Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-37450 | 1 Rarathemes | 1 Benevolent | 2026-01-08 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Benevolent allows Cross Site Request Forgery.This issue affects Benevolent: from n/a through 1.3.4.
|
|||||
| CVE-2024-37435 | 1 Rarathemes | 1 Perfect Portfolio | 2026-01-08 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Perfect Portfolio allows Cross Site Request Forgery.This issue affects Perfect Portfolio: from n/a through 1.2.0.
|
|||||
| CVE-2024-31205 | 1 Saleor | 1 Saleor | 2026-01-07 | N/A | 4.2 MEDIUM |
|
Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery (CSRF) validation when calling refresh token mutation with empty string. When a user provides an empty string in `refreshToken` mutation, while the token persists in `JWT_REFRESH_TOKEN_COOKIE_NAME` cookie, application omits validation against CSRF token and returns valid access token. Versions 3.14.64, 3.15.3 ...
Show More |
|||||
| CVE-2024-31371 | 1 Xylusthemes | 1 Wp Event Aggregator | 2026-01-07 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Xylus Themes WP Event Aggregator.This issue affects WP Event Aggregator: from n/a through 1.7.6.
|
|||||
| CVE-2024-33688 | 1 Extendthemes | 1 Teluro | 2026-01-07 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes Teluro.This issue affects Teluro: from n/a through 1.0.31.
|
|||||
| CVE-2024-34809 | 1 Extendthemes | 1 Empowerwp | 2026-01-07 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes EmpowerWP.This issue affects EmpowerWP: from n/a through 1.0.21.
|
|||||
| CVE-2022-47443 | 1 Danielpowney | 1 Multi Rating | 2026-01-07 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.5 versions.
|
|||||
| CVE-2024-31429 | 1 Blossomthemes | 1 Sarada | 2026-01-07 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Sarada Lite.This issue affects Sarada Lite: from n/a through 1.1.2.
|
|||||
| CVE-2024-37243 | 1 Blossomthemes | 1 Vandana | 2026-01-07 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vandana Lite allows Cross Site Request Forgery.This issue affects Vandana Lite: from n/a through 1.1.9.
|
|||||
| CVE-2023-50931 | 1 Savignano | 1 S-notify | 2026-01-06 | N/A | 8.3 HIGH |
|
An issue was discovered in savignano S/Notify before 2.0.1 for Bitbucket. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website. If executed while an administrator is logged on to Bitbucket, an attacker could exploit this to modify the configuration of the S/Notify app on that host. This can, in particular, l ...
Show More |
|||||
| CVE-2023-50932 | 1 Savignano | 1 S-notify | 2026-01-06 | N/A | 8.3 HIGH |
|
An issue was discovered in savignano S/Notify before 4.0.2 for Confluence. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website. If executed while an administrator is logged on to Confluence, an attacker could exploit this to modify the configuration of the S/Notify app on that host. This can, in particular, ...
Show More |
|||||
| CVE-2025-14163 | 1 Leap13 | 1 Premium Addons For Elementor | 2026-01-05 | N/A | 4.3 MEDIUM |
|
The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.
|
|||||
| CVE-2024-6719 | 1 Webgarh | 1 Offload Videos | 2026-01-05 | N/A | 8.1 HIGH |
|
The Offload Videos WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack
|
|||||
| CVE-2025-65203 | 1 Keepassxc | 1 Keepassxc-browser | 2026-01-05 | N/A | 7.1 HIGH |
|
KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials.
|
|||||
| CVE-2025-35030 | 1 Mieweb | 1 Enterprise Health | 2026-01-02 | N/A | 8.1 HIGH |
|
Medical Informatics Engineering Enterprise Health has a cross site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and perform actions on behalf of that administrative user. This issue is fixed as of 2025-04-08.
|
|||||
| CVE-2024-6230 | 1 Wp-master | 1 Pardakht-delkhah | 2026-01-02 | N/A | 6.5 MEDIUM |
|
The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 does not have CSRF check in place when resetting its form fields, which could allow attackers to make a logged in admin perform such action via a CSRF attack
|
|||||
| CVE-2024-2232 | 1 2code | 1 Himer | 2026-01-02 | N/A | 8.1 HIGH |
|
The lacks CSRF checks allowing a user to invite any user to any group (including private groups)
|
|||||
| CVE-2025-66906 | 1 Turms-im | 1 Turms | 2026-01-02 | N/A | 6.1 MEDIUM |
|
Cross Site Request Forgery (CSRF) vulnerability in Turms Admin API thru v0.10.0-SNAPSHOT allows attackers to gain escalated privileges.
