Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-12901 | 2025-11-12 | N/A | 4.3 MEDIUM | ||
|
The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
|
|||||
| CVE-2025-62258 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-11-10 | N/A | 6.5 MEDIUM |
|
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter.
|
|||||
| CVE-2020-10181 | 1 Sumavision | 2 Enhanced Multimedia Router, Enhanced Multimedia Router Firmware | 2025-11-07 | 7.5 HIGH | 9.8 CRITICAL |
|
goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request.
|
|||||
| CVE-2025-12479 | 1 Azure-access | 4 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 1 more | 2025-11-07 | N/A | 8.8 HIGH |
|
Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
|
|||||
| CVE-2025-12221 | 1 Azure-access | 4 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 1 more | 2025-11-07 | N/A | 8.8 HIGH |
|
Busybox 1.31.1 - Multiple Known Vulnerabilities.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
|
|||||
| CVE-2025-7078 | 1 07fly | 2 07flycms, Customer Relationship Management | 2025-11-06 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-10691 | 2025-11-06 | N/A | 4.3 MEDIUM | ||
|
The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page() function. This makes it possible for unauthenticated attackers to delete arbitrary subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2023-53688 | 1 Nagios | 1 Nagios Xi | 2025-11-05 | N/A | 5.4 MEDIUM |
|
Nagios XI versions prior to 5.11.3 are vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF) via the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, allowing injection of malicious script that executes in the context of a victim's browser (XSS). Additionally, the component does not enforce sufficient anti-CSRF protections on state-changing operations, enabling an attacker to induce authenticated users to perform ...
Show More |
|||||
| CVE-2025-64149 | 1 Jenkins | 1 Publish To Bitbucket | 2025-11-04 | N/A | 5.4 MEDIUM |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
|
|||||
| CVE-2025-64141 | 1 Jenkins | 1 Nexus Task Runner | 2025-11-04 | N/A | 4.3 MEDIUM |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
|
|||||
| CVE-2025-64138 | 1 Jenkins | 1 Start Windocks Container | 2025-11-04 | N/A | 4.3 MEDIUM |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Start Windocks Containers Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL.
|
|||||
| CVE-2025-64136 | 1 Jenkins | 1 Themis | 2025-11-04 | N/A | 4.3 MEDIUM |
|
A cross-site request forgery (CSRF) vulnerability in Jenkins Themis Plugin 1.4.1 and earlier allows attackers to connect to an attacker-specified HTTP server.
|
|||||
| CVE-2025-47410 | 1 Apache | 1 Geode | 2025-11-04 | N/A | 8.8 HIGH |
|
Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user.
This issue affects Apache Geode: versions 1.10 through 1.15.1
Users are recommended to upgrade to version 1.15.2, which fixes the issue.
|
|||||
| CVE-2024-40815 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-11-04 | N/A | 7.5 HIGH |
|
A race condition was addressed with additional validation. This issue is fixed in macOS Ventura 13.6.8, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, macOS Sonoma 14.6. A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.
|
|||||
| CVE-2024-34502 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2025-11-04 | N/A | 9.8 CRITICAL |
|
An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token.
|
|||||
| CVE-2023-47677 | 2 Level1, Realtek | 3 Wbr-6013, Wbr-6013 Firmware, Rtl819x Jungle Software Development Kit | 2025-11-04 | N/A | 8.8 HIGH |
|
A cross-site request forgery (csrf) vulnerability exists in the boa CSRF protection functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted network request can lead to CSRF. An attacker can send an HTTP request to trigger this vulnerability.
|
|||||
| CVE-2020-11919 | 1 Svakom | 2 Svakom Siime Eye, Svakom Siime Eye Firmware | 2025-11-04 | N/A | 8.0 HIGH |
|
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection.
|
|||||
| CVE-2019-20460 | 2025-11-04 | N/A | 8.8 HIGH | ||
|
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be used to send text directly to the RAW printer interface. For example, an attack could deliver a worrisome printout to an end user.
|
|||||
| CVE-2025-12456 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping on cai_name_color parameter, t ...
