Total
9315 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-11270 | 1 Google | 2 Android, Chrome | 2026-06-08 | 6.5 Medium |
| Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-7047 | 2 Absikandar, Wordpress | 2 Frontend User Notes, Wordpress | 2026-06-06 | 4.3 Medium |
| The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funp_ajax_modify_notes function. This makes it possible for unauthenticated attackers to trick a logged-in user into visiting a malicious page, causing unauthorized overwriting of that victim's own note content via a forged cross-site request to wp_update_post() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to ownership enforcement comparing the note's stored _funp_single_user_id meta against the current session's user ID, the attack is limited to modifying only notes belonging to the tricked victim, and cannot be used to alter notes owned by arbitrary third-party users. | ||||
| CVE-2026-9719 | 2 Latepoint, Wordpress | 2 Latepoint – Calendar Booking Plugin For Appointments And Events, Wordpress | 2026-06-06 | 4.3 Medium |
| The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices — including marking unpaid invoices as paid — without administrator consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-0610 | 1 Akinsoft | 1 Qr Menu | 2026-06-06 | 8.6 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Akınsoft QR Menü allows Cross Site Request Forgery. This issue affects QR Menü: from s1.05.06 before v1.05.12. | ||||
| CVE-2025-1927 | 1 Restajet | 1 Online Food Delivery System | 2026-06-06 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery. This issue affects Online Food Delivery System: through 19122025. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-11200 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-06-05 | 6.5 Medium |
| Inappropriate implementation in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-11214 | 2 Apple, Google | 2 Iphone Os, Chrome | 2026-06-05 | 6.5 Medium |
| Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-11194 | 1 Google | 1 Chrome | 2026-06-05 | 6.5 Medium |
| Inappropriate implementation in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2026-11195 | 1 Google | 1 Chrome | 2026-06-05 | 6.5 Medium |
| Inappropriate implementation in MHTML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2019-25729 | 1 Simcy Creative | 1 Pdf Signer | 2026-06-05 | 9.8 Critical |
| PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie parameter. Attackers can craft malicious cookie values containing template injection payloads like shell_exec() to execute system commands and retrieve sensitive information from the server. | ||||
| CVE-2025-11022 | 2026-06-05 | 9.6 Critical | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. This CSRF vulnerability resulting in Command Injection has been identified. This issue affects Panilux: before v.0.10.0. NOTE: The vendor was contacted and responded that they deny ownership of the mentioned product. | ||||
| CVE-2026-43985 | 1 Tautulli | 1 Tautulli | 2026-06-04 | 8.8 High |
| Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but the route does not enforce `POST` and does not use any anti-CSRF token. In the default form and JWT-based authentication mode, the administrator session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests. An attacker can exploit this by luring a logged-in administrator to a malicious page that submits a cross-site request to `/configUpdate` and overwrites the local administrator username and password. The attacker can then sign in directly with the chosen credentials and take over the Tautulli administrative interface. Version 2.17.1 patches the issue. | ||||
| CVE-2025-13296 | 1 T-soft | 1 E-commerce | 2026-06-04 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery. This issue affects T-Soft E-Commerce: through 28112025. | ||||
| CVE-2026-35266 | 1 Oracle | 1 Rest Data Services | 2026-06-03 | 7.9 High |
| Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L). | ||||
| CVE-2026-42073 | 1 Gitlawb | 1 Openclaude | 2026-06-03 | 6.5 Medium |
| OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all. This issue has been patched in version 0.5.1. | ||||
| CVE-2026-9732 | 2 Planetshaker, Wordpress | 2 Emergencywp – Dead Man's Switch & Legacy Deliverance, Wordpress | 2026-06-03 | 4.3 Medium |
| The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the form_settings_ui (settings save handler, procedural include scope) function. This makes it possible for unauthenticated attackers to modify plugin settings including the minimum access role (altering WordPress role capabilities via add_cap/remove_cap), the data-erasure-on-uninstall flag, life-check timing values, the mandator email address, the confirmation page ID, and date/time formats via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-49433 | 1 Deepai | 1 Api.deepai.org | 2026-06-02 | 5 Medium |
| The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20. | ||||
| CVE-2026-4071 | 2 Birdseedapp, Wordpress | 2 Birdseed, Wordpress | 2026-06-02 | 4.3 Medium |
| The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page() function. The function processes the 'birdseed_token' GET parameter and saves it to the database via update_option() without verifying a nonce. This makes it possible for unauthenticated attackers to change the plugin's BirdSeed token setting via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | ||||
| CVE-2026-9723 | 2 Ddd2500, Wordpress | 2 Google Plus One Bottom, Wordpress | 2026-06-02 | 4.3 Medium |
| The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the plusone-lang, plusone-callback, and plusone-url options stored in the database via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-9599 | 2 Russellr, Wordpress | 2 Tectite Forms, Wordpress | 2026-06-02 | 4.3 Medium |
| The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the admin_init function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the tectite_forms_button option, via a forged request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||