Total
8664 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-31205 | 1 Saleor | 1 Saleor | 2026-01-07 | 4.2 Medium |
| Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-set request forgery (CSRF) validation when calling refresh token mutation with empty string. When a user provides an empty string in `refreshToken` mutation, while the token persists in `JWT_REFRESH_TOKEN_COOKIE_NAME` cookie, application omits validation against CSRF token and returns valid access token. Versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19 contain a patch for the issue. As a workaround, one may replace `saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token`. This will fix the issue, but be aware, that it returns `JWT_MISSING_TOKEN` instead of `JWT_INVALID_TOKEN`. | ||||
| CVE-2024-31371 | 2 Wordpress, Xylusthemes | 2 Wordpress, Wp Event Aggregator | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Xylus Themes WP Event Aggregator.This issue affects WP Event Aggregator: from n/a through 1.7.6. | ||||
| CVE-2024-33688 | 2 Extendthemes, Wordpress | 2 Teluro, Teluro Theme | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes Teluro.This issue affects Teluro: from n/a through 1.0.31. | ||||
| CVE-2022-47443 | 1 Danielpowney | 1 Multi Rating | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Daniel Powney Multi Rating plugin <= 5.0.5 versions. | ||||
| CVE-2024-31429 | 2 Blossomthemes, Wordpress | 2 Sarada, Wordpress | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Sarada Lite.This issue affects Sarada Lite: from n/a through 1.1.2. | ||||
| CVE-2024-37243 | 2 Blossomthemes, Wordpress | 2 Vandana, Wordpress | 2026-01-07 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vandana Lite allows Cross Site Request Forgery.This issue affects Vandana Lite: from n/a through 1.1.9. | ||||
| CVE-2023-50931 | 1 Savignano | 1 S-notify | 2026-01-06 | 8.3 High |
| An issue was discovered in savignano S/Notify before 2.0.1 for Bitbucket. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website. If executed while an administrator is logged on to Bitbucket, an attacker could exploit this to modify the configuration of the S/Notify app on that host. This can, in particular, lead to email notifications being no longer encrypted when they should be. | ||||
| CVE-2023-50932 | 1 Savignano | 1 S-notify | 2026-01-06 | 8.3 High |
| An issue was discovered in savignano S/Notify before 4.0.2 for Confluence. While an administrative user is logged on, the configuration settings of S/Notify can be modified via a CSRF attack. The injection could be initiated by the administrator clicking a malicious link in an email or by visiting a malicious website. If executed while an administrator is logged on to Confluence, an attacker could exploit this to modify the configuration of the S/Notify app on that host. This can, in particular, lead to email notifications being no longer encrypted when they should be. | ||||
| CVE-2025-14163 | 2 Leap13, Wordpress | 2 Premium Addons For Elementor, Wordpress | 2026-01-05 | 4.3 Medium |
| The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link. | ||||
| CVE-2024-6719 | 2 Webgarh, Wordpress | 2 Offload Videos, Wordpress | 2026-01-05 | 8.1 High |
| The Offload Videos WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack | ||||
| CVE-2025-65203 | 1 Keepassxc | 1 Keepassxc-browser | 2026-01-05 | 7.1 High |
| KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials. | ||||
| CVE-2018-25152 | 1 Ecessa | 1 Edge Ev150 | 2026-01-05 | 5.3 Medium |
| Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials. | ||||
| CVE-2018-25151 | 1 Ecessa | 1 Wanworx Wvr-30 | 2026-01-05 | 4.3 Medium |
| Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form to create a new superuser account by tricking an authenticated administrator into loading the page. | ||||
| CVE-2024-30855 | 1 Dedecms | 1 Dedecms | 2026-01-05 | 8.8 High |
| DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php. | ||||
| CVE-2025-35030 | 2 Medical Informatics Engineering, Mieweb | 2 Enterprise Health, Enterprise Health | 2026-01-02 | 8.1 High |
| Medical Informatics Engineering Enterprise Health has a cross site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and perform actions on behalf of that administrative user. This issue is fixed as of 2025-04-08. | ||||
| CVE-2024-6230 | 2 Wordpress, Wp-master | 2 Wordpress, Pardakht-delkhah | 2026-01-02 | 6.5 Medium |
| The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 does not have CSRF check in place when resetting its form fields, which could allow attackers to make a logged in admin perform such action via a CSRF attack | ||||
| CVE-2024-2232 | 1 2code | 1 Himer | 2026-01-02 | 8.1 High |
| The lacks CSRF checks allowing a user to invite any user to any group (including private groups) | ||||
| CVE-2025-66906 | 2 Turms, Turms-im | 2 Admin Api, Turms | 2026-01-02 | 6.1 Medium |
| Cross Site Request Forgery (CSRF) vulnerability in Turms Admin API thru v0.10.0-SNAPSHOT allows attackers to gain escalated privileges. | ||||
| CVE-2025-66953 | 1 Nardamiteq | 2 Upc2, Upc2 Firmware | 2026-01-02 | 8.8 High |
| CSRF vulnerability in narda miteq Uplink Power Contril Unit UPC2 v.1.17 allows a remote attacker to execute arbitrary code via the Web-based management interface and specifically the /system_setup.htm, /set_clock.htm, /receiver_setup.htm, /cal.htm?..., and /channel_setup.htm endpoints | ||||
| CVE-2025-67013 | 1 Etlsystems | 54 C0401d1uia-22476, C0401d1uia-22476 Firmware, C0401d1ula-22419 and 51 more | 2026-01-02 | 6.5 Medium |
| The web management interface in ETL Systems Ltd DEXTRA Series ' Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints. | ||||