Export limit exceeded: 19792 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (9419 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-29009 2026-04-15 6.1 Medium
Cross-site request forgery (CSRF) vulnerability in easy-popup-show all versions allows a remote unauthenticated attacker to hijack the authentication of the administrator and to perform unintended operations if the administrator views a malicious page while logged in.
CVE-2024-29019 1 Esphome 1 Esphome 2026-04-15 8.1 High
ESPHome is a system to control microcontrollers remotely through Home Automation systems. API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete). It is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform. This vulnerability allows bypassing authentication on API calls accessing configuration file operations on the behalf of a logged user. In order to trigger the vulnerability, the victim must visit a weaponized page. In addition to this, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5/ CVE-2024-27287 to obtain a complete takeover of the user account. Version 2024.3.0 contains a patch for this issue.
CVE-2024-12206 2026-04-15 4.3 Medium
The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to delete arbitrary headers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-45161 1 Blu-castle 1 Bcum221e 2026-04-15 4.6 Medium
A CSRF issue was discovered in the administrative web GUI in Blu-Castle BCUM221E 1.0.0P220507. This can be exploited via a URL, an image load, an XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
CVE-2025-24875 2026-04-15 6.8 Medium
SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues.
CVE-2025-52463 2026-04-15 N/A
Cross-site request forgery vulnerability exists in Active! mail 6 BuildInfo: 6.60.06008562 and earlier. If this vulnerability is exploited, unintended E-mail may be sent when a user accesses a specially crafted URL while being logged in.
CVE-2025-60535 1 Wallosapp 1 Wallos 2026-04-15 7.3 High
A Cross-Site Request Forgery (CSRF) in the component /endpoints/currency/currency of Wallos v4.1.1 allows attackers to execute arbitrary operations via a crafted GET request.
CVE-2024-30252 2026-04-15 2.6 Low
Livemarks is a browser extension that provides RSS feed bookmark folders. Versions of Livemarks prior to 3.7 are vulnerable to cross-site request forgery. A malicious website may be able to coerce the extension to send an authenticated GET request to an arbitrary URL. An authenticated request is a request where the cookies of the browser are sent along with the request. The `subscribe.js` script uses the first parameter from the current URL location as the URL of the RSS feed to subscribe to and checks that the RSS feed is valid XML. `subscribe.js` is accessible by an attacker website due to its use in `subscribe.html`, an HTML page that is declared as a `web_accessible_resource` in `manifest.json`. This issue may lead to `Privilege Escalation`. A CSRF breaks the integrity of servers running on a private network. A user of the browser extension may have a private server with dangerous functionality, which is assumed to be safe due to network segmentation. Upon receiving an authenticated request instantiated from an attacker, this integrity is broken. Version 3.7 fixes this issue by removing subscribe.html from `web_accessible_resources`.
CVE-2024-4541 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
The Custom Product List Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation when modifying products. This makes it possible for unauthenticated attackers to add, delete, bulk edit, approve or cancel products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-60168 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Cross-Site Request Forgery (CSRF) vulnerability in integrationshotelrunner HotelRunner Booking Widget hotelrunner allows Stored XSS.This issue affects HotelRunner Booking Widget: from n/a through <= 1.6.
CVE-2025-5185 2026-04-15 4.3 Medium
A vulnerability was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2024-45504 2026-04-15 6.5 Medium
Cross-site request forgery (CSRF) vulnerability in multiple Alps System Integration products and the OEM products allow a remote unauthenticated attacker to hijack the authentication of the user and to perform unintended operations if the user views a malicious page while logged in.
CVE-2024-6310 2026-04-15 8.8 High
The Advanced AJAX Page Loader plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.7.7. This is due to missing nonce validation in the 'admin_init_AAPL' function and missing file type validation in the 'AAPL_options_validate' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-2319 2026-04-15 8.8 High
The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. This is due to missing or incorrect nonce validation on the 'ELISQLREPORTS_menu' function. This makes it possible for unauthenticated attackers to execute code on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Version 5.25.10 adds a nonce check, which makes this vulnerability exploitable by admins only.
CVE-2024-35657 2026-04-15 5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Plechev Andrey WP-Recall.This issue affects WP-Recall: from n/a through 16.26.6.
CVE-2024-40119 1 Nepstech 1 Ntpl-xpon1gfevn Firmware 2026-04-15 8.8 High
Nepstech Wifi Router xpon (terminal) model NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the password change function, which allows remote attackers to change the admin password without the user's consent, leading to a potential account takeover.
CVE-2024-12636 2026-04-15 4.3 Medium
The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.6. This is due to missing or incorrect nonce validation on the 'create_popup_delete_process' function. This makes it possible for unauthenticated attackers to delete popups via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2021-47722 1 Zucchetti 1 Axess Cloki Access Control 2026-04-15 3.5 Low
Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page.
CVE-2025-42908 1 Sap 1 Netweaver Application Server For Abap 2026-04-15 5.4 Medium
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.
CVE-2020-9322 1 Statamic 1 Statamic 2026-04-15 8.8 High
The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO.