Search Results (9274 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-37217 | 1 Easy2pilot | 1 Easy2pilot | 2026-05-14 | 4.3 Medium |
| Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=add_user endpoint with POST requests containing username and password parameters to create new administrative accounts without explicit user consent. | ||||
| CVE-2026-44347 | 2 Warp-tech, Warpgate Project | 2 Warpgate, Warpgate | 2026-05-14 | 5.8 Medium |
| Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on the attacker's account (such as writing sensitive data to the attacker's SSH target, or logging into an HTTP target that the attacker set up). This vulnerability is fixed in 0.23.3. | ||||
| CVE-2026-42190 | 1 Redwoodjs | 2 Redwoodsdk, Sdk | 2026-05-14 | 5.3 Medium |
| RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3. | ||||
| CVE-2026-42289 | 1 Churchcrm | 1 Churchcrm | 2026-05-14 | 8.8 High |
| ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge. This vulnerability is fixed in 7.3.2. | ||||
| CVE-2026-5365 | 2 Latepoint, Wordpress | 2 Latepoint – Calendar Booking Plugin For Appointments And Events, Wordpress | 2026-05-14 | 4.3 Medium |
| The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link. | ||||
| CVE-2026-40703 | 1 F5 | 1 Big-ip | 2026-05-13 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2026-44548 | 1 Churchcrm | 1 Churchcrm | 2026-05-13 | 8.1 High |
| ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2. | ||||
| CVE-2026-30807 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2026-05-13 | 8.8 High |
| Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via a crafted web page. This issue affects Pandora FMS: from 777 through 800. | ||||
| CVE-2026-7562 | 2 Phkcorp2005, Wordpress | 2 Wp-redirection, Wordpress | 2026-05-13 | 4.3 Medium |
| The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification (via check_admin_referer() or wp_verify_nonce()) in the displayWPRedirectionManagementPage() function before processing POST requests that add, edit, or delete URL redirection rules. This makes it possible for unauthenticated attackers to trick a logged-in administrator into clicking a crafted link, allowing the attacker to create, modify, or delete redirection records in the plugin's database table without the administrator's consent. | ||||
| CVE-2026-7561 | 2 Tienrocker, Wordpress | 2 Tm – Wordpress Redirection, Wordpress | 2026-05-13 | 6.1 Medium |
| The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-7616 | 2 Saturngod, Wordpress | 2 Zawgyi Embed, Wordpress | 2026-05-13 | 4.3 Medium |
| The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyi_adminpage function. This makes it possible for unauthenticated attackers to update the plugin's zawgyi_forceCSS setting by submitting a forged POST request to options-general.php?page=zawgyi_embed, granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-6932 | 2 Hemant29, Wordpress | 2 Woo Commerce Minimum Weight, Wordpress | 2026-05-13 | 4.3 Medium |
| The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify the minimum order weight setting by tricking a site administrator into clicking a link or visiting an attacker-controlled page containing a forged POST request. | ||||
| CVE-2026-6710 | 2 Davidskysa, Wordpress | 2 Skysa Text Ticker App, Wordpress | 2026-05-13 | 4.3 Medium |
| The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaApps_Admin_AppPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the scrolling message text and URL, via a forged cross-site request, granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-4689 | 1 Shortpixel | 1 Shortpixel Adaptive Images | 2026-05-12 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ShortPixel ShortPixel Adaptive Images shortpixel-adaptive-images. This issue affects ShortPixel Adaptive Images: from n/a through <= 3.8.3. | ||||
| CVE-2026-42091 | 2 Goshs, Patrickhener | 2 Goshs, Goshs | 2026-05-12 | 6.5 Medium |
| goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2. | ||||
| CVE-2026-38566 | 1 Stratonwebdesigners | 1 Hireflow | 2026-05-12 | 8.1 High |
| HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/<id>, feedback submission at /feedback/add/<id>, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can trick an authenticated user into visiting a malicious page can silently change the victim's password, delete records, or inject arbitrary data on their behalf. The SESSION_COOKIE_SAMESITE attribute is also not configured, removing the browser-level CSRF defense. | ||||
| CVE-2026-0502 | 1 Sap Se | 1 Sap Business Objects Business Intelligence Platform | 2026-05-12 | 5.4 Medium |
| Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform, an authenticated user could be tricked by an attacker into sending unintended requests to the web server. This has low impact on integrity and availability of the application. There is no impact on confidentiality of the data. | ||||
| CVE-2026-45430 | 1 Backdropcms | 1 Backdrop-contrib/salesforce | 2026-05-12 | 7.1 High |
| The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks. | ||||
| CVE-2026-20704 | 1 Elecom | 2 Wrc-x1500gs-b, Wrc-x1500gsa-b | 2026-05-12 | N/A |
| Cross-site request forgery vulnerability exists in ELECOM wireless LAN products. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed. | ||||
| CVE-2026-42286 | 1 Emlog | 1 Emlog | 2026-05-12 | N/A |
| Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11. | ||||