Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-20228 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2025-07-21 | N/A | 6.5 MEDIUM |
|
In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF).
|
|||||
| CVE-2024-7760 | 1 Aimstack | 1 Aim | 2025-07-21 | N/A | 9.6 CRITICAL |
|
aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.
|
|||||
| CVE-2025-26211 | 1 Gibbonedu | 1 Gibbon | 2025-07-18 | N/A | 3.7 LOW |
|
Gibbon before 29.0.00 allows CSRF.
|
|||||
| CVE-2025-48255 | 1 Videowhisper | 1 Videowhisper Live Streaming Integration | 2025-07-17 | N/A | 4.3 MEDIUM |
|
Cross-Site Request Forgery (CSRF) vulnerability in videowhisper Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP allows Cross Site Request Forgery. This issue affects Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP: from n/a through 6.2.4.
|
|||||
| CVE-2025-3557 | 1 Scriptandtools | 1 Ecommerce-website-in-php | 2025-07-17 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in ScriptAndTools eCommerce-website-in-PHP 3.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints are affected. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-10906 | 1 Dbgpt | 1 Db-gpt | 2025-07-17 | N/A | 8.1 HIGH |
|
In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*` for all requests. This configuration makes all endpoints exposed by the server vulnerable to Cross-Site Request Forgery (CSRF). An attacker can exploit this vulnerability to interact with any endpoints of the instance, even if the instance is not publicly exposed to the network.
|
|||||
| CVE-2025-50090 | 1 Oracle | 1 E-business Suite | 2025-07-17 | N/A | 5.4 MEDIUM |
|
Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additi ...
Show More |
|||||
| CVE-2024-56474 | 2 Ibm, Linux | 3 Aix, Txseries For Multiplatforms, Linux Kernel | 2025-07-16 | N/A | 4.3 MEDIUM |
|
IBM TXSeries for Multiplatforms 9.1 and 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
|
|||||
| CVE-2025-46610 | 1 Artec-it | 1 Enterprise Mail Archive | 2025-07-16 | N/A | 8.8 HIGH |
|
ARTEC EMA Mail 6.92 allows CSRF.
|
|||||
| CVE-2025-54022 | 2025-07-16 | N/A | 6.5 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates allows Cross Site Request Forgery. This issue affects Coupon Affiliates: from n/a through 6.4.0.
|
|||||
| CVE-2025-54041 | 2025-07-16 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in WP Swings Wallet System for WooCommerce allows Cross Site Request Forgery. This issue affects Wallet System for WooCommerce: from n/a through 2.6.7.
|
|||||
| CVE-2025-54038 | 2025-07-16 | N/A | 5.4 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in jetmonsters Restaurant Menu by MotoPress allows Cross Site Request Forgery. This issue affects Restaurant Menu by MotoPress: from n/a through 2.4.6.
|
|||||
| CVE-2025-48153 | 2025-07-16 | N/A | 7.1 HIGH | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Atakan Au Import CDN-Remote Images allows Stored XSS. This issue affects Import CDN-Remote Images: from n/a through 2.1.2.
|
|||||
| CVE-2025-54010 | 2025-07-16 | N/A | 9.6 CRITICAL | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets allows Cross Site Request Forgery. This issue affects FluentSnippets: from n/a through 10.50.
|
|||||
| CVE-2025-54035 | 2025-07-16 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Software Newsletters allows Cross Site Request Forgery. This issue affects Newsletters: from n/a through 4.10.
|
|||||
| CVE-2025-54042 | 2025-07-16 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in xfinitysoft WP Post Hide allows Cross Site Request Forgery. This issue affects WP Post Hide: from n/a through 1.0.9.
|
|||||
| CVE-2025-54039 | 2025-07-16 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Toast Plugins Animator allows Cross Site Request Forgery. This issue affects Animator: from n/a through 3.0.16.
|
|||||
| CVE-2025-54033 | 2025-07-16 | N/A | 6.5 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in BlocksWP Theme Builder For Elementor allows Cross Site Request Forgery. This issue affects Theme Builder For Elementor: from n/a through 1.2.3.
|
|||||
| CVE-2025-54020 | 2025-07-16 | N/A | 5.4 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Erik AntiSpam for Contact Form 7 allows Cross Site Request Forgery. This issue affects AntiSpam for Contact Form 7: from n/a through 0.6.3.
|
|||||
| CVE-2025-54030 | 2025-07-16 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in GSheetConnector by WesternDeal WooCommerce Google Sheet Connector allows Cross Site Request Forgery. This issue affects WooCommerce Google Sheet Connector: from n/a through 1.3.20.
|
|||||
| CVE-2025-54036 | 2025-07-16 | N/A | 4.3 MEDIUM | ||
|
Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking allows Cross Site Request Forgery. This issue affects Webba Booking: from n/a through 5.1.20.
