Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3808 | 1 Zhenfeng13 | 1 My-bbs | 2025-10-15 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability has been found in zhenfeng13 My-BBS 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints might be affected.
|
|||||
| CVE-2024-6040 | 1 Lollms | 1 Lollms Web Ui | 2025-10-15 | N/A | 8.8 HIGH |
|
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.
|
|||||
| CVE-2025-8606 | 2025-10-14 | N/A | 2.4 LOW | ||
|
The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 1.3.23. This is due to missing or incorrect nonce validation on the activate_plugin and deactivate_plugin functions. This makes it possible for attackers to trick authenticated administrators into activating or deactivating specified plugins via a forged request, such as clicking on a malicious link or visiting a compromised page.
|
|||||
| CVE-2025-9626 | 2025-10-14 | N/A | 4.3 MEDIUM | ||
|
The Page Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the admin_process_widget_page_change function. This makes it possible for unauthenticated attackers to modify widget page block configurations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-10376 | 2025-10-14 | N/A | 4.3 MEDIUM | ||
|
The Course Redirects for Learndash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4. This is due to missing nonce validation when processing form submissions on the settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-9621 | 2025-10-14 | N/A | 4.3 MEDIUM | ||
|
The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on the wpcmt_sync action in the wpcmt_request_handler function. This makes it possible for unauthenticated attackers to trigger comment synchronization events via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-10375 | 2025-10-14 | N/A | 4.3 MEDIUM | ||
|
The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site ...
Show More |
|||||
| CVE-2025-42908 | 2025-10-14 | N/A | 5.4 MEDIUM | ||
|
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access ...
Show More |
|||||
| CVE-2025-60535 | 2025-10-14 | N/A | 7.3 HIGH | ||
|
A Cross-Site Request Forgery (CSRF) in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request.
|
|||||
| CVE-2024-29026 | 1 Owncast Project | 1 Owncast | 2025-10-14 | N/A | 8.2 HIGH |
|
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.
|
|||||
| CVE-2025-58430 | 1 Nadh | 1 Listmonk | 2025-10-10 | N/A | 6.1 MEDIUM |
|
listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerability. Cross-site request forgery and cross-site scripting chained together can re ...
Show More |
|||||
| CVE-2025-1084 | 1 Mindskip | 1 Xzs-mysql | 2025-10-10 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-27912 | 1 Datalust | 1 Seq | 2025-10-10 | N/A | 8.8 HIGH |
|
An issue was discovered in Datalust Seq before 2024.3.13545. Missing Content-Type validation can lead to CSRF when (1) Entra ID or OpenID Connect authentication is in use and a user visits a compromised/malicious site, or (2) when username/password or Active Directory authentication is in use and a user visits a compromised/malicious site under the same effective top-level domain as the Seq server. Exploitation of the vulnerability allows the attacker to conduct impersonation attacks and perform ...
Show More |
|||||
| CVE-2025-6106 | 1 72crm | 1 Wukong Crm | 2025-10-10 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in WuKongOpenSource WukongCRM 9.0 and classified as problematic. This issue affects some unknown processing of the file AdminRoleController.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-3561 | 1 Ghostxbh | 1 Uzy-ssm-mall | 2025-10-10 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in ghostxbh uzy-ssm-mall 1.0.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-2863 | 1 Arteche | 2 Satech Bcu, Satech Bcu Firmware | 2025-10-10 | N/A | 7.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in the web application of saTECH BCU firmware version 2.1.3, which could allow an unauthenticated local attacker to exploit active administrator sessions and perform malicious actions. The malicious actions that can be executed by the attacker depend on the logged-in user, and may include rebooting the device or modifying roles and permissions.
|
|||||
| CVE-2025-60956 | 1 Endruntechnologies | 2 Sonoma D12, Sonoma D12 Firmware | 2025-10-10 | N/A | 8.0 HIGH |
|
Cross Site Request Forgery (CSRF) vulnerability in EndRun Technologies Sonoma D12 Network Time Server (GPS) F/W 6010-0071-000 Ver 4.00 allows attackers to execute arbitrary code, cause a denial of service, gain escalated privileges, and gain sensitive information.
|
|||||
| CVE-2024-2134 | 1 Bdtask | 1 Hospital Automanager | 2025-10-10 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability has been found in Bdtask Hospita AutoManager up to 20240223 and classified as problematic. This vulnerability affects unknown code of the file /investigation/delete/ of the component Investigation Report Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255496. NOTE: The vendor was contacted early about this disclosure but di ...
Show More |
|||||
| CVE-2025-54782 | 1 Nestjs | 1 Devtools-integration | 2025-10-09 | N/A | 8.8 HIGH |
|
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute a ...
