ReportizFlow
Filtered by vendor
Subscriptions
Total
9189 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-25155 | 2 Qwik, Qwikdev | 2 Qwik, Qwik | 2026-04-18 | 5.9 Medium |
| Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0. | ||||
| CVE-2026-1835 | 1 Lcg0124 | 1 Bootdo | 2026-04-18 | 4.3 Medium |
| A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. | ||||
| CVE-2026-25812 | 2 Praskla-technology, Prasklatechnology | 2 Assessment-placipy, Placipy | 2026-04-18 | 8.8 High |
| PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism. | ||||
| CVE-2026-24885 | 1 Kanboard | 1 Kanboard | 2026-04-18 | 5.7 Medium |
| Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute. Which allows unauthorized modification of project user roles if an authenticated admin visits a malicious site This vulnerability is fixed in 1.2.50. | ||||
| CVE-2019-25708 | 1 Heatmiser | 2 Heatmiser Wifi Thermostat, Wifi Thermostat | 2026-04-17 | 4.3 Medium |
| Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent. | ||||
| CVE-2026-2658 | 1 Newbee-ltd | 1 Newbee-mall | 2026-04-17 | 4.3 Medium |
| A vulnerability was found in newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee. Affected is an unknown function of the component Multiple Endpoints. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2026-27513 | 1 Tenda | 2 F3, F3 Firmware | 2026-04-17 | 4.3 Medium |
| Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a cross-site request forgery (CSRF) vulnerability in the web-based administrative interface. The interface does not implement anti-CSRF protections, allowing an attacker to induce an authenticated administrator to submit state-changing requests, which can result in unauthorized configuration changes. | ||||
| CVE-2026-23694 | 3 Aruba, Arubadev, Wordpress | 3 Aruba Hispeed Cache, Aruba Hispeed Cache, Wordpress | 2026-04-17 | N/A |
| Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent. | ||||
| CVE-2026-25649 | 1 Traccar | 1 Traccar | 2026-04-17 | 7.3 High |
| Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available. | ||||
| CVE-2026-27609 | 2 Parse Community, Parseplatform | 2 Parse Dashboard, Parse Dashboard | 2026-04-17 | 6.5 Medium |
| Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected. | ||||
| CVE-2026-40041 | 1 Pachno | 1 Pachno | 2026-04-17 | 4.3 Medium |
| Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites. | ||||
| CVE-2026-34721 | 1 Zammad | 1 Zammad | 2026-04-17 | 6.5 Medium |
| Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4. | ||||
| CVE-2026-27758 | 3 Shenzhen Hongyavision Technology Co, Sodola-network, Sodolanetworks | 4 Sodola Sl902-swtgw124as, Sl902-swtgw124as, Sl902-swtgw124as Firmware and 1 more | 2026-04-17 | 4.3 Medium |
| SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a cross-site request forgery vulnerability in its management interface that allows attackers to induce authenticated users into submitting forged requests. Attackers can craft malicious requests that execute unauthorized configuration or administrative actions with the victim's privileges when the authenticated user visits a malicious webpage. | ||||
| CVE-2026-2994 | 1 Concretecms | 1 Concrete Cms | 2026-04-17 | 6.8 Medium |
| Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting | ||||
| CVE-2025-70810 | 2 Ariefibis, Phpbb | 2 Phpbb3, Phpbb | 2026-04-17 | 8.8 High |
| Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism | ||||
| CVE-2025-70811 | 2 Ariefibis, Phpbb | 2 Phpbb3, Phpbb | 2026-04-17 | 4.3 Medium |
| Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. | ||||
| CVE-2026-30793 | 6 Apple, Google, Linux and 3 more | 7 Iphone Os, Macos, Android and 4 more | 2026-04-17 | 9.8 Critical |
| Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, FFI bridge modules) allows Privilege Escalation. This vulnerability is associated with program files flutter/lib/common.Dart, src/flutter_ffi.Rs and program routines URI handler for rustdesk://password/, bind.MainSetPermanentPassword(). This issue affects RustDesk Client: through 1.4.5. | ||||
| CVE-2026-28477 | 1 Openclaw | 1 Openclaw | 2026-04-17 | 7.1 High |
| OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts. | ||||
| CVE-2026-3589 | 2 Automattic, Wordpress | 2 Woocommerce, Wordpress | 2026-04-17 | 7.5 High |
| The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example. | ||||
| CVE-2026-29784 | 1 Ghost | 1 Ghost | 2026-04-17 | 7.5 High |
| Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3. | ||||