Total
8380 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10557 | 1 Fabian | 1 Blood Bank Management System | 2025-10-23 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in code-projects Blood Bank Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /file/updateprofile.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-10448 | 1 Fabian | 1 Blood Bank Management System | 2025-10-23 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in code-projects Blood Bank Management System 1.0. Affected by this issue is some unknown functionality of the file /file/delete.php. The manipulation of the argument bid leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other endpoints might be affected as well. | |||||
| CVE-2024-10605 | 1 Fabian | 1 Blood Bank Management System | 2025-10-23 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /file/request.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-7756 | 1 Fabian | 1 E-commerce Site | 2025-10-23 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in code-projects E-Commerce Site 1.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-62771 | 2025-10-22 | N/A | 7.5 HIGH | ||
| Mercku M6a devices through 2.1.0 allow password changes via intranet CSRF attacks. | |||||
| CVE-2025-10588 | 2025-10-22 | N/A | 4.3 MEDIUM | ||
| The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-54286 | 2 Canonical, Linux | 2 Lxd, Linux Kernel | 2025-10-22 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication. | |||||
| CVE-2014-100005 | 1 Dlink | 2 Dir-600, Dir-600 Firmware | 2025-10-22 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php. | |||||
| CVE-2016-6277 | 1 Netgear | 22 D6220, D6220 Firmware, D6400 and 19 more | 2025-10-22 | 9.3 HIGH | 8.8 HIGH |
| NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/. | |||||
| CVE-2025-9890 | 2025-10-21 | N/A | 8.8 HIGH | ||
| The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-43296 | 1 Apple | 1 Macos | 2025-10-20 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26. An app may bypass Gatekeeper checks. | |||||
| CVE-2025-59428 | 1 Espocrm | 1 Espocrm | 2025-10-20 | N/A | 5.4 MEDIUM |
| EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9. | |||||
| CVE-2025-61930 | 1 Emlog | 1 Emlog | 2025-10-20 | N/A | 8.1 HIGH |
| Emlog is an open source website building system. Emlog Pro versions 2.5.19 and earlier are vulnerable to Cross‑Site Request Forgery (CSRF) on the password change endpoint. An attacker can trick a logged‑in administrator into submitting a crafted POST request to change the admin password without consent. Impact is account takeover of privileged users. Severity: High. As of time of publication, no known patched versions exist. | |||||
| CVE-2022-1092 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog | |||||
| CVE-2022-0363 | 1 Wpexperts | 1 Mycred | 2025-10-17 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts. | |||||
| CVE-2023-35096 | 1 Wpexperts | 1 Mycred | 2025-10-17 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions. | |||||
| CVE-2024-54792 | 1 Eng | 1 Spagobi | 2025-10-17 | N/A | 6.1 MEDIUM |
| A Cross-Site Request Forgery (CSRF) vulnerability has been found in SpagoBI v3.5.1 in the user administration panel. An authenticated user can lead another user into executing unwanted actions inside the application they are logged in, like adding, editing or deleting users. | |||||
| CVE-2025-46547 | 1 Sherparpa | 1 Sherpa Orchestrator | 2025