attacker can craft a malicious webpage that, when visited by an authenticated MuraCMS administrator, automatically generates and submits a forged file upload request containing a ZIP archive with attacker-controlled form definitions. Successful exploitation results in the installation of data-harvesting forms on the target website that can steal sensitive user information collected through legitimate-appearing web forms. No active exploitation in the wild has been documented (KEV status unknown), and no formal CVSS score has been assigned, though the vulnerability requires user interaction (administrator must visit the malicious page) which moderates the overall risk profile.

CSRF File Upload
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-55044 HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in the cTrash.restore function of MuraCMS through version 10.1.10, which lacks CSRF token validation. An authenticated administrator can be tricked into restoring deleted content to arbitrary locations within the CMS by visiting a malicious webpage, enabling attackers to resurrect malicious or sensitive content, manipulate website structure, or restore intentionally-removed materials. No CVSS score, EPSS data, or known exploits-in-the-wild confirmation are available at this time, though the vulnerability is documented as requiring user interaction (an admin must visit a crafted page) and authenticated session context.

CSRF
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-55045 HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in MuraCMS through version 10.1.10 affecting the cUsers.updateAddress function, which lacks proper CSRF token validation. Attackers can exploit this by crafting malicious webpages that, when visited by an authenticated administrator, automatically submit hidden forms to add, modify, or delete user address records without the administrator's knowledge or consent. Successful exploitation enables unauthorized manipulation of user address data, potentially redirecting sensitive communications to attacker-controlled addresses, compromising user privacy, and disrupting legitimate business operations through injection of malicious contact information.

CSRF
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-55041 HIGH This Week

MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the user management Add To Group functionality that allows attackers to escalate privileges by adding authenticated users to arbitrary groups without proper authorization validation. An authenticated administrator visiting a malicious webpage can be tricked into adding any user to the Admin group or other privileged groups, though escalation to the Super Admin (s2) group is blocked. This vulnerability enables both horizontal privilege escalation across different user groups and vertical privilege escalation to administrative roles, posing a significant risk to multi-user MuraCMS installations where administrator accounts are targeted.

Privilege Escalation CSRF
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-55046 HIGH This Week

MuraCMS versions through 10.1.10 contain a Cross-Site Request Forgery (CSRF) vulnerability in the cTrash.empty function that lacks proper token validation, allowing attackers to permanently delete all content in the trash system. An authenticated administrator visiting a malicious webpage can be tricked into permanently destroying all deleted content without their knowledge or consent, resulting in catastrophic, irreversible data loss. While no CVSS score or EPSS data is currently available, the vulnerability's attack vector is network-based with low complexity, affecting any authenticated administrator, and the technical impact of complete data destruction in the trash system constitutes a critical business continuity threat.

CSRF
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-55043 MEDIUM This Month

MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators into unknowingly creating and exporting site bundles containing complete sensitive data to publicly accessible web directories. Affected administrators have no knowledge the attack occurred, enabling complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content. While no CVSS score or EPSS probability is available and KEV status is unknown, the vulnerability's silent nature combined with its ability to compromise all site data without authentication represents a critical confidentiality and integrity risk.

Information Disclosure CSRF
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32839 MEDIUM This Month

Cross-site request forgery in Edimax GS-5008PL firmware version 1.00.54 and earlier allows unauthenticated remote attackers to trick administrators into performing unauthorized actions such as password changes, firmware uploads, device reboots, factory resets, and network configuration modifications by visiting attacker-controlled websites. The vulnerability exists due to missing CSRF token validation and insufficient request integrity checks. No patch is currently available for affected devices.

CSRF Edimax Gs 5008pl
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33038 PHP HIGH PATCH This Week

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

PHP RCE SQLi Authentication Bypass CSRF +1
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27978 npm MEDIUM PATCH This Month

Server Action CSRF validation in Next.js incorrectly treats null origins from sandboxed contexts as missing origins, allowing attackers to bypass verification and trick victim browsers into executing state-changing actions with their credentials. This affects applications relying on origin checks for CSRF protection without additional safeguards. A patch is available that enforces strict origin validation unless null is explicitly allowlisted.

CSRF Red Hat
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32813 PHP HIGH PATCH This Week

A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.

CSRF SQLi PHP Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-32812 PHP MEDIUM PATCH This Month

An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.

CSRF Elastic PHP Microsoft SSRF +1
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-32755 PHP MEDIUM PATCH This Month

Admidio's profile membership management function fails to validate CSRF tokens on the save_membership action, allowing an attacker to forge requests that modify membership start and end dates for any member of roles led by the victim. While other membership-related actions (stop_membership, remove_former_membership) include CSRF protection, save_membership was omitted from validation, enabling silent privilege escalation or access revocation through cross-site request forgery. A proof-of-concept exists demonstrating immediate exploitation by embedding a form on an external page.

CSRF PHP
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-32756 PHP HIGH PATCH This Week

A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.

CSRF PHP RCE Information Disclosure File Upload
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-32268 PHP HIGH PATCH This Week

The DefaultController->actionLoadContainerData() endpoint in the Microsoft plugin permits unauthenticated attackers possessing a valid CSRF token to enumerate accessible storage buckets and extract sensitive data from Azure error messages. This authorization bypass affects users running unpatched versions prior to 2.1.1, exposing cloud storage infrastructure details and potentially sensitive system information through verbose error responses.

Information Disclosure Authentication Bypass Microsoft CSRF
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-29521 MEDIUM This Month

Hereta ETH-IMC408M devices running firmware 1.0.15 and earlier are vulnerable to cross-site request forgery attacks that allow unauthenticated remote attackers to modify device configuration through setup.cgi, including adding RADIUS accounts and altering network settings. The vulnerability exploits missing CSRF protections combined with automatic inclusion of HTTP Basic Authentication credentials, requiring only user interaction to trigger the attack. No patch is currently available.

CSRF Eth Imc408M Firmware
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-32266 PHP LOW PATCH Monitor

Unauthenticated users can view a list of buckets the plugin has access to.

CSRF Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.4
EPSS
0.0%
CVE-2026-32265 PHP MEDIUM PATCH This Month

The BucketsController endpoint in this plugin suffers from an information disclosure vulnerability where unauthenticated attackers possessing a valid CSRF token can enumerate the list of accessible buckets. This exposure allows reconnaissance of cloud storage resources available to the plugin without requiring authentication. Update to version 2.2.5 to resolve this issue.

CSRF Information Disclosure
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-69238 MEDIUM PATCH This Month

Raytha CMS contains a Cross-Site Request Forgery (CSRF) vulnerability across multiple endpoints that fails to enforce token verification on POST requests. An authenticated user can be tricked into visiting a malicious website crafted by an attacker, which automatically submits unauthorized requests (such as data deletion) to the Raytha CMS application without requiring explicit user confirmation. This vulnerability affects Raytha CMS versions prior to 1.4.6 and has a CVSS score of 6.9 with medium real-world exploitability.

