Total
9105 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-31388 | 2026-04-15 | 4.3 Medium | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Pauple Table & Contact Form 7 Database – Tablesome.This issue affects Table & Contact Form 7 Database – Tablesome: from n/a through 1.0.25. | ||||
| CVE-2025-48077 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in nitinmaurya12 Block Country block-country allows Stored XSS.This issue affects Block Country: from n/a through <= 1.0. | ||||
| CVE-2025-32112 | 2026-04-15 | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Sidebar Manager Light sidebar-manager-light allows Cross Site Request Forgery.This issue affects Sidebar Manager Light: from n/a through <= 1.18. | ||||
| CVE-2017-20221 | 1 Telesquare | 2 Sdt-cs3b1, Sdt-cs3b1 Firmware | 2026-04-14 | 4.3 Medium |
| Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains a cross-site request forgery vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting missing request validation. Attackers can craft malicious web pages that perform administrative actions when visited by logged-in users, enabling command execution with router privileges. | ||||
| CVE-2026-39620 | 2 Priyanshumittal, Wordpress | 2 Appointment, Wordpress | 2026-04-14 | 9.6 Critical |
| Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5. | ||||
| CVE-2026-34749 | 1 Payloadcms | 1 Payload | 2026-04-14 | 5.4 Medium |
| Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1. | ||||
| CVE-2026-34228 | 1 Emlog | 1 Emlog | 2026-04-14 | 6.5 Medium |
| Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This process does not validate a CSRF token. Therefore, an attacker only needs to trick an authenticated administrator into visiting a malicious link to achieve arbitrary SQL execution and arbitrary file write. This issue has been patched in version 2.6.8. | ||||
| CVE-2026-39640 | 2 Mndpsingh287, Wordpress | 2 Theme Editor, Wordpress | 2026-04-14 | 9.6 Critical |
| Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2. | ||||
| CVE-2026-39671 | 2 Dotstore, Wordpress | 2 Extra Fees Plugin For Woocommerce, Wordpress | 2026-04-14 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3. | ||||
| CVE-2026-5918 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-14 | 4.3 Medium |
| Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2026-6109 | 1 Foundation Agents | 1 Metagpt | 2026-04-14 | 4.3 Medium |
| A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2025-4088 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | 6.5 Medium |
| A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability was fixed in Firefox 138 and Thunderbird 138. | ||||
| CVE-2026-4401 | 2 Wordpress, Wpchill | 2 Wordpress, Download Monitor | 2026-04-13 | 5.4 Medium |
| The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it possible for unauthenticated attackers to delete, disable, or enable approved download paths via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1924 | 2 Arubadev, Wordpress | 2 Aruba Hispeed Cache, Wordpress | 2026-04-13 | 4.3 Medium |
| The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-29521 | 2 Hereta, Shenzhen Hereta Technology | 3 Eth-imc408m, Eth-imc408m Firmware, Hereta Eth-imc408m | 2026-04-13 | 4.3 Medium |
| Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-included HTTP Basic Authentication credentials to add RADIUS accounts, alter network settings, or trigger diagnostics. | ||||
| CVE-2026-39603 | 2 Themegoods, Wordpress | 2 Grand Photography, Wordpress | 2026-04-13 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Photography grandphotography allows Cross Site Request Forgery.This issue affects Grand Photography: from n/a through <= 5.7.8. | ||||
| CVE-2019-25682 | 1 Victoralagwu | 1 Cmssite | 2026-04-10 | 4.3 Medium |
| CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint with parameters like source=add_user, source=edit_user, or del=1 to create, modify, or delete admin accounts. | ||||
| CVE-2026-39617 | 2 Priyanshumittal, Wordpress | 2 Bluestreet, Wordpress | 2026-04-10 | 9.6 Critical |
| Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through <= 1.7.3. | ||||
| CVE-2026-39619 | 2 Priyanshumittal, Wordpress | 2 Busiprof, Wordpress | 2026-04-10 | 9.6 Critical |
| Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue affects Busiprof: from n/a through <= 2.5.2. | ||||
| CVE-2026-39621 | 2 Spicethemes, Wordpress | 2 Spicepress, Wordpress | 2026-04-10 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server.This issue affects SpicePress: from n/a through <= 2.3.2.5. | ||||