Total
9186 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-33449 | 1 Pdfmyurl | 1 Pdfmyurl | 2026-04-15 | 9.8 Critical |
| An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST request in the url parameter | ||||
| CVE-2025-25056 | 2026-04-15 | 4.3 Medium | ||
| Cross-site request forgery vulnerability exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If a user views a malicious page while logged in, unintended operations may be performed. | ||||
| CVE-2021-29050 | 1 Liferay | 2 Dxp, Portal | 2026-04-15 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in the terms of use page in Liferay Portal before 7.3.6, and Liferay DXP 7.3 before service pack 1, 7.2 before fix pack 11 allows remote attackers to accept the site's terms of use via social engineering and enticing the user to visit a malicious page. | ||||
| CVE-2025-14903 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-41254 | 1 Vmware | 1 Spring Framework | 2026-04-15 | 4.3 Medium |
| STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and VersionsSpring Framework: * 6.2.0 - 6.2.11 * 6.1.0 - 6.1.23 * 6.0.x - 6.0.29 * 5.3.0 - 5.3.45 * Older, unsupported versions are also affected. MitigationUsers of affected versions should upgrade to the corresponding fixed version. Affected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary. CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser. | ||||
| CVE-2024-3873 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability was found in SMI SMI-EX-5414W up to 1.0.03. It has been classified as problematic. This affects an unknown part of the component Web Interface. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260907. | ||||
| CVE-2025-41661 | 2026-04-15 | 8.8 High | ||
| An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection. | ||||
| CVE-2025-64700 | 1 Growi | 1 Growi | 2026-04-15 | N/A |
| Cross-site request forgery vulnerability exists in GROWI v7.3.3 and earlier. If a user views a malicious page while logged in, the user may be tricked to do unintended operations. | ||||
| CVE-2024-13560 | 2026-04-15 | 4.3 Medium | ||
| The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-45504 | 2026-04-15 | 6.5 Medium | ||
| Cross-site request forgery (CSRF) vulnerability in multiple Alps System Integration products and the OEM products allow a remote unauthenticated attacker to hijack the authentication of the user and to perform unintended operations if the user views a malicious page while logged in. | ||||
| CVE-2024-12555 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The SIP Calculator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-53483 | 2026-04-15 | 8.8 High | ||
| ArchivePage.php, UnarchivePage.php, and VoterEligibilityPage#executeClear() do not validate request methods or CSRF tokens, allowing attackers to trigger sensitive actions if an admin visits a malicious site. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | ||||
| CVE-2025-31328 | 2026-04-15 | 4.6 Medium | ||
| SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick authenticated user into sending unintended requests to the server. GET-based OData function is named in a way that it violates the expected behaviour. This issue could impact both the confidentiality and integrity of the application without affecting the availability. | ||||
| CVE-2025-4375 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present at the whole application but it can be used to change the Pro Cloud Server Configuration password. This issue affects Pro Cloud Server: earlier than 6.0.165. | ||||
| CVE-2024-12643 | 2026-04-15 | 8.1 High | ||
| The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. | ||||
| CVE-2024-12644 | 2026-04-15 | 7.1 High | ||
| The tbm-client from Chunghwa Telecom has an Arbitrary File vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes. | ||||
| CVE-2024-12646 | 2026-04-15 | 8.1 High | ||
| The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. | ||||
| CVE-2025-62346 | 1 Hcltech | 1 Glovius Cloud | 2026-04-15 | 6.8 Medium |
| A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint. | ||||
| CVE-2025-34133 | 1 Wimi Teamwork | 1 Wimi Teamwork | 2026-04-15 | N/A |
| Wimi Teamwork versions prior to 7.38.17 contains a cross-site request forgery (CSRF) vulnerability in its API. The API accepts any authenticated request that contains a JSON field named 'csrf_token' without validating the field’s value; only the presence of the field is checked. An attacker can craft a cross-site request that causes a logged-in victim’s browser to submit a JSON POST containing an arbitrary or empty 'csrf_token', and the API will execute the request with the victim’s privileges. Successful exploitation can allow an attacker to perform privileged actions as the victim potentially resulting in account takeover, privilege escalation, or service disruption. | ||||
| CVE-2025-14389 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||