CSRF Raytha
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2017-20221 MEDIUM POC This Month

A cross-site request forgery (CSRF) vulnerability exists in Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 that allows authenticated attackers to execute arbitrary system commands without additional validation. An attacker can craft a malicious webpage that, when visited by a logged-in router administrator, triggers unauthorized administrative actions with full router privileges. While the CVSS score of 4.3 is moderate and no active exploitation has been widely reported, the ability to achieve command execution on network infrastructure devices represents a meaningful risk to affected deployments.

CSRF Sdt Cs3b1
NVD Exploit-DB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2016-20035 MEDIUM POC This Month

Wowza Streaming Engine version 4.5.0 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions without user interaction. An attacker can craft a malicious webpage that, when visited by a logged-in administrator, automatically submits POST requests to create new administrative accounts with attacker-controlled credentials, effectively granting the attacker full administrative access to the streaming infrastructure. This vulnerability carries a CVSS score of 5.3 (medium severity) but represents significant real-world risk due to the simplicity of exploitation and the high-impact outcome of account creation.

CSRF Wowza Streaming Engine
NVD Exploit-DB VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2016-20034 HIGH POC This Week

A privilege escalation vulnerability in Wowza Streaming Engine 4.5.0 allows authenticated read-only users to elevate their privileges to administrator level by manipulating POST parameters (accessLevel='admin', advUser='true'/'on') sent to the user edit endpoint. A public exploit is available on exploit-db, though the vulnerability has not been added to CISA's KEV catalog, suggesting limited real-world exploitation despite the high CVSS score of 8.8.

Privilege Escalation CSRF Wowza Streaming Engine
NVD Exploit-DB VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2015-20117 MEDIUM POC This Month

RealtyScript 4.0.2 contains a cross-site request forgery (CSRF) vulnerability in its user management endpoints that allows unauthenticated attackers to create arbitrary user accounts and escalate privileges to SUPERUSER level without authentication. The vulnerability affects the /admin/addusers.php and /admin/editadmins.php endpoints, which process hidden form data without CSRF token validation. An attacker can craft malicious web pages or emails containing hidden forms that, when visited by an authenticated administrator, silently create new administrative accounts under the attacker's control, leading to complete system compromise.

CSRF PHP Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2015-20113 MEDIUM POC This Month

RealtyScript 4.0.2 by Next Click Ventures contains both cross-site request forgery (CSRF) and persistent cross-site scripting (XSS) vulnerabilities that allow unauthenticated attackers to perform unauthorized administrative actions and inject malicious scripts into the application. An attacker can craft malicious web pages that trick authenticated users into performing unintended administrative actions, or inject persistent scripts that execute in the application context for all users. With a CVSS score of 5.3 and a network-based attack vector requiring no privileges or user interaction beyond initial application access, this represents a moderate integrity risk to affected deployments.

XSS CSRF Realtyscript
NVD Exploit-DB VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2013-20005 MEDIUM POC This Month

Qool CMS 2.0 RC2 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions on behalf of authenticated users. An attacker can craft malicious web pages that, when visited by a logged-in administrator, silently forge POST requests to the /admin/adduser endpoint to create root-level user accounts, resulting in unauthorized administrative access. The CVSS 5.3 score reflects moderate integrity impact with network attack vector and no privilege requirement, though the vulnerability requires user interaction (visiting a malicious page) to be exploited.

CSRF XSS Qool Cms
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2016-20028 MEDIUM POC This Month

ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery (CSRF) vulnerability that allows authenticated attackers to perform unauthorized administrative actions, specifically adding superadmin accounts without proper validation. An attacker can craft malicious HTTP requests that, when visited by a logged-in administrator, silently create new superadmin credentials, effectively granting the attacker persistent unauthorized administrative access. This vulnerability requires user interaction (a logged-in admin must visit an attacker-controlled page) but does not require elevated privileges to trigger, presenting a moderate but real risk to organizations using this biometric access control system.

CSRF Zkteco Zkbiosecurity
NVD Exploit-DB VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-32456 MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in Janis Elsts Admin Menu Editor plugin for WordPress, affecting versions up to and including 1.14.1. An attacker can forge requests to modify administrator menu configurations without explicit consent, potentially leading to unauthorized changes to the WordPress admin interface. The vulnerability has a CVSS score of 4.3 (Low-Medium severity) and requires user interaction (UI:R) but can be exploited by an unauthenticated attacker over the network.

CSRF Admin Menu Editor
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32443 MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in Josh Kohlbach's Product Feed PRO for WooCommerce plugin affecting versions up to 13.5.2, allowing unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators through malicious web requests. While the CVSS score is 6.5 (Medium), the EPSS score of 0.01% (1st percentile) indicates minimal real-world exploitation probability, suggesting this is a low-priority vulnerability despite the integrity impact. No KEV status or active exploitation evidence is documented.

WordPress CSRF
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32420 MEDIUM This Month

GamiPress versions 7.6.6 and earlier contain a Cross-Site Request Forgery (CSRF) vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through maliciously crafted requests. An attacker can exploit this to modify plugin settings, create or delete gamification elements, or alter user data without the target user's knowledge or consent. The vulnerability requires user interaction (clicking a malicious link) but has no authentication requirement for the attack itself, making it a moderate-risk issue suitable for opportunistic exploitation against WordPress administrators.

CSRF Gamipress
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32344 MEDIUM This Month

Corpiva through version 1.0.96 is vulnerable to cross-site request forgery attacks that allow unauthenticated attackers to perform unauthorized actions on behalf of legitimate users. An attacker can exploit this vulnerability by tricking a user into visiting a malicious webpage while authenticated to Corpiva, resulting in unwanted state changes such as configuration modifications or data manipulation. No patch is currently available for this vulnerability.

CSRF Corpiva
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32343 MEDIUM This Month

Easy Table of Contents versions up to 2.0.80 are vulnerable to cross-site request forgery attacks that allow unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through malicious web pages. The vulnerability requires user interaction to trigger but could result in unauthorized modifications to website content or settings. No patch is currently available for this issue.

CSRF Easy Table Of Contents
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32342 MEDIUM This Month

Quiz Maker version 6.7.1.2 and earlier contains a Cross-Site Request Forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through malicious web pages. An attacker can exploit this to modify quiz content or settings by tricking users into visiting a crafted link while logged into the application. No patch is currently available for this vulnerability.

CSRF Quiz Maker
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32330 MEDIUM This Month

Photo Gallery by 10Web versions up to 1.8.37 contain a cross-site request forgery vulnerability that enables unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction and allows attackers to modify or delete gallery content with no direct access needed. No patch is currently available for this vulnerability.

