Total: 9179 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6689 | 1 Efacec | 2 Bcu 500, Bcu 500 Firmware | 2026-02-25 | 8.2 High |
| A successful CSRF attack could force the user to perform state changing requests on the application. If the victim is an administrative account, a CSRF attack could compromise the entire web application. | ||||
| CVE-2022-41296 | 1 Ibm | 2 Db2, Db2 Warehouse | 2026-02-25 | 6.5 Medium |
| IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210. | ||||
| CVE-2021-26034 | 1 Joomla | 1 Joomla! | 2026-02-25 | 6.5 Medium |
| An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in data download endpoints in com_banners and com_sysinfo. | ||||
| CVE-2021-26033 | 1 Joomla | 1 Joomla! | 2026-02-25 | 6.5 Medium |
| An issue was discovered in Joomla! 3.0.0 through 3.9.26. A missing token check causes a CSRF vulnerability in the AJAX reordering endpoint. | ||||
| CVE-2025-65027 | 2 Romm.app, Rommapp | 2 Romm, Romm | 2026-02-24 | 7.6 High |
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed, the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS), which, when combined with a CSRF misconfiguration, leads to full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | ||||
| CVE-2021-41372 | 1 Microsoft | 1 Power Bi Report Server | 2026-02-24 | 7.6 High |
| A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when a Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files are accessed directly by the victim. Combining these 2 vulnerabilities together, an attacker is able to upload malicious Power BI template files to the server using the victim's session and run scripts in the security context of the user and perform privilege escalation in case the victim has admin privileges when the victim accesses one of the HTML files present in the malicious Power BI template uploaded. The security update addresses the vulnerability by helping to ensure that Power BI Report Server properly sanitizes file uploads. | ||||
| CVE-2025-68722 | 1 Axigen | 2 Axigen Mail Server, Mail Server | 2026-02-24 | 8.8 High |
| Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations. | ||||
| CVE-2025-13790 | 1 Scada-lts | 1 Scada-lts | 2026-02-24 | 4.3 Medium |
| A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-14117 | 1 Fit2cloud | 1 Halo | 2026-02-24 | 4.3 Medium |
| A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2020-35615 | 1 Joomla | 1 Joomla! | 2026-02-24 | 6.3 Medium |
| An issue was discovered in Joomla! 2.5.0 through 3.9.22. A missing token check in the emailexport feature of com_privacy causes a CSRF vulnerability. | ||||
| CVE-2025-70062 | 1 Phpgurukul | 1 Hospital Management System | 2026-02-23 | 6.5 Medium |
| PHPGurukul Hospital Management System v4.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the 'Add Doctor' module. The application fails to enforce CSRF token validation on the add-doctor.php endpoint. This allows remote attackers to create arbitrary Doctor accounts (privileged users) by tricking an authenticated administrator into visiting a malicious page. | ||||
| CVE-2020-36908 | 1 Securecomputing | 2 Snapgear Sg560, Snapgear Sg560 Firmware | 2026-02-23 | 5.3 Medium |
| SnapGear Management Console SG560 version 3.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft a malicious web page that automatically submits a form to create a new super user account with full administrative privileges when a logged-in user visits the page. | ||||
| CVE-2024-55271 | 1 Phpgurukul | 1 Gym Management System | 2026-02-23 | 3.5 Low |
| A Cross-Site Request Forgery (CSRF) vulnerability has been identified in phpgurukul Gym Management System 1.0. This issue is present in the profile update functionality of the User Panel, specifically the /profile.php endpoint. | ||||
| CVE-2025-15405 | 1 Phpems | 1 Phpems | 2026-02-23 | 4.3 Medium |
| A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely. | ||||
| CVE-2024-55089 | 1 Rhymix | 1 Rhymix | 2026-02-20 | 4.1 Medium |
| Rhymix before 2.1.24 is vulnerable to Server-Side Request Forgery (SSRF) in the background import data function because XML documents may contain external entities. | ||||
| CVE-2020-37158 | 2 Avideo, Wwbn | 2 Avideo Platform, Avideo | 2026-02-20 | 5.3 Medium |
| AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication. | ||||
| CVE-2025-13982 | 2 Drupal, Innoraft | 2 Login Time Restriction, Login Time Restriction | 2026-02-19 | 8.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery. This issue affects Login Time Restriction: from 0.0.0 before 1.0.3. | ||||
| CVE-2018-17366 | 1 Mingsoft | 1 Mcms | 2026-02-19 | N/A |
| An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. | ||||
| CVE-2022-0088 | 1 Yourls | 1 Yourls | 2026-02-16 | 7.4 High |
| Cross-Site Request Forgery (CSRF) in GitHub repository yourls/yourls prior to 1.8.3. | ||||
| CVE-2025-21193 | 1 Microsoft | 6 Windows Server 2016, Windows Server 2019, Windows Server 2022 and 3 more | 2026-02-13 | 6.5 Medium |
| Active Directory Federation Server Spoofing Vulnerability | ||||