Search Results (10333 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-67646 1 Telepedia 1 Tableprogresstracking 2026-04-15 3.5 Low
TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a wiki with the extension enabled, would trigger unintended authenticated actions through the victim's browser. Due to the lack of token validation, an attacker can delete or track progress against tables. This issue is patched in version 1.2.1 of the extension.
CVE-2025-12821 2 Spicethemes, Wordpress 2 Newsblogger, Wordpress 2026-04-15 8.8 High
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is due to a reverted fix of CVE-2025-1305.
CVE-2025-0683 2026-04-15 5.9 Medium
In its default configuration, Contec Health CMS8000 Patient Monitor transmits plain-text patient data to a hard-coded public IP address when a patient is hooked up to the monitor. This could lead to a leakage of confidential patient data to any device with that IP address or an attacker in a machine-in-the-middle scenario.
CVE-2025-60075 2 Allegro Marketing, Wordpress 2 Hpb Seo Plugin For Wordpress, Wordpress 2026-04-15 7.1 High
Cross-Site Request Forgery (CSRF) vulnerability in Allegro Marketing hpb seo plugin for WordPress hpbseo allows Reflected XSS.This issue affects hpb seo plugin for WordPress: from n/a through <= 3.0.1.
CVE-2024-6841 1 Vanna-ai 1 Vanna 2026-04-15 N/A
A Cross-Site Request Forgery (CSRF) vulnerability exists in the latest commit (56b782bcefd2e59b19cd7ba7878b95f54884f502) of the vanna-ai/vanna repository. Two endpoints in the built-in web app that provide SQL functionality are implemented as simple GET requests, making them susceptible to CSRF attacks. This vulnerability allows an attacker to run arbitrary SQL commands via CSRF without the target intending to expose the web app to the network or other users. The impact is limited to data alteration or deletion, as the attacker cannot read the results of the query.
CVE-2017-20221 1 Telesquare 2 Sdt-cs3b1, Sdt-cs3b1 Firmware 2026-04-14 4.3 Medium
Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains a cross-site request forgery vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting missing request validation. Attackers can craft malicious web pages that perform administrative actions when visited by logged-in users, enabling command execution with router privileges.
CVE-2026-4712 1 Mozilla 2 Firefox, Firefox Esr 2026-04-14 7.5 High
Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
CVE-2026-34749 1 Payloadcms 1 Payload 2026-04-14 5.4 Medium
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.
CVE-2026-34228 1 Emlog 1 Emlog 2026-04-14 6.5 Medium
Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8.
CVE-2026-5918 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-04-14 4.3 Medium
Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
CVE-2020-26141 4 Alfa, Cisco, Redhat and 1 more 191 Awus036h, Awus036h Firmware, Ip Conference Phone 8832 and 188 more 2026-04-14 6.5 Medium
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
CVE-2026-4401 2 Wordpress, Wpchill 2 Wordpress, Download Monitor 2026-04-13 5.4 Medium
The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it possible for unauthenticated attackers to delete, disable, or enable approved download paths via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-29521 2 Hereta, Shenzhen Hereta Technology 3 Eth-imc408m, Eth-imc408m Firmware, Hereta Eth-imc408m 2026-04-13 4.3 Medium
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics.
CVE-2019-25682 1 Victoralagwu 1 Cmssite 2026-04-10 4.3 Medium
CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint with parameters like source=add_user, source=edit_user, or del=1 to create, modify, or delete admin accounts.
CVE-2026-3499 2 Jkohlbach, Wordpress 2 Product Feed Pro For Woocommerce By Adtribes – Product Feeds For Woocommerce, Wordpress 2026-04-08 8.8 High
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-4141 2 Edckwt, Wordpress 2 Quran Translations, Wordpress 2026-04-08 4.3 Medium
The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes POST requests to update plugin options via update_option() without any wp_nonce_field() in the form or wp_verify_nonce()/check_admin_referer() verification before processing. This makes it possible for unauthenticated attackers to modify plugin settings (toggling display options for PDF, RSS, podcast, media player links, playlist title, and playlist code) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-33373 2 Synacor, Zimbra 2 Zimbra Collaboration Suite, Collaboration Suite 2026-04-08 8.8 High
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
CVE-2024-9990 1 Odude 2 Crypto, Crypto Tool 2026-04-08 8.8 High
The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.15. This is due to missing nonce validation in the 'crypto_connect_ajax_process::check' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-6405 1 Varniinfotech 1 Floating Social Buttons 2026-04-08 6.1 Medium
The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the floating_social_buttons_option() function. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-5943 1 Kylephillips 1 Nested Pages 2026-04-08 8.8 High
The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.