CSRF Photo Gallery By 10web
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32328 MEDIUM PATCH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in shufflehound's Lemmony application versions prior to 1.7.1, allowing unauthenticated attackers to perform unauthorized actions on behalf of legitimate users through crafted web requests. An attacker can exploit this vulnerability to cause integrity and availability impact by forcing a victim's browser to make unwanted requests to the Lemmony application. The attack requires user interaction (clicking a malicious link) but has a low attack complexity and network accessibility, making it a practical threat in multi-user web environments.

CSRF Lemmony
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2888 MEDIUM This Month

The Formidable Forms WordPress plugin versions up to 6.28 contain an authorization bypass vulnerability in the Stripe payment integration that allows unauthenticated attackers to manipulate PaymentIntent amounts before payment completion. An attacker can exploit the publicly exposed nonce in the `frm_strp_amount` AJAX handler to overwrite POST data and recalculate dynamic pricing fields, enabling payment of reduced amounts for goods or services. While the CVSS score is moderate at 5.3, the vulnerability has direct financial impact on e-commerce deployments and poses a meaningful risk to sites using dynamic pricing with Formidable Forms and Stripe.

Authentication Bypass WordPress CSRF
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-22215 MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains a cross-site request forgery (CSRF) vulnerability in the getFollowsPage() function that allows unauthenticated attackers to trigger unauthorized actions on behalf of legitimate users without valid nonce validation. An attacker can exploit this by crafting malicious requests to enumerate user follow relationships and manipulate follow data, potentially exposing private social graph information and allowing unauthorized modifications to user follow lists. While the CVSS score of 4.3 indicates low to moderate severity with limited direct impact, the vulnerability requires user interaction (UI:R) but has network-accessible attack surface with no authentication requirement, making it practically exploitable in targeted phishing campaigns.

CSRF Wpdiscuz
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22202 HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.

CSRF Wpdiscuz
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-31954 NONE Awaiting Data

Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.

CSRF Emlog
NVD GitHub VulDB
EPSS
0.0%
CVE-2026-30868 MEDIUM This Month

OPNsense prior to version 26.1.4 contains a CSRF vulnerability where state-changing API endpoints accept HTTP GET requests without proper anti-CSRF protections, allowing authenticated users to be tricked into triggering unintended system operations. An attacker can craft a malicious website that, when visited by an authenticated OPNsense administrator, performs unauthorized configuration changes or service reloads through the vulnerable endpoints. No patch is currently available for this medium-severity vulnerability affecting OPNsense firewall deployments.

CSRF Opnsense
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-3903 MEDIUM This Month

The Modular DS WordPress plugin through version 2.5.1 lacks CSRF protections on its OAuth disconnection function, allowing unauthenticated attackers to sever the plugin's SSO connection by tricking administrators into clicking a malicious link. This vulnerability affects all website administrators using the plugin and could disrupt authentication mechanisms if exploited. No patch is currently available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2626 HIGH This Week

divi-booster WordPre versions up to 5.0.2 is affected by cross-site request forgery (csrf) (CVSS 8.1).

WordPress PHP CSRF Deserialization
NVD WPScan
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-2324 MEDIUM This Month

The LatePoint Calendar Booking Plugin for WordPress versions up to 5.2.7 contains a cross-site request forgery vulnerability in the reload_preview() function due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings and inject malicious scripts if a site administrator can be tricked into clicking a malicious link. An attacker exploiting this vulnerability can alter configurations and inject web-based payloads that execute in the administrator's browser session. No patch is currently available for this vulnerability.

WordPress CSRF
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-29113 PHP MEDIUM PATCH This Month

Unauthenticated attackers can generate preview tokens in Craft CMS versions prior to 4.17.4 and 5.9.7 by exploiting a CSRF vulnerability in the /actions/preview/create-token endpoint, which lacks proper token validation and HTTP method restrictions. An attacker can force a logged-in editor to create an attacker-controlled preview token that grants unauthorized access to unpublished content. This attack requires user interaction but allows the attacker to view sensitive content without authentication.

CSRF Craft Cms
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28495 CRITICAL POC Act Now

GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.

PHP RCE CSRF Getsimple Cms
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-28281 HIGH This Week

InstantCMS is a free and open source content management system. versions up to 2.18.1 is affected by cross-site request forgery (csrf) (CVSS 7.1).

CSRF Instantcms
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-1508 MEDIUM This Month

Court Reservation WordPre versions up to 1.10.9 is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-31816 CRITICAL POC Act Now

Authorization bypass in Budibase 3.31.4 and earlier. The authorized() middleware can be bypassed, enabling injection attacks. PoC available.

CSRF Budibase
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-70031 HIGH This Week

An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. [CVSS 8.8 HIGH]

CSRF Sunbirded Portal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3770 LOW POC Monitor

Computer Laboratory Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF Computer Laboratory Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-29784 npm HIGH PATCH This Week

Cross-site request forgery (CSRF) in Ghost CMS versions 5.101.6 through 6.19.2 permits attackers to reuse one-time codes across different login sessions via the /session/verify endpoint, potentially enabling account takeover through phishing attacks. The vulnerability affects Ghost deployments on Node.js and related platforms, requiring no user authentication but relying on user interaction. A patch is available in Ghost version 6.19.3 and later.

Node.js CSRF Ghost
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1087 MEDIUM This Month

The Guardian News Feed WordPress plugin through version 1.2 lacks CSRF protections on its settings update function, allowing unauthenticated attackers to modify plugin configuration including API credentials through social engineering. Site administrators can be tricked into clicking a malicious link that silently changes settings with their authenticated session. No patch is currently available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1086 MEDIUM This Month

Font Pairing Preview For Landing Pages (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1085 MEDIUM This Month

WordPress True Ranker plugin versions up to 2.2.9 lack proper CSRF protections on the account disconnection function, enabling unauthenticated attackers to disconnect an administrator's True Ranker account by tricking them into clicking a malicious link. An attacker exploiting this vulnerability could disrupt SEO monitoring capabilities for affected sites without requiring authentication or special privileges.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1073 MEDIUM This Month

Purchase Button For Affiliate Link (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress PHP CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2494 MEDIUM This Month

The ProfileGrid WordPress plugin through version 5.9.8.2 lacks nonce validation on membership request management functions, allowing unauthenticated attackers to forge requests that approve or deny group membership through social engineering of site administrators. An attacker can exploit this CSRF vulnerability to manipulate group membership status by tricking an admin into clicking a malicious link. No patch is currently available for this medium-severity vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1644 MEDIUM This Month

The WP Frontend Profile WordPress plugin through version 1.3.8 lacks CSRF protections on the update_action function, enabling unauthenticated attackers to manipulate user registration approvals or rejections by deceiving administrators into clicking malicious links. This allows attackers to perform unauthorized account management actions without authentication, potentially disrupting legitimate user onboarding processes. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2018-25200 MEDIUM POC This Month

OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF Php Oop Cms Blog
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2018-25190 MEDIUM POC This Month

Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2018-25186 MEDIUM POC This Month

Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. [CVSS 5.3 MEDIUM]

CSRF
NVD Exploit-DB VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2018-25177 MEDIUM POC This Month

Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
EPSS 0% CVSS 7.2
HIGH This Week

WWBN AVideo, an open source video platform, contains a critical path traversal vulnerability in the pluginRunDatabaseScript.json.php endpoint that allows authenticated administrators to execute arbitrary SQL queries against the application database. Versions up to and including 26.0 are affected. The vulnerability can also be exploited via CSRF attacks against authenticated admin sessions, enabling unauthenticated attackers to achieve remote code execution or complete database compromise.

