Total
8331 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9887 | 1 Wordpress | 1 Wordpress | 2025-09-22 | 4.3 Medium |
| The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzk_adminclsw.php file. This makes it possible for unauthenticated attackers to change the email and username settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9882 | 2 Osticket, Wordpress | 2 Osticket, Wordpress | 2025-09-22 | 6.1 Medium |
| The osTicket WP Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-43809 | 1 Liferay | 2 Dxp, Portal | 2025-09-22 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions allows remote attackers to register a server license via the 'orderUuid' parameter. | ||||
| CVE-2025-9883 | 1 Wordpress | 1 Wordpress | 2025-09-22 | 6.1 Medium |
| The Browser Sniff plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-56710 | 1 Phpgurukul | 1 Student Result Management System | 2025-09-20 | 7.3 High |
| A Cross-Site Request Forgery (CSRF) vulnerability was identified in the Profile Page of the PHPGurukul Student-Result-Management-System-Using-PHP-V2.0. This flaw allows an attacker to trick authenticated users into unintentionally modifying their account details. By crafting a malicious HTML page, an attacker can submit unauthorized requests to the vulnerable endpoint: /create-class.php. | ||||
| CVE-2025-50255 | 1 Bpcbt | 2 Smartvista, Smartvista Backoffice | 2025-09-19 | 7.8 High |
| Cross Site Request Forgery (CSRF) vulnerability in Smartvista BackOffice SmartVista Suite 2.2.22 via crafted GET request. | ||||
| CVE-2024-2215 | 1 Jenkins | 1 Docker-build-step | 2025-09-18 | 6.1 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. | ||||
| CVE-2024-48341 | 2 Dingfanzu, Geeeeeeeek | 2 Cms, Dingfanzu | 2025-09-18 | 3.7 Low |
| dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=addShop | ||||
| CVE-2025-54390 | 1 Zimbra | 1 Collaboration | 2025-09-18 | 6.3 Medium |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) when the zimbraFeatureResetPasswordStatus attribute is enabled. An attacker can exploit this by tricking an authenticated user into visiting a malicious webpage that silently sends a crafted SOAP request to reset the user's password. The vulnerability stems from a lack of CSRF token validation on the endpoint, allowing password resets without the user's consent. | ||||
| CVE-2024-48913 | 1 Hono | 1 Hono | 2025-09-17 | 5.9 Medium |
| Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery (CSRF) middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. This can allow an attacker to bypass CSRF protection implemented with Hono CSRF middleware. Version 4.6.5 fixes this issue. | ||||
| CVE-2024-43787 | 2 Eclipse, Hono | 2 Hono, Hono | 2025-09-17 | 5 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass csrf middleware using upper-case form-like MIME type. This vulnerability is fixed in 4.5.8. | ||||
| CVE-2025-10188 | 1 Wordpress | 1 Wordpress | 2025-09-17 | 5.4 Medium |
| The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the bulk_remove() function. This makes it possible for unauthenticated attackers to arbitrary directory deletion in /wp-content via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9891 | 1 Wordpress | 1 Wordpress | 2025-09-17 | 4.3 Medium |
| The User Sync – Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9629 | 1 Wordpress | 1 Wordpress | 2025-09-17 | 4.3 Medium |
| The USS Upyun plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on the uss_setting_page function when processing the uss_set form type. This makes it possible for unauthenticated attackers to modify critical Upyun cloud storage settings including bucket name, operator credentials, upload paths, and image processing parameters via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9881 | 1 Wordpress | 1 Wordpress | 2025-09-15 | 6.1 Medium |
| The Ultimate Blogroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9880 | 2 Dejocar, Wordpress | 2 Side Slide Responsive Menu, Wordpress | 2025-09-15 | 6.1 Medium |
| The Side Slide Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-54256 | 3 Adobe, Apple, Microsoft | 3 Dreamweaver, Macos, Windows | 2025-09-15 | 8.6 High |
| Dreamweaver Desktop versions 21.5 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must click on a malicious link, and scope is changed. | ||||
| CVE-2025-48114 | 1 Wordpress | 1 Wordpress | 2025-09-15 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in ShayanWeb Admin FontChanger allows Stored XSS.This issue affects ShayanWeb Admin FontChanger: from n/a through 1.9.1. | ||||
| CVE-2023-5455 | 3 Fedoraproject, Freeipa, Redhat | 25 Fedora, Freeipa, Codeready Linux Builder and 22 more | 2025-09-12 | 6.5 Medium |
| A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt. | ||||
| CVE-2025-9632 | 2 Vinzzb, Wordpress | 2 Phplist Subber, Wordpress | 2025-09-12 | 4.3 Medium |
| The PhpList Subber plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the bulk_action_handler function. This makes it possible for unauthenticated attackers to trigger bulk synchronization of subscription forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||