Total
8777 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-37149 | 1 Edimax | 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware | 2026-03-05 | 8.1 High |
| Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges. | ||||
| CVE-2020-37145 | 1 Hrsale | 1 Hrsale | 2026-03-05 | 4.3 Medium |
| HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges. | ||||
| CVE-2020-37144 | 1 Exagate | 2 Sysguard 3001 Firmware, Sysguard 6001 | 2026-03-05 | 5.3 Medium |
| Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim's consent. | ||||
| CVE-2020-37096 | 1 Edimax | 2 Ew-7438rpn Mini, Ew-7438rpn Mini Firmware | 2026-03-05 | 5.3 Medium |
| Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device's filtering rules without their consent. | ||||
| CVE-2020-37079 | 2 Wftpserver, Winftp Server | 2 Wing Ftp Server, Winftp Server | 2026-03-05 | 4.3 Medium |
| Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user account without proper authorization. | ||||
| CVE-2020-37054 | 1 Naviwebs | 1 Navigate Cms | 2026-03-05 | 4.3 Medium |
| Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation. | ||||
| CVE-2020-37007 | 1 Salihciftci | 1 Liman | 2026-03-05 | 5.3 Medium |
| Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. Attackers can craft malicious HTML forms to change user passwords or modify account information by tricking logged-in users into submitting unauthorized requests. | ||||
| CVE-2019-25447 | 1 Orientdb | 1 Orientdb | 2026-03-05 | 4.3 Medium |
| OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes, manage users, and create functions by sending authenticated requests without token validation, combined with reflected and stored cross-site scripting vulnerabilities in the web interface. | ||||
| CVE-2019-25313 | 2 Flexera, Flexerasoftware | 2 Flexnet Publisher, Flexnet Publisher | 2026-03-05 | 4 Medium |
| FlexNet Publisher 11.12.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious HTML form to trick authenticated users into submitting a request that creates a new local admin account with a predefined password. | ||||
| CVE-2026-3193 | 1 Chia | 1 Blockchain | 2026-03-05 | 3.1 Low |
| A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. The manipulation results in cross-site request forgery. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was informed early via email. A separate report via bugbounty was rejected with the reason "This is by design. The user is responsible for host security". | ||||
| CVE-2026-2994 | 1 Concretecms | 1 Concrete Cms | 2026-03-04 | 6.8 Medium |
| Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting | ||||
| CVE-2021-35486 | 1 Nokia | 1 Impact | 2026-03-04 | 8.1 High |
| A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie is validated. | ||||
| CVE-2026-27758 | 3 Shenzhen Hongyavision Technology Co, Sodola-network, Sodolanetworks | 4 Sodola Sl902-swtgw124as, Sl902-swtgw124as, Sl902-swtgw124as Firmware and 1 more | 2026-03-03 | 4.3 Medium |
| SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a cross-site request forgery vulnerability in its management interface that allows attackers to induce authenticated users into submitting forged requests. Attackers can craft malicious requests that execute unauthorized configuration or administrative actions with the victim's privileges when the authenticated user visits a malicious webpage. | ||||
| CVE-2026-24408 | 2 Linuxfoundation, Sigstore | 2 Sigstore-python, Sigstore-python | 2026-03-02 | 0 Low |
| sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue. | ||||
| CVE-2024-42056 | 1 Retool | 1 Retool | 2026-03-02 | 6.5 Medium |
| Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1. | ||||
| CVE-2025-13671 | 1 Opentext | 1 Web Site Management Server | 2026-02-27 | 6.5 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously. This issue affects Web Site Management Server: 16.7.0, 16.7.1. | ||||
| CVE-2024-37212 | 1 Ali2woo | 1 Aliexpress Dropshipping With Alinext | 2026-02-27 | 8.3 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Ali2Woo Ali2Woo Lite.This issue affects Ali2Woo Lite: from n/a through 3.3.5. | ||||
| CVE-2026-27589 | 1 Caddyserver | 1 Caddy | 2026-02-27 | 6.5 Medium |
| Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue. | ||||
| CVE-2026-27632 | 1 Talishar | 1 Talishar | 2026-02-27 | 2.6 Low |
| Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. By failing to require unique, unpredictable session tokens, the application allows third-party malicious websites to forge requests on behalf of authenticated users, leading to unauthorized actions within active game sessions. The attacker would need to know both the proper gameName and playerID for the player. The player would also need to be browsing and interact with the infected website while playing a game. The vulnerability is fixed in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48. | ||||
| CVE-2026-27609 | 2 Parse Community, Parseplatform | 2 Parse Dashboard, Parse Dashboard | 2026-02-27 | 6.5 Medium |
| Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected. | ||||