Path Traversal PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo open source video platform versions up to and including 26.0 allows unauthenticated attackers to escalate privileges to near-admin access by tricking an administrator into visiting a malicious page. The vulnerability exists in the setPermission.json.php endpoint which accepts state-changing operations via GET requests without CSRF token validation, compounded by the application's explicit SameSite=None cookie setting. No patched version is currently available, and with a CVSS score of 8.1 (High), this represents a significant risk for installations with administrative users who browse external content.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW POC Monitor

A cross-site request forgery (CSRF) vulnerability exists in Kalcaddle Kodbox 1.64 affecting the loginSubmit API endpoint within the OAuth bind controller. An unauthenticated remote attacker can manipulate the 'third' parameter to forge requests that modify application state, though the attack requires user interaction and high complexity. A public proof-of-concept exploit has been released, and the vendor has not responded to early disclosure notifications.

CSRF PHP
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Fastify versions 5.8.2 and earlier contain a header spoofing vulnerability in the trustProxy implementation where the request.protocol and request.host getters incorrectly trust X-Forwarded-Proto and X-Forwarded-Host headers even from untrusted connections when a restrictive trust function is configured. An attacker who can connect directly to a Fastify instance (bypassing the intended proxy) can spoof protocol and host values, potentially bypassing HTTPS enforcement, manipulating secure cookie behavior, and defeating CSRF origin checks. This vulnerability affects applications relying on these headers for security decisions and has a CVSS score of 6.1 with adjacent attack vector and high complexity, indicating moderate real-world exploitability.

CSRF Red Hat
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

This vulnerability is a Cross-Site Request Forgery (CSRF) flaw affecting the Nexxt Solutions Nebula 300+ device firmware through version 12.01.01.37, where state-changing administrative endpoints lack proper CSRF protections. An attacker can trick an authenticated administrator into submitting malicious requests that modify critical device settings, including security configurations, without the administrator's knowledge or consent. No CVSS score or EPSS data is currently available, and the vulnerability has not been confirmed as actively exploited in the wild, though the lack of CSRF protections on administrative functions represents a significant trust boundary violation.

CSRF Nebula 300
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

The Post Snippits WordPress plugin for all versions up to and including 1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on settings page handlers that manage snippet creation, modification, and deletion. Unauthenticated attackers can exploit this by crafting malicious requests that, when clicked by an administrator, allow injection of arbitrary scripts and modification of plugin settings, potentially leading to site compromise. The vulnerability has a CVSS score of 6.1 with a network attack vector requiring user interaction.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Neos Connector for Fakturama WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the ncff_add_plugin_page() function, allowing unauthenticated attackers to modify plugin settings. Affected versions include all releases up to and including 0.0.14. An attacker can exploit this by tricking a site administrator into clicking a malicious link or visiting a crafted webpage, resulting in unauthorized modification of plugin configuration without the administrator's knowledge or consent.

WordPress CSRF
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Invelity Product Feeds plugin for WordPress contains an arbitrary file deletion vulnerability through path traversal in versions up to and including 1.2.6. Authenticated administrators can be socially engineered into clicking malicious links that delete arbitrary server files due to missing validation in the createManageFeedPage function. No evidence of active exploitation (not in KEV) exists, though the vulnerability is publicly documented with technical details available via WordPress plugin repository references.

CSRF WordPress Path Traversal
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The login_register plugin for WordPress versions up to 1.2.0 contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability due to missing nonce validation and insufficient input sanitization on the settings page. Unauthenticated attackers can craft malicious links to trick administrators into injecting arbitrary JavaScript that persists and executes for all users accessing affected pages. While the CVSS score is moderate at 4.3, the vulnerability requires user interaction (administrator click) but enables persistent script injection with potential for credential theft or further compromise.

WordPress XSS CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Lobot Slider Administrator WordPress plugin (versions up to 0.6.0) contains a Cross-Site Request Forgery (CSRF) vulnerability in the fourty_slider_options_page function due to missing or incorrect nonce validation. This allows unauthenticated attackers to modify plugin slider-page configuration by tricking site administrators into clicking malicious links, potentially altering slider settings and website presentation. The vulnerability carries a moderate CVSS score of 4.3 with low attack complexity, requiring only user interaction and no privileges.

WordPress CSRF
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The SR WP Minify HTML plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the sr_minify_html_theme() function, affecting all versions up to and including 2.1. An unauthenticated attacker can exploit this vulnerability to modify plugin settings by tricking a site administrator into clicking a malicious link, potentially allowing unauthorized changes to site minification configuration. While the CVSS score of 4.3 is moderate and no KEV status or active exploitation has been confirmed, the vulnerability remains exploitable against WordPress installations with this plugin active.

WordPress CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Xhanch - My Advanced Settings WordPress plugin (versions up to 1.1.2) contains a Cross-Site Request Forgery vulnerability in its settings update handler due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if they can trick an administrator into clicking a malicious link. The vulnerability is particularly dangerous because unescaped output of the `favicon_url` and `ga_acc_id` settings enables a CSRF-to-Stored XSS chain, where injected payloads persist and affect all site visitors. While no active exploitation in the wild has been confirmed in public records and the CVSS score of 4.3 is relatively low, the attack requires only user interaction and results in stored cross-site scripting on the front-end.

Google WordPress CSRF +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

The Redirect Countdown WordPress plugin for all versions up to and including 1.0 contains a Cross-Site Request Forgery vulnerability in the countdown_settings_content() function due to missing nonce validation. An unauthenticated attacker can trick a site administrator into clicking a malicious link to modify critical plugin settings including countdown timeout, redirect URL, and custom text. With a CVSS score of 4.3 and network-accessible attack vector, this vulnerability has moderate real-world impact despite low baseline severity, as it directly affects site functionality and user experience.

