Search Results (9646 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-25190 | 2 Rul10, Sourceforge | 2 Easyndexer, Easyndexer | 2026-03-16 | 5.3 Medium |
| Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. Attackers can craft malicious web pages that submit POST requests to createuser.php with parameters including username, password, name, surname, and privileges set to 1 for administrator access. | ||||
| CVE-2025-12189 | 2 Breadbutter, Wordpress | 2 Bread & Butter, Wordpress | 2026-03-16 | 4.3 Medium |
| The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-39744 | 3 Ibm, Linux, Microsoft | 5 Aix, Sterling Connect, Sterling Connect Direct Web Services and 2 more | 2026-03-13 | 4.3 Medium |
| IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | ||||
| CVE-2023-36517 | 1 Kevonadonis | 1 Wp Abstracts | 2026-03-13 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Kevon Adonis WP Abstracts plugin <= 2.6.2 versions. | ||||
| CVE-2025-10010 | 2 Cpsd, Cpsd It Services | 2 Cryptopro Secure Disk, Cryptopro Secure Disk For Bitlocker | 2026-03-13 | 6.8 Medium |
| The CPSD CryptoPro Secure Disk application boots a small Linux operating system to perform user authentication before using BitLocker to decrypt the Windows partition. The system is located on a separate unencrypted partition which can be reached by anyone with access to the hard disk. Multiple checks are performed to validate the integrity of the Linux operating system and the CryptoPro Secure Disk application files. When files are changed an error is shown on system start. One of the checks is the Linux kernel's Integrity Measurement Architecture (IMA). It was identified that configuration files are not validated by the IMA and can then (if not checked by other measures) be changed. This allows an attacker to execute arbitrary code in the context of the root user and enables an attacker to e.g., plant a backdoor and access data during execution. | ||||
| CVE-2023-2307 | 1 Qwik | 1 Qwik | 2026-03-13 | 4.7 Medium |
| Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0. | ||||
| CVE-2025-64166 | 2 Mercurius-js, Mercurius Project | 2 Mercurius, Mercurius | 2026-03-13 | 5.4 Medium |
| Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0. | ||||
| CVE-2026-28281 | 1 Instantcms | 2 Icms2, Instantcms | 2026-03-13 | 7.1 High |
| InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1. | ||||
| CVE-2021-35486 | 1 Nokia | 2 Impact, Impact Mobile | 2026-03-13 | 8.1 High |
| A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie is validated. | ||||
| CVE-2026-28495 | 1 Getsimple-ce | 1 Getsimple Cms | 2026-03-12 | 9.7 Critical |
| GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server. | ||||
| CVE-2026-29113 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-03-12 | 4.3 Medium |
| Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7. | ||||
| CVE-2025-59793 | 1 Rocketsoftware | 1 Trufusion Enterprise | 2026-03-11 | 9.9 Critical |
| Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't properly sanitize the jobDirectory parameter, which allows path traversal sequences to be included. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution. | ||||
| CVE-2025-70031 | 1 Sunbird-ed | 1 Sunbirded-portal | 2026-03-11 | 8.8 High |
| An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. | ||||
| CVE-2026-1508 | 2 Court Reservation, Wordpress | 2 Court Reservation, Wordpress | 2026-03-11 | 4.3 Medium |
| The Court Reservation WordPress plugin before 1.10.9 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete them via a CSRF attack. | ||||
| CVE-2018-25200 | 2 Tomalofficial, Zsoft | 2 Php Oop Cms Blog, Oop Cms Blog | 2026-03-11 | 5.3 Medium |
| OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by crafting malicious POST requests. Attackers can submit forms to the addUser.php endpoint with parameters including userName, password, email, and role set to administrative privileges to gain unauthorized access. | ||||
| CVE-2026-3770 | 2 Oretnom23, Sourcecodester | 2 Computer Laboratory Management System, Computer Laboratory Management System | 2026-03-10 | 4.3 Medium |
| A flaw has been found in SourceCodester Computer Laboratory Management System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack can be carried out remotely. The exploit has been published and may be used. | ||||
| CVE-2026-24281 | 1 Apache | 1 Zookeeper | 2026-03-10 | 5.9 Medium |
| Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that the attacker must present a certificate which is trusted by ZKTrustManager, which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols. | ||||
| CVE-2026-1468 | 1 Opensolution | 1 Quick.cms | 2026-03-09 | N/A |
| QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft a special website which, when visited by the victim, will automatically send a POST request with the victim's privileges. This software does not implement any protection against this type of attack. All forms available in this software are potentially vulnerable. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | ||||
| CVE-2026-29784 | 1 Ghost | 1 Ghost | 2026-03-09 | 7.5 High |
| Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3. | ||||
| CVE-2026-1644 | 2 Glowlogix, Wordpress | 2 Wp Frontend Profile, Wordpress | 2026-03-09 | 4.3 Medium |
| The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request, provided they can trick an administrator into performing an action such as clicking on a link. | ||||