|
|||||
| CVE-2024-5712 | 1 Stitionai | 1 Devika | 2025-07-15 | N/A | 8.1 HIGH |
|
A Cross-Site Request Forgery (CSRF) vulnerability was identified in the stitionai/devika application, affecting the latest version. This vulnerability allows attackers to perform unauthorized actions in the context of a victim's browser, such as deleting projects or changing application settings, without any CSRF protection implemented. Successful exploitation disrupts the integrity and availability of the application and its data.
|
|||||
| CVE-2024-5616 | 1 Mudler | 1 Localai | 2025-07-15 | N/A | 4.3 MEDIUM |
|
A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview', without the victim's consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality.
|
|||||
| CVE-2025-7667 | 2025-07-15 | N/A | 8.1 HIGH | ||
|
The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'restrict-file-access' page. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request granted they can trick a site administrator into perfor ...
Show More |
|||||
| CVE-2024-10819 | 1 Binary-husky | 1 Gpt Academic | 2025-07-14 | N/A | 8.8 HIGH |
|
A Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of binary-husky/gpt_academic allows an attacker to trick a user into uploading files without their consent, exploiting their session. This can lead to unauthorized file uploads and potential system compromise. The uploaded file can contain malicious scripts, leading to stored Cross-Site Scripting (XSS) attacks. Through stored XSS, an attacker can steal information about the victim and perform any action on their behalf.
|
|||||
| CVE-2024-4751 | 1 Goprayer | 1 Prayer | 2025-07-11 | N/A | 4.3 MEDIUM |
|
The WP Prayer II WordPress plugin through 2.4.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
|
|||||
| CVE-2025-36576 | 1 Dell | 1 Wyse Management Suite | 2025-07-11 | N/A | 2.7 LOW |
|
Dell Wyse Management Suite, versions prior to WMS 5.2, contain a Cross-Site Request Forgery (CSRF) vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Server-side request forgery.
|
|||||
| CVE-2023-6980 | 1 Veronalabs | 1 Wp Sms | 2025-07-11 | N/A | 4.3 MEDIUM |
|
The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5. This is due to missing or incorrect nonce validation on the 'delete' action of the wp-sms-subscribers page. This makes it possible for unauthenticated attackers to delete subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-20195 | 1 Cisco | 1 Ios Xe | 2025-07-11 | N/A | 4.3 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a CSRF attack and execute commands on the CLI of an affected device.
This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an already authenticated user to follow a crafted link. A successful exploit could allow the attacker to clea ...
Show More |
|||||
| CVE-2024-7386 | 1 Wpdownloadmanager | 1 Premium Packages - Sell Digital Products Securely | 2025-07-10 | N/A | 4.3 MEDIUM |
|
The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the addRefund() function. This makes it possible for unauthenticated attackers to perform actions such as initiating refunds via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
|
|||||
| CVE-2024-10593 | 1 Wpforms | 1 Wpforms | 2025-07-10 | N/A | 4.3 MEDIUM |
|
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.1.6. This is due to missing or incorrect nonce validation on the process_admin_ui function. This makes it possible for unauthenticated attackers to delete WPForm logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-5924 | 1 Skywavesolutions | 1 Wp Firebase Push Notification | 2025-07-10 | N/A | 4.3 MEDIUM |
|
The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-4966 | 1 Hk1993 | 1 Wp Online Users Stats | 2025-07-10 | N/A | 6.1 MEDIUM |
|
The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-7379 | 2025-07-10 | N/A | N/A | ||
|
A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206.
|
|||||
| CVE-2025-5938 | 1 Themebon | 1 Digital Marketing And Agency Templates Addons For Elementor | 2025-07-10 | N/A | 5.3 MEDIUM |
|
The Digital Marketing and Agency Templates Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the import_templates() function. This makes it possible for unauthenticated attackers to trigger an import via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|
|||||
| CVE-2025-48921 | 1 Getopensocial | 1 Open Social | 2025-07-09 | N/A | 8.8 HIGH |
|
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13.
|
|||||
| CVE-2025-7133 | 1 Codeastro | 1 Online Movie Ticket Booking System | 2025-07-09 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic has been found in CodeAstro Online Movie Ticket Booking System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-41597 | 1 Processwire | 1 Processwire | 2025-07-09 | N/A | 4.2 MEDIUM |
|
Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality.
|
|||||
| CVE-2025-25772 | 1 Ujcms | 1 Jspxcms | 2025-07-09 | N/A | 5.1 MEDIUM |
|
A Cross-Site Request Forgery (CSRF) in the component /back/UserController.java of Jspxcms v9.0 to v9.5 allows attackers to arbitrarily add Administrator accounts via a crafted request.
|
|||||
| CVE-2025-47204 | 1 Davidstutz | 1 Bootstrap Multiselect | 2025-07-09 | N/A | 6.1 MEDIUM |
|
An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).
|
|||||