WordPress CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Posts Re-order WordPress plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0 due to missing nonce validation in the cpt_plugin_options() function. An unauthenticated attacker can exploit this to modify critical plugin settings including capability, autosort, and adminsort configurations by tricking a site administrator into clicking a malicious link. The vulnerability has a CVSS score of 4.3 (medium severity) with low attack complexity and requires user interaction, and while no public exploit code has been reported, the straightforward nature of CSRF attacks means proof-of-concept development is trivial.

WordPress CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Add Google Social Profiles to Knowledge Graph Box WordPress plugin (all versions up to 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on its settings update functionality. An unauthenticated attacker can forge malicious requests to modify the plugin's Knowledge Graph settings if they can trick a site administrator into clicking a malicious link. While the CVSS score of 4.3 is moderate, the attack requires user interaction and has no confidentiality impact, making it a lower-severity real-world threat despite being easily exploitable.

Google WordPress CSRF
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

The iTracker360 WordPress plugin (versions up to 2.2.0) contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability in its settings form submission handler. An unauthenticated attacker can craft a malicious link or webpage that, when clicked by an administrator, injects arbitrary JavaScript code into the plugin's stored settings due to missing nonce verification and insufficient input sanitization/output escaping. This vulnerability is classified as medium severity (CVSS 6.1) and poses a real risk to WordPress sites using this plugin, as exploitation requires only user interaction and network access with no special privileges.

WordPress XSS CSRF
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.

PHP RCE CSRF +3
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.

Session Fixation PHP CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The Gallery plugin in AVideo contains an unauthenticated remote code execution vulnerability through CSRF-enabled PHP code injection. Attackers can exploit an eval() function that directly executes unsanitized user input by tricking an admin into visiting a malicious page, with the session cookie's SameSite=None configuration enabling cross-site request forgery. A detailed proof-of-concept exploit exists demonstrating command execution through crafted form submissions.

PHP RCE CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Precurio Intranet Portal 4.4 contains a CSRF vulnerability that allows attackers to trick authenticated users into uploading malicious files to the server, potentially leading to remote code execution with web server privileges. A public exploit is available via PacketStorm (file ID 215644), significantly lowering the barrier for exploitation. The vulnerability carries a CVSS score of 8.8 with network-based attack vector requiring only user interaction.

CSRF RCE Precurio Intranet Portal
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Flash Video Player
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

FileRise, a self-hosted web file manager and WebDAV server, contains a missing-authentication vulnerability in the deleteShareLink endpoint that allows unauthenticated attackers to delete arbitrary file share links by providing only the share token, resulting in denial of service to legitimate users accessing shared files. All versions prior to 3.8.0 are affected. While the CVSS score is moderate at 3.7 due to high attack complexity, the vulnerability has a published proof-of-concept via the GitHub security advisory and represents a trivial attack surface requiring only knowledge of a share token.

PHP Denial Of Service CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Admidio versions 5.0.0 through 5.0.6 contain a critical authorization bypass vulnerability in the documents and files module that allows unauthorized deletion of folders and files. When the module is configured in public mode, unauthenticated attackers can permanently destroy the entire document library via simple HTTP GET requests without CSRF protection. The vulnerability combines missing authorization checks (CWE-862) with CSRF weaknesses, resulting in a CVSS score of 9.1 (Critical) with network-based attack vector requiring no privileges or user interaction.

CSRF PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Zimbra Collaboration Server 10.0 and 10.1 accept CSRF tokens from request bodies instead of enforcing header-based validation, allowing attackers to perform unauthorized actions by deceiving authenticated users into submitting malicious requests. This CSRF bypass affects webmail users and could enable account compromise or sensitive data modification without user awareness. No patch is currently available.

CSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Admidio versions 5.0.0 through 5.0.6 contain an authorization bypass vulnerability in the forum module that allows any authenticated user to permanently delete forum topics and posts without proper permission checks. An attacker with basic forum access can delete any topic or post by knowing its UUID, which is publicly visible in URLs, completely circumventing the authorization controls that are properly enforced in edit/save operations. This vulnerability was fixed in version 5.0.7, and exploitation requires only low privileges (authenticated user status) with no user interaction.

PHP CSRF Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Admidio versions 5.0.0 through 5.0.6 contain a critical cross-site request forgery (CSRF) vulnerability in the groups-roles management module that allows unauthenticated attackers to trick privileged users into permanently deleting organizational roles, deactivating groups, or revoking memberships through forged POST requests. The vulnerability affects users with rol_assign_roles privileges, and exploited attacks result in permanent data loss including cascading deletion of role memberships, event associations, and access rights with no built-in undo mechanism. A patch is available in version 5.0.7, and the vulnerability is not currently tracked in active exploitation databases but poses significant organizational impact due to the permanent nature of role deletion and the low barrier to discovery of target role UUIDs from publicly accessible card views.

PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

The Go SDK's Streamable HTTP transport fails to validate the Origin header and Content-Type on POST requests, allowing attackers to send cross-site requests that bypass CORS protections and trigger MCP tool execution on vulnerable servers without authorization. This affects deployments using stateless or sessionless configurations where an attacker can host a malicious website to send arbitrary MCP requests to a victim's local server. A patch is available that implements Content-Type validation and configurable origin verification.

CSRF Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The NLTK (Natural Language Toolkit) WordNet Browser HTTP server contains an unauthenticated shutdown vulnerability that allows any remote attacker to terminate the service with a single GET request to the '/SHUTDOWN THE SERVER' endpoint. This affects users running nltk.app.wordnet_app in its default mode, where the server binds to all network interfaces without authentication. A proof-of-concept exploit is publicly available demonstrating the denial-of-service attack, though EPSS and KEV data are not yet available for this recent CVE.

CSRF Denial Of Service Docker +2
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Add Custom Fields to Media WordPress plugin versions up to 2.0.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the field deletion functionality that allows unauthenticated attackers to delete arbitrary custom media fields. The vulnerability exists because the plugin validates nonces for the 'add field' operation but fails to validate nonces on the 'delete field' operation, which processes the $_GET['delete'] parameter directly. An attacker can exploit this by tricking a site administrator into clicking a malicious link, resulting in unauthorized deletion of custom media field configurations with no authentication required beyond social engineering.

WordPress CSRF
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.

Path Traversal Node.js CSRF +5
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

A CSRF vulnerability in A CSRF vulnerability in the Link Aggregation configuration interface (CVSS 7.1) that allows an unauthenticated remote attacker. High severity vulnerability requiring prompt remediation.