Show More |
|||||
| CVE-2025-50902 | 1 Old-peanut | 1 Open-shop | 2025-10-09 | N/A | 8.8 HIGH |
|
Cross Site Request Forgery (CSRF) vulnerability in old-peanut Open-Shop (aka old-peanut/wechat_applet__open_source) thru 1.0.0 allows attackers to gain sensitive information via crafted HTTP Post message.
|
|||||
| CVE-2025-11442 | 1 Jhumanj | 1 Opnform | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A security flaw has been discovered in JhumanJ OpnForm up to 1.9.3. The impacted element is an unknown function of the component API Endpoint. The manipulation results in cross-site request forgery. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor has stated that API calls require authentication through Authorization Bearer Tokens, so classic CSRF attacks do not apply here. An attacker would need to possess the JWT through mean ...
Show More |
|||||
| CVE-2025-11166 | 2025-10-09 | N/A | 5.4 MEDIUM | ||
|
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geom ...
Show More |
|||||
| CVE-2025-3257 | 1 Xujiangfei | 1 Admintwo | 2025-10-09 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic has been found in xujiangfei admintwo 1.0. This affects an unknown part of the file /user/updateSet. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-36452 | 1 Webmin | 1 Webmin | 2025-10-08 | N/A | 3.1 LOW |
|
Cross-site request forgery vulnerability exists in ajaxterm module of Webmin versions prior to 2.003. If this vulnerability is exploited, unintended operations may be performed when a user views a malicious page while logged in. As a result, data within a system may be referred, a webpage may be altered, or a server may be permanently halted.
|
|||||
| CVE-2025-11029 | 1 Vvveb | 1 Vvveb | 2025-10-07 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A weakness has been identified in givanz Vvveb up to 1.0.7.2. This vulnerability affects unknown code. Executing manipulation can lead to cross-site request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. Once again the project maintainer reacted very professional: "I accept the existence of these vulnerabilities. (...) I fixed the code to remove these vulnerabilities and will push the code to github and make a new release."
|
|||||
| CVE-2025-22963 | 1 Sismics | 1 Teedy | 2025-10-07 | N/A | 7.5 HIGH |
|
Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin.
|
|||||
| CVE-2025-61604 | 1 Wegia | 1 Wegia | 2025-10-07 | N/A | 7.1 HIGH |
|
WeGIA is an open source web manager with a focus on charitable institutions. Versions 3.4.12 and below contain a Cross-Site Request Forgery (CSRF) vulnerability. The delete operation for the Almoxarifado entity is exposed via HTTP GET without CSRF protection, allowing a third-party site to trigger the action using the victim’s authenticated session. This issue is fixed in version 3.5.0.
|
|||||
| CVE-2022-4552 | 1 Armandofiore | 1 Fl3r Feelbox | 2025-10-07 | N/A | 6.1 MEDIUM |
|
The FL3R FeelBox WordPress plugin through 8.1 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
|
|||||
| CVE-2022-4553 | 1 Armandofiore | 1 Fl3r Feelbox | 2025-10-07 | N/A | 4.3 MEDIUM |
|
The FL3R FeelBox WordPress plugin through 8.1 does not have CSRF check when updating reseting moods which could allow attackers to make logged in admins perform such action via a CSRF attack and delete the lydl_posts & lydl_poststimestamp DB tables
|
|||||
| CVE-2014-2369 | 1 Omron | 6 Ns10 Hmi Terminal, Ns12 Hmi Terminal, Ns15 Hmi Terminal and 3 more | 2025-10-06 | 4.6 MEDIUM | N/A |
|
Cross-site request forgery (CSRF) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.
|
|||||
| CVE-2025-9897 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
|
The AP Background plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to missing or incorrect nonce validation on the advParallaxBackAdminSaveSlider function. This makes it possible for unauthenticated attackers to create or modify background sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-10311 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
|
The Comment Info Detector plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing nonce validation on the options.php file when handling form submissions. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-9886 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
|
The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-9213 | 2025-10-06 | N/A | 8.8 HIGH | ||
|
The TextBuilder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 1.0.0 to 1.1.1. This is due to missing or incorrect nonce validation on the 'handleToken' function. This makes it possible for unauthenticated attackers to update a user's authorization token via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Once the token is updated, an attacker can update the user's password and email address.
|
|||||
| CVE-2025-8669 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
|
The Customify theme for WordPress is vulnerable to Cross-Site Request Forgery in version 0.4.11. This is due to missing or incorrect nonce validation on the reset_customize_section function. This makes it possible for unauthenticated attackers to reset theme customization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-9895 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
|
The Notification Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the 'subscriber-list-empty.php' file. This makes it possible for unauthenticated attackers to empty the subscriber list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-9884 | 2025-10-06 | N/A | 6.1 MEDIUM | ||
|
The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-9630 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
|
The WP SinoType plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the sinotype_config function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-9892 | 2025-10-06 | N/A | 5.3 MEDIUM | ||
|
The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-9945 | 2025-10-06 | N/A | 4.3 MEDIUM | ||
|
The Optimize More! – CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||