|
|||||
| CVE-2025-66953 | 1 Nardamiteq | 2 Upc2, Upc2 Firmware | 2026-01-02 | N/A | 8.8 HIGH |
|
CSRF vulnerability in narda miteq Uplink Power Contril Unit UPC2 v.1.17 allows a remote attacker to execute arbitrary code via the Web-based management interface and specifically the /system_setup.htm, /set_clock.htm, /receiver_setup.htm, /cal.htm?..., and /channel_setup.htm endpoints
|
|||||
| CVE-2025-67013 | 1 Etlsystems | 54 C0401d1uia-22476, C0401d1uia-22476 Firmware, C0401d1ula-22419 and 51 more | 2026-01-02 | N/A | 6.5 MEDIUM |
|
The web management interface in ETL Systems Ltd DEXTRA Series ' Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints.
|
|||||
| CVE-2024-30855 | 1 Dedecms | 1 Dedecms | 2026-01-02 | N/A | 8.8 HIGH |
|
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php.
|
|||||
| CVE-2021-40965 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 9.3 HIGH | 8.8 HIGH |
|
A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.
|
|||||
| CVE-2022-23044 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | N/A | 8.8 HIGH |
|
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.
|
|||||
| CVE-2025-57310 | 1 Salmen | 1 Simple Faucet Script | 2025-12-31 | N/A | 8.8 HIGH |
|
A Cross-Site Request Forgery (CSRF) vulnerability in Salmen2/Simple-Faucet-Script v1.07 via crafted POST request to admin.php?p=ads&c=1 allowing attackers to execute arbitrary code.
|
|||||
| CVE-2020-36901 | 1 Medivision | 2 Medivision Digital Signage, Medivision Digital Signage Firmware | 2025-12-30 | N/A | 8.8 HIGH |
|
UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that submits a form to the /query/user/itSet endpoint to add a new admin user with elevated privileges.
|
|||||
| CVE-2019-25242 | 1 Iwt | 2 Facesentry Access Control System, Facesentry Access Control System Firmware | 2025-12-30 | N/A | 4.3 MEDIUM |
|
FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage.
|
|||||
| CVE-2025-59949 | 1 Freshrss | 1 Freshrss | 2025-12-30 | N/A | 5.3 MEDIUM |
|
FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue.
|
|||||
| CVE-2023-44475 | 1 Add Shortcodes Actions And Filters Project | 1 Add Shortcodes Actions And Filters | 2025-12-30 | N/A | 5.4 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in Michael Simpson Add Shortcodes Actions And Filters plugin <= 2.0.9 versions.
|
|||||
| CVE-2025-63952 | 1 Magewell | 26 Pro Convert 12g Sdi 4k Plus, Pro Convert 12g Sdi 4k Plus Firmware, Pro Convert Aes67 and 23 more | 2025-12-30 | N/A | 5.7 MEDIUM |
|
A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.
|
|||||
| CVE-2025-63953 | 1 Magewell | 10 Ultra Encode Aio, Ultra Encode Aio Firmware, Ultra Encode Hdmi and 7 more | 2025-12-30 | N/A | 6.5 MEDIUM |
|
A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.
|
|||||
| CVE-2025-56400 | 1 Tuya | 3 Smartlife, Tuya, Tuya Smart | 2025-12-30 | N/A | 8.8 HIGH |
|
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the vict ...
Show More |
|||||
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | N/A | 9.6 CRITICAL |
|
Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component
|
|||||
| CVE-2025-62190 | 1 Mattermost | 1 Mattermost Server | 2025-12-29 | N/A | 4.3 MEDIUM |
|
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link
|
|||||
| CVE-2021-47722 | 2025-12-29 | N/A | 3.5 LOW | ||
|
Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page.
|
|||||
| CVE-2019-25250 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
|
Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site.
|
|||||
| CVE-2019-25233 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
|
AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions.
|
|||||
| CVE-2018-25152 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
|
Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials.
|
|||||
| CVE-2018-25127 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
|
SOCA Access Control System 180612 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that submit forged requests to create admin accounts by tricking logged-in users into visiting a malicious site.
|
|||||
| CVE-2019-25238 | 2025-12-29 | N/A | 4.3 MEDIUM | ||
|
V-SOL GPON/EPON OLT Platform 2.03 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to create admin users, enable SSH, or modify system settings by tricking authenticated administrators into loading a specially crafted page.
|
|||||
| CVE-2019-25247 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
|
Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a logged-in user into submitting the form.
|
|||||