CSRF Fl Switch 2005 Fl Switch 2008 +75
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

MuraCMS versions through 10.1.10 contain a Cross-Site Request Forgery (CSRF) vulnerability in the cForm.importform function that lacks proper token validation, allowing attackers to deceive authenticated administrators into uploading and installing malicious form definitions. An attacker can craft a malicious webpage that, when visited by an authenticated MuraCMS administrator, automatically generates and submits a forged file upload request containing a ZIP archive with attacker-controlled form definitions. Successful exploitation results in the installation of data-harvesting forms on the target website that can steal sensitive user information collected through legitimate-appearing web forms. No active exploitation in the wild has been documented (KEV status unknown), and no formal CVSS score has been assigned, though the vulnerability requires user interaction (administrator must visit the malicious page) which moderates the overall risk profile.

CSRF File Upload
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in the cTrash.restore function of MuraCMS through version 10.1.10, which lacks CSRF token validation. An authenticated administrator can be tricked into restoring deleted content to arbitrary locations within the CMS by visiting a malicious webpage, enabling attackers to resurrect malicious or sensitive content, manipulate website structure, or restore intentionally-removed materials. No CVSS score, EPSS data, or known exploits-in-the-wild confirmation are available at this time, though the vulnerability is documented as requiring user interaction (an admin must visit a crafted page) and authenticated session context.

CSRF
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in MuraCMS through version 10.1.10 affecting the cUsers.updateAddress function, which lacks proper CSRF token validation. Attackers can exploit this by crafting malicious webpages that, when visited by an authenticated administrator, automatically submit hidden forms to add, modify, or delete user address records without the administrator's knowledge or consent. Successful exploitation enables unauthorized manipulation of user address data, potentially redirecting sensitive communications to attacker-controlled addresses, compromising user privacy, and disrupting legitimate business operations through injection of malicious contact information.

CSRF
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the user management Add To Group functionality that allows attackers to escalate privileges by adding authenticated users to arbitrary groups without proper authorization validation. An authenticated administrator visiting a malicious webpage can be tricked into adding any user to the Admin group or other privileged groups, though escalation to the Super Admin (s2) group is blocked. This vulnerability enables both horizontal privilege escalation across different user groups and vertical privilege escalation to administrative roles, posing a significant risk to multi-user MuraCMS installations where administrator accounts are targeted.

Privilege Escalation CSRF
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

MuraCMS versions through 10.1.10 contain a Cross-Site Request Forgery (CSRF) vulnerability in the cTrash.empty function that lacks proper token validation, allowing attackers to permanently delete all content in the trash system. An authenticated administrator visiting a malicious webpage can be tricked into permanently destroying all deleted content without their knowledge or consent, resulting in catastrophic, irreversible data loss. While no CVSS score or EPSS data is currently available, the vulnerability's attack vector is network-based with low complexity, affecting any authenticated administrator, and the technical impact of complete data destruction in the trash system constitutes a critical business continuity threat.

CSRF
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators into unknowingly creating and exporting site bundles containing complete sensitive data to publicly accessible web directories. Affected administrators have no knowledge the attack occurred, enabling complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content. While no CVSS score or EPSS probability is available and KEV status is unknown, the vulnerability's silent nature combined with its ability to compromise all site data without authentication represents a critical confidentiality and integrity risk.

Information Disclosure CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in Edimax GS-5008PL firmware version 1.00.54 and earlier allows unauthenticated remote attackers to trick administrators into performing unauthorized actions such as password changes, firmware uploads, device reboots, factory resets, and network configuration modifications by visiting attacker-controlled websites. The vulnerability exists due to missing CSRF token validation and insufficient request integrity checks. No patch is currently available for affected devices.

CSRF Edimax Gs 5008pl
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

PHP RCE SQLi +3
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Server Action CSRF validation in Next.js incorrectly treats null origins from sandboxed contexts as missing origins, allowing attackers to bypass verification and trick victim browsers into executing state-changing actions with their credentials. This affects applications relying on origin checks for CSRF protection without additional safeguards. A patch is available that enforces strict origin validation unless null is explicitly allowlisted.

CSRF Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

A second-order SQL injection vulnerability exists in Admidio's MyList configuration feature, allowing authenticated users to inject arbitrary SQL commands through list column configurations that are safely stored but unsafely read back. The vulnerability enables attackers to read sensitive data including password hashes, modify database contents, or achieve full database compromise. A detailed proof-of-concept is available demonstrating exploitation requiring only standard user privileges.

CSRF SQLi PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

An unauthenticated Server-Side Request Forgery (SSRF) and Local File Read vulnerability exists in the Admidio SSO metadata fetch endpoint, which accepts arbitrary URLs via GET parameter and passes them directly to file_get_contents() after validating only with PHP's FILTER_VALIDATE_URL-a format checker that does not block dangerous URI schemes. An authenticated administrator can exploit this to read arbitrary local files (including database credentials from config.php), probe internal network services, or fetch cloud instance metadata (such as AWS IAM credentials from 169.254.169.254). A proof-of-concept demonstrating all attack vectors has been published; CVSS 6.8 reflects high confidentiality impact but is mitigated by the requirement for administrator privileges.

CSRF Elastic PHP +3
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Admidio's profile membership management function fails to validate CSRF tokens on the save_membership action, allowing an attacker to forge requests that modify membership start and end dates for any member of roles led by the victim. While other membership-related actions (stop_membership, remove_former_membership) include CSRF protection, save_membership was omitted from validation, enabling silent privilege escalation or access revocation through cross-site request forgery. A proof-of-concept exists demonstrating immediate exploitation by embedding a form on an external page.

CSRF PHP
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A critical unrestricted file upload vulnerability in Admidio's Documents & Files module allows authenticated users with upload permissions to bypass file extension restrictions by submitting an invalid CSRF token, enabling upload of PHP scripts that lead to Remote Code Execution. The vulnerability affects Admidio versions prior to the patch and has a published proof-of-concept demonstrating webshell upload and command execution. With a CVSS score of 8.8 and detailed exploitation steps available, this represents a high-priority risk for organizations using Admidio for document management.

CSRF PHP RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

The DefaultController->actionLoadContainerData() endpoint in the Microsoft plugin permits unauthenticated attackers possessing a valid CSRF token to enumerate accessible storage buckets and extract sensitive data from Azure error messages. This authorization bypass affects users running unpatched versions prior to 2.1.1, exposing cloud storage infrastructure details and potentially sensitive system information through verbose error responses.

Information Disclosure Authentication Bypass Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Hereta ETH-IMC408M devices running firmware 1.0.15 and earlier are vulnerable to cross-site request forgery attacks that allow unauthenticated remote attackers to modify device configuration through setup.cgi, including adding RADIUS accounts and altering network settings. The vulnerability exploits missing CSRF protections combined with automatic inclusion of HTTP Basic Authentication credentials, requiring only user interaction to trigger the attack. No patch is currently available.

CSRF Eth Imc408M Firmware
NVD VulDB
EPSS 0% CVSS 2.4
LOW PATCH Monitor

Unauthenticated users can view a list of buckets the plugin has access to.