Show More |
|||||
| CVE-2025-12403 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The Associados Amazon Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8. This is due to missing or incorrect nonce validation on the brzon_admin_panel() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12070 | 2025-11-04 | N/A | 4.3 MEDIUM | ||
|
The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12416 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The Pagerank Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the pr_save_settings() function and insufficient input sanitization. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected scripts wi ...
Show More |
|||||
| CVE-2025-12415 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The MapMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a ...
Show More |
|||||
| CVE-2025-12400 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The LMB^Box Smileys plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12410 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The SH Contextual Help plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation in the sh_contextual_help_dashboard_widget() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12069 | 2025-11-04 | N/A | 4.3 MEDIUM | ||
|
The WP Global Screen Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing nonce validation on the `updatewpglobalscreenoptions` action handler. This makes it possible for unauthenticated attackers to modify global screen options for all users via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12412 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The Top Bar Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on th tbn_ajax_add() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12402 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The LinkedIn Resume plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.00. This is due to missing or incorrect nonce validation on the linkedinresume_printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12452 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12413 | 2025-11-04 | N/A | 5.4 MEDIUM | ||
|
The Social Media WPCF7 Stop Words plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the smWpCfSwOptions() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12401 | 2025-11-04 | N/A | 6.1 MEDIUM | ||
|
The Label Plugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the label_plugins_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-12188 | 2025-11-04 | N/A | 4.3 MEDIUM | ||
|
The Posts Navigation Links for Sections and Headings – Free by WP Masters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'wpm_navigation_links_settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-56009 | 1 Keenetic | 1 Keeneticos | 2025-11-04 | N/A | 5.3 MEDIUM |
|
Cross site request forgery (CSRF) vulnerability in KeeneticOS before 4.3 at "/rci" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page with exploit.
|
|||||
| CVE-2024-44293 | 1 Apple | 1 Macos | 2025-11-03 | N/A | 5.5 MEDIUM |
|
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.1. A user may be able to view sensitive user information.
|
|||||
| CVE-2024-28141 | 2025-11-03 | N/A | 6.3 MEDIUM | ||
|
The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. E.g. an attacker can forge malicious links to reset the admin password or create new users.
|
|||||
| CVE-2025-31205 | 1 Apple | 7 Ipados, Iphone Os, Macos and 4 more | 2025-11-03 | N/A | 6.5 MEDIUM |
|
The issue was addressed with improved checks. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. A malicious website may exfiltrate data cross-origin.
|
|||||
| CVE-2025-24223 | 1 Apple | 7 Ipados, Iphone Os, Macos and 4 more | 2025-11-03 | N/A | 8.0 HIGH |
|
The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. Processing maliciously crafted web content may lead to memory corruption.
|
|||||
| CVE-2025-54969 | 1 Baesystems | 1 Socet Gxp | 2025-10-31 | N/A | 6.1 MEDIUM |
|
An issue was discovered in BAE SOCET GXP before 4.6.0.2. The SOCET GXP Job Status Service does not implement CSRF protections. An attacker who social engineers a valid user into clicking a malicious link or visiting a malicious website may be able to submit requests to the Job Status Service without the user's knowledge.
|
|||||
| CVE-2025-8223 | 1 Jerryshensjf | 1 Jpacookieshop | 2025-10-31 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. This affects an unknown part of the file AdminTypeCustController.java. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailab ...
Show More |
|||||
| CVE-2025-7330 | 1 Rockwellautomation | 2 1783-natr, 1783-natr Firmware | 2025-10-30 | N/A | 6.5 MEDIUM |
|
A cross-site request forgery security issue exists in the product and version listed. The vulnerability stems from missing CSRF checks on the impacted form. This allows for unintended configuration modification if an attacker can convince a logged in admin to visit a crafted link.
|
|||||