Total: 9320 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6230 | 2 Wordpress, Wp-master | 2 Wordpress, Pardakht-delkhah | 2026-01-02 | 6.5 Medium |
| The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 does not have a CSRF check in place when resetting its form fields, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack. | ||||
| CVE-2024-2232 | 1 2code | 1 Himer | 2026-01-02 | 8.1 High |
| The lacks CSRF checks allowing a user to invite any user to any group (including private groups) | ||||
| CVE-2025-66906 | 2 Turms, Turms-im | 2 Admin Api, Turms | 2026-01-02 | 6.1 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Turms Admin API through v0.10.0-SNAPSHOT allows attackers to gain escalated privileges. | ||||
| CVE-2025-66953 | 1 Nardamiteq | 2 Upc2, Upc2 Firmware | 2026-01-02 | 8.8 High |
| CSRF vulnerability in Narda-MITEQ Uplink Power Control Unit UPC2 v.1.17 allows a remote attacker to execute arbitrary code via the web-based management interface, specifically the /system_setup.htm, /set_clock.htm, /receiver_setup.htm, /cal.htm?..., and /channel_setup.htm endpoints. | ||||
| CVE-2025-67013 | 1 Etlsystems | 54 C0401d1uia-22476, C0401d1uia-22476 Firmware, C0401d1ula-22419 and 51 more | 2026-01-02 | 6.5 Medium |
| The web management interface in ETL Systems Ltd DEXTRA Series Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints. | ||||
| CVE-2022-23044 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 8.8 High |
| Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. | ||||
| CVE-2021-40965 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 8.8 High |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager, all versions up to and including 2.4.6, that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker. | ||||
| CVE-2025-57310 | 1 Salmen | 1 Simple Faucet Script | 2025-12-31 | 8.8 High |
| A Cross-Site Request Forgery (CSRF) vulnerability in Salmen2/Simple-Faucet-Script v1.07, reachable via a crafted POST request to admin.php?p=ads&c=1, allows attackers to execute arbitrary code. | ||||
| CVE-2020-36901 | 1 Medivision | 3 Digital Signage, Medivision Digital Signage, Medivision Digital Signage Firmware | 2025-12-30 | 8.8 High |
| UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that submits a form to the /query/user/itSet endpoint to add a new admin user with elevated privileges. | ||||
| CVE-2025-59949 | 1 Freshrss | 1 Freshrss | 2025-12-30 | 5.3 Medium |
| FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue. | ||||
| CVE-2023-44475 | 1 Add Shortcodes Actions And Filters Project | 1 Add Shortcodes Actions And Filters | 2025-12-30 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Michael Simpson Add Shortcodes Actions And Filters plugin <= 2.0.9 versions. | ||||
| CVE-2025-63952 | 1 Magewell | 27 Convert, Pro Convert 12g Sdi 4k Plus, Pro Convert 12g Sdi 4k Plus Firmware and 24 more | 2025-12-30 | 5.7 Medium |
| A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | ||||
| CVE-2025-63953 | 1 Magewell | 11 Convert, Ultra Encode Aio, Ultra Encode Aio Firmware and 8 more | 2025-12-30 | 6.5 Medium |
| A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | ||||
| CVE-2025-56400 | 3 Apple, Google, Tuya | 6 Ios, Android, Smart and 3 more | 2025-12-30 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. | ||||
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | 9.6 Critical |
| Cross-Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21, allows a remote attacker to execute arbitrary code via the /bh_web_backend component. | ||||
| CVE-2025-62190 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-12-29 | 4.3 Medium |
| Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <= 1.10.0 fail to implement CSRF protection on the Calls widget page, which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link. | ||||
| CVE-2025-52841 | 3 Apple, Laundry Project, Linux | 3 Macos, Laundry, Linux Kernel | 2025-12-23 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Laundry on Linux and macOS allows an attacker to perform an account takeover. This issue affects Laundry: 2.3.0. | ||||
| CVE-2024-12642 | 1 Cht | 1 Tenderdoctransfer | 2025-12-23 | 8.1 High |
| TenderDocTransfer from Chunghwa Telecom has an Arbitrary File Write vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to write arbitrary files to any path on the user's system. | ||||
| CVE-2025-64133 | 1 Jenkins | 2 Extensible Choice Parameter, Jenkins | 2025-12-22 | 5.4 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier allows attackers to execute sandboxed Groovy code. | ||||
| CVE-2025-13282 | 2 Cht, Chunghwa Telecom | 2 Tenderdoctransfer, Tenderdoctransfer | 2025-12-19 | 8.1 High |
| TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. | ||||