CSRF Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

The BucketsController endpoint in this plugin suffers from an information disclosure vulnerability where unauthenticated attackers possessing a valid CSRF token can enumerate the list of accessible buckets. This exposure allows reconnaissance of cloud storage resources available to the plugin without requiring authentication. Update to version 2.2.5 to resolve this issue.

CSRF Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Raytha CMS contains a Cross-Site Request Forgery (CSRF) vulnerability across multiple endpoints that fails to enforce token verification on POST requests. An authenticated user can be tricked into visiting a malicious website crafted by an attacker, which automatically submits unauthorized requests (such as data deletion) to the Raytha CMS application without requiring explicit user confirmation. This vulnerability affects Raytha CMS versions prior to 1.4.6 and has a CVSS score of 6.9 with medium real-world exploitability.

CSRF Raytha
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A cross-site request forgery (CSRF) vulnerability exists in Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 that allows authenticated attackers to execute arbitrary system commands without additional validation. An attacker can craft a malicious webpage that, when visited by a logged-in router administrator, triggers unauthorized administrative actions with full router privileges. While the CVSS score of 4.3 is moderate and no active exploitation has been widely reported, the ability to achieve command execution on network infrastructure devices represents a meaningful risk to affected deployments.

CSRF Sdt Cs3b1
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Wowza Streaming Engine version 4.5.0 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions without user interaction. An attacker can craft a malicious webpage that, when visited by a logged-in administrator, automatically submits POST requests to create new administrative accounts with attacker-controlled credentials, effectively granting the attacker full administrative access to the streaming infrastructure. This vulnerability carries a CVSS score of 5.3 (medium severity) but represents significant real-world risk due to the simplicity of exploitation and the high-impact outcome of account creation.

CSRF Wowza Streaming Engine
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

A privilege escalation vulnerability in Wowza Streaming Engine 4.5.0 allows authenticated read-only users to elevate their privileges to administrator level by manipulating POST parameters (accessLevel='admin', advUser='true'/'on') sent to the user edit endpoint. A public exploit is available on exploit-db, though the vulnerability has not been added to CISA's KEV catalog, suggesting limited real-world exploitation despite the high CVSS score of 8.8.

Privilege Escalation CSRF Wowza Streaming Engine
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

RealtyScript 4.0.2 contains a cross-site request forgery (CSRF) vulnerability in its user management endpoints that allows unauthenticated attackers to create arbitrary user accounts and escalate privileges to SUPERUSER level without authentication. The vulnerability affects the /admin/addusers.php and /admin/editadmins.php endpoints, which process hidden form data without CSRF token validation. An attacker can craft malicious web pages or emails containing hidden forms that, when visited by an authenticated administrator, silently create new administrative accounts under the attacker's control, leading to complete system compromise.

CSRF PHP Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

RealtyScript 4.0.2 by Next Click Ventures contains both cross-site request forgery (CSRF) and persistent cross-site scripting (XSS) vulnerabilities that allow unauthenticated attackers to perform unauthorized administrative actions and inject malicious scripts into the application. An attacker can craft malicious web pages that trick authenticated users into performing unintended administrative actions, or inject persistent scripts that execute in the application context for all users. With a CVSS score of 5.3 and a network-based attack vector requiring no privileges or user interaction beyond initial application access, this represents a moderate integrity risk to affected deployments.

XSS CSRF Realtyscript
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Qool CMS 2.0 RC2 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions on behalf of authenticated users. An attacker can craft malicious web pages that, when visited by a logged-in administrator, silently forge POST requests to the /admin/adduser endpoint to create root-level user accounts, resulting in unauthorized administrative access. The CVSS 5.3 score reflects moderate integrity impact with network attack vector and no privilege requirement, though the vulnerability requires user interaction (visiting a malicious page) to be exploited.

CSRF XSS Qool Cms
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery (CSRF) vulnerability that allows authenticated attackers to perform unauthorized administrative actions, specifically adding superadmin accounts without proper validation. An attacker can craft malicious HTTP requests that, when visited by a logged-in administrator, silently create new superadmin credentials, effectively granting the attacker persistent unauthorized administrative access. This vulnerability requires user interaction (a logged-in admin must visit an attacker-controlled page) but does not require elevated privileges to trigger, presenting a moderate but real risk to organizations using this biometric access control system.

CSRF Zkteco Zkbiosecurity
NVD Exploit-DB VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in Janis Elsts Admin Menu Editor plugin for WordPress, affecting versions up to and including 1.14.1. An attacker can forge requests to modify administrator menu configurations without explicit consent, potentially leading to unauthorized changes to the WordPress admin interface. The vulnerability has a CVSS score of 4.3 (Low-Medium severity) and requires user interaction (UI:R) but can be exploited by an unauthenticated attacker over the network.

CSRF Admin Menu Editor
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in Josh Kohlbach's Product Feed PRO for WooCommerce plugin affecting versions up to 13.5.2, allowing unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators through malicious web requests. While the CVSS score is 6.5 (Medium), the EPSS score of 0.01% (1st percentile) indicates minimal real-world exploitation probability, suggesting this is a low-priority vulnerability despite the integrity impact. No KEV status or active exploitation evidence is documented.

WordPress CSRF
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

GamiPress versions 7.6.6 and earlier contain a Cross-Site Request Forgery (CSRF) vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through maliciously crafted requests. An attacker can exploit this to modify plugin settings, create or delete gamification elements, or alter user data without the target user's knowledge or consent. The vulnerability requires user interaction (clicking a malicious link) but has no authentication requirement for the attack itself, making it a moderate-risk issue suitable for opportunistic exploitation against WordPress administrators.

CSRF Gamipress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Corpiva through version 1.0.96 is vulnerable to cross-site request forgery attacks that allow unauthenticated attackers to perform unauthorized actions on behalf of legitimate users. An attacker can exploit this vulnerability by tricking a user into visiting a malicious webpage while authenticated to Corpiva, resulting in unwanted state changes such as configuration modifications or data manipulation. No patch is currently available for this vulnerability.

CSRF Corpiva
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Easy Table of Contents versions up to 2.0.80 are vulnerable to cross-site request forgery attacks that allow unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through malicious web pages. The vulnerability requires user interaction to trigger but could result in unauthorized modifications to website content or settings. No patch is currently available for this issue.

CSRF Easy Table Of Contents
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Quiz Maker version 6.7.1.2 and earlier contains a Cross-Site Request Forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through malicious web pages. An attacker can exploit this to modify quiz content or settings by tricking users into visiting a crafted link while logged into the application. No patch is currently available for this vulnerability.

CSRF Quiz Maker
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Photo Gallery by 10Web versions up to 1.8.37 contain a cross-site request forgery vulnerability that enables unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction and allows attackers to modify or delete gallery content with no direct access needed. No patch is currently available for this vulnerability.

