{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31014", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T18:21:08.828Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-21T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T14:43:26.766Z"}, "descriptions": [{"lang": "en", "value": "Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST-based request can be converted to a GET request while still successfully updating user details. This allows an attacker to craft a malicious request that, when visited by an authenticated user, can modify user account information without their consent."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://dovestones.com/download/"}, {"url": "https://gist.github.com/pentestrox/64cb5febcd9b3022c1f9d3340bf586e3"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T18:21:04.933068Z", "id": "CVE-2026-31014", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:21:08.828Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31014", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T18:21:04.933068Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:21:00.520Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://dovestones.com/download/"}, {"url": "https://gist.github.com/pentestrox/64cb5febcd9b3022c1f9d3340bf586e3"}], "descriptions": [{"lang": "en", "value": "Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST-based request can be converted to a GET request while still successfully updating user details. This allows an attacker to craft a malicious request that, when visited by an authenticated user, can modify user account information without their consent."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T14:43:26.766Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31014", "state": "PUBLISHED", "dateUpdated": "2026-04-21T18:21:08.828Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-21T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dovestones:ad_self_update:*:*:*:*:*:*:*:*", "matchCriteriaId": "90C7AA8B-92C3-4582-A04A-04F36FCB5719", "versionEndExcluding": "4.0.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST-based request can be converted to a GET request while still successfully updating user details. This allows an attacker to craft a malicious request that, when visited by an authenticated user, can modify user account information without their consent."}], "id": "CVE-2026-31014", "lastModified": "2026-04-23T16:21:21.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T15:16:36.337", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://dovestones.com/download/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/pentestrox/64cb5febcd9b3022c1f9d3340bf586e3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.0.5)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "ad_self_update", "vendor": "dovestones"}], "analysis": {"en": {"generated_at": "2026-04-22T07:36:31.439350+00:00", "value": {"mitigation_remediation": ["Install the newest version of Dovestones Softwares AD Self Update (4.0.0.5 or later) to eliminate the CSRF flaw.", "If an immediate upgrade is not feasible, implement a CSRF token check or reject state\u2011changing requests that lack a valid token and enforce same\u2011origin policies to restrict the endpoint to trusted origins.", "Audit and monitor account change logs for suspicious activity to detect and respond to potential exploitation attempts."], "summary": {"action": "Apply Fix", "impact": "Unauthorized modification of user account data"}, "threat_synthesis": {"affected_systems": "Dovestones Softwares AD Self Update (version < 4.0.0.5) is the only affected product.", "description_and_impact": "The vulnerability is a Cross\u2011Site Request Forgery flaw in Dovestones Softwares AD Self Update, versioned below 4.0.0.5. The endpoint processes state\u2011changing requests without requiring a CSRF token, allowing an attacker to send modifications to user account data without the user\u2019s consent. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST\u2011based request can be converted to a GET request while still succeeding in updating user details. This creates a path for an attacker to craft a malicious request that will be executed automatically when an authenticated user visits a link or submits a form.\n\nThe result is that user account information can be altered without authorization, compromising privacy and potentially degrading system integrity. If the system also permits further actions after the update, broader consequences are possible.\n\nThe CVSS score of 6.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no publicly known exploitation to date. The likely attack vector is inferred to be a malicious link or form presented to an authenticated user, triggering the unauthorized request internally. The risk depends on how often users authenticate and the exposure of the affected endpoint.", "risk_and_exploitability": "The vulnerability is a CSRF flaw that permits state\u2011changing requests without a CSRF token or equivalent protection. Because the endpoint accepts application/x-www-form-urlencoded requests and allows an originally POST\u2011based request to be converted to GET while still succeeding, an attacker can craft a malicious request that an authenticated user will automatically trigger by visiting a link or submitting a form. This yields unauthorized updates to user account details. The CVSS score of 6.3 indicates moderate severity, and with the EPSS value not available, the exact exploitation likelihood remains uncertain, but the absence from the CISA KEV catalog suggests limited public exploitation as of now."}}}}, "created": "2026-04-22T07:45:11.738834+00:00", "title": "Cross\u2011Site Request Forgery Enables Unauthorized User Account Modification", "updated": "2026-04-22T11:47:05.321162+00:00", "vendors": ["dovestones", "dovestones$PRODUCT$ad_self_update"]}