Search Results (9388 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-13887 1 Google 1 Chrome 2026-07-08 6.5 Medium
Inappropriate implementation in NFC in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-13944 1 Google 1 Chrome 2026-07-08 3.1 Low
Inappropriate implementation in DataTransfer in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-13952 1 Google 1 Chrome 2026-07-08 4.3 Medium
Inappropriate implementation in PerformanceAPIs in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-14016 1 Google 1 Chrome 2026-07-08 6.5 Medium
Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-9731 2026-07-08 4.3 Medium
The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.9. This is due to missing or incorrect nonce validation on the plugin_settings function. This makes it possible for unauthenticated attackers to update the plugin's notification text and CSS settings (wp_non_js_notification_text and wp_non_js_notification_css), injecting arbitrary content that is echoed unescaped on the frontend via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-58315 2026-07-08 N/A
Cross-site request forgery vulnerability exists in SEIKO EPSON Web Config. If a user views a malicious page while logged into Web Config, unintended operations may be performed.
CVE-2026-13826 1 Google 1 Chrome 2026-07-07 6.5 Medium
Inappropriate implementation in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVE-2026-13946 1 Google 1 Chrome 2026-07-07 4.3 Medium
Inappropriate implementation in ScriptInjections in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-49471 2026-07-07 8.3 High
Serena is a powerful MCP toolkit for coding that provides semantic retrieval and editing capabilities. Prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port, with no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach this API from any browser and write arbitrary content to the agent's persistent memory store, which the agent reads and acts on autonomously. Combined with execute_shell_command using shell=True, this creates a remote code execution chain requiring only that the victim visit a malicious webpage while Serena is running. This issue is fixed in version v1.5.2.
CVE-2026-59713 1 Leantime 1 Leantime 2026-07-07 8.1 High
Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.
CVE-2026-34171 1 Coollabsio 1 Coolify 2026-07-07 8 High
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit the crafted invitation URL to reset the victim account password to a predictable value. This issue is fixed in version 4.0.0-beta.471.
CVE-2026-13963 1 Google 1 Chrome 2026-07-07 3.1 Low
Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-58518 1 Wikimedia 1 Mediawiki-redirectmanager Extension 2026-07-06 N/A
Cross-Site request forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - RedirectManager Extension allows Cross Site Request Forgery. This issue affects Mediawiki - RedirectManager Extension: from * before 1.3.3.
CVE-2026-57690 2 Fuelthemes, Wordpress 2 Werkstatt, Wordpress 2026-07-06 4.3 Medium
Unauthenticated Cross Site Request Forgery (CSRF) in Werkstatt <= 4.7.2 versions.
CVE-2026-57751 2 Heateor Support, Wordpress 2 Heateor Social Login, Wordpress 2026-07-06 8.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions.
CVE-2026-57757 2 Ploudapp, Wordpress 2 Pcloud Wp Backup, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.
CVE-2026-57761 2 Blueastralthemes, Wordpress 2 Seowp, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.
CVE-2026-12740 1 Cornelius 1 Plack::middleware::oauth 2026-07-06 8.1 High
Plack::Middleware::OAuth versions through 0.10 for Perl do not support the OAuth 2.0 state parameter. RequestTokenV2 builds the provider authorization redirect without issuing a state value, and AccessTokenV2 exchanges the callback code and registers the resulting token into the session (register_session) without verifying that the callback corresponds to an authorization request this session initiated. Any application that uses this middleware for OAuth 2.0 login is exposed to login cross-site request forgery: because the callback is not bound to the session that began the flow, an attacker who starts an authorization with their own provider account can deliver the resulting callback to a victim, causing the victim's session to complete the attacker's authorization and associating the attacker's provider identity and access token with that session. Where the application persists this as an account link, the attacker may retain access to the victim's account through their own provider credentials.
CVE-2026-59520 2 Properfraction, Wordpress 2 Crawlwp Seo, Wordpress 2026-07-06 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in properfraction CrawlWP SEO allows Cross Site Request Forgery. This issue affects CrawlWP SEO: from n/a through 3.0.16.
CVE-2026-14620 2026-07-06 4.7 Medium
webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none.