CSRF Photo Gallery By 10web
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in shufflehound's Lemmony application versions prior to 1.7.1, allowing unauthenticated attackers to perform unauthorized actions on behalf of legitimate users through crafted web requests. An attacker can exploit this vulnerability to cause integrity and availability impact by forcing a victim's browser to make unwanted requests to the Lemmony application. The attack requires user interaction (clicking a malicious link) but has a low attack complexity and network accessibility, making it a practical threat in multi-user web environments.

CSRF Lemmony
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

The Formidable Forms WordPress plugin versions up to 6.28 contain an authorization bypass vulnerability in the Stripe payment integration that allows unauthenticated attackers to manipulate PaymentIntent amounts before payment completion. An attacker can exploit the publicly exposed nonce in the `frm_strp_amount` AJAX handler to overwrite POST data and recalculate dynamic pricing fields, enabling payment of reduced amounts for goods or services. While the CVSS score is moderate at 5.3, the vulnerability has direct financial impact on e-commerce deployments and poses a meaningful risk to sites using dynamic pricing with Formidable Forms and Stripe.

Authentication Bypass WordPress CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

wpDiscuz before version 7.6.47 contains a cross-site request forgery (CSRF) vulnerability in the getFollowsPage() function that allows unauthenticated attackers to trigger unauthorized actions on behalf of legitimate users without valid nonce validation. An attacker can exploit this by crafting malicious requests to enumerate user follow relationships and manipulate follow data, potentially exposing private social graph information and allowing unauthorized modifications to user follow lists. While the CVSS score of 4.3 indicates low to moderate severity with limited direct impact, the vulnerability requires user interaction (UI:R) but has network-accessible attack surface with no authentication requirement, making it practically exploitable in targeted phishing campaigns.

CSRF Wpdiscuz
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

High severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection.

CSRF Wpdiscuz
NVD VulDB
EPSS 0%
NONE Awaiting Data

Emlog is an open source website building system. In 2.6.6 and earlier, the delete_async action (asynchronous delete) lacks a call to LoginAuth::checkToken(), enabling CSRF attacks.

CSRF Emlog
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

OPNsense prior to version 26.1.4 contains a CSRF vulnerability where state-changing API endpoints accept HTTP GET requests without proper anti-CSRF protections, allowing authenticated users to be tricked into triggering unintended system operations. An attacker can craft a malicious website that, when visited by an authenticated OPNsense administrator, performs unauthorized configuration changes or service reloads through the vulnerable endpoints. No patch is currently available for this medium-severity vulnerability affecting OPNsense firewall deployments.

CSRF Opnsense
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Modular DS WordPress plugin through version 2.5.1 lacks CSRF protections on its OAuth disconnection function, allowing unauthenticated attackers to sever the plugin's SSO connection by tricking administrators into clicking a malicious link. This vulnerability affects all website administrators using the plugin and could disrupt authentication mechanisms if exploited. No patch is currently available.

WordPress CSRF
NVD
EPSS 0% CVSS 8.1
HIGH This Week

divi-booster WordPre versions up to 5.0.2 is affected by cross-site request forgery (csrf) (CVSS 8.1).

WordPress PHP CSRF +1
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM This Month

The LatePoint Calendar Booking Plugin for WordPress versions up to 5.2.7 contains a cross-site request forgery vulnerability in the reload_preview() function due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings and inject malicious scripts if a site administrator can be tricked into clicking a malicious link. An attacker exploiting this vulnerability can alter configurations and inject web-based payloads that execute in the administrator's browser session. No patch is currently available for this vulnerability.

WordPress CSRF
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthenticated attackers can generate preview tokens in Craft CMS versions prior to 4.17.4 and 5.9.7 by exploiting a CSRF vulnerability in the /actions/preview/create-token endpoint, which lacks proper token validation and HTTP method restrictions. An attacker can force a logged-in editor to create an attacker-controlled preview token that grants unauthorized access to unpublished content. This attack requires user interaction but allows the attacker to view sensitive content without authentication.

CSRF Craft Cms
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

GetSimple CMS massiveAdmin plugin has a CSRF vulnerability enabling attackers to perform admin actions through crafted malicious pages.

PHP RCE CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

InstantCMS is a free and open source content management system. versions up to 2.18.1 is affected by cross-site request forgery (csrf) (CVSS 7.1).

CSRF Instantcms
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Court Reservation WordPre versions up to 1.10.9 is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD WPScan VulDB
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Authorization bypass in Budibase 3.31.4 and earlier. The authorized() middleware can be bypassed, enabling injection attacks. PoC available.

CSRF Budibase
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. [CVSS 8.8 HIGH]

CSRF Sunbirded Portal
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Computer Laboratory Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF Computer Laboratory Management System
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery (CSRF) in Ghost CMS versions 5.101.6 through 6.19.2 permits attackers to reuse one-time codes across different login sessions via the /session/verify endpoint, potentially enabling account takeover through phishing attacks. The vulnerability affects Ghost deployments on Node.js and related platforms, requiring no user authentication but relying on user interaction. A patch is available in Ghost version 6.19.3 and later.

Node.js CSRF Ghost
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

The Guardian News Feed WordPress plugin through version 1.2 lacks CSRF protections on its settings update function, allowing unauthenticated attackers to modify plugin configuration including API credentials through social engineering. Site administrators can be tricked into clicking a malicious link that silently changes settings with their authenticated session. No patch is currently available.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Font Pairing Preview For Landing Pages (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WordPress True Ranker plugin versions up to 2.2.9 lack proper CSRF protections on the account disconnection function, enabling unauthenticated attackers to disconnect an administrator's True Ranker account by tricking them into clicking a malicious link. An attacker exploiting this vulnerability could disrupt SEO monitoring capabilities for affected sites without requiring authentication or special privileges.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Purchase Button For Affiliate Link (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress PHP CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The ProfileGrid WordPress plugin through version 5.9.8.2 lacks nonce validation on membership request management functions, allowing unauthenticated attackers to forge requests that approve or deny group membership through social engineering of site administrators. An attacker can exploit this CSRF vulnerability to manipulate group membership status by tricking an admin into clicking a malicious link. No patch is currently available for this medium-severity vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Frontend Profile WordPress plugin through version 1.3.8 lacks CSRF protections on the update_action function, enabling unauthenticated attackers to manipulate user registration approvals or rejections by deceiving administrators into clicking malicious links. This allows attackers to perform unauthorized account management actions without authentication, potentially disrupting legitimate user onboarding processes. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF Php Oop Cms Blog
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. [CVSS 5.3 MEDIUM]

CSRF
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to reset administrator passwords without authentication by submitting crafted POST requests. [CVSS 5.3 MEDIUM]

PHP CSRF
NVD Exploit-DB
Prev Page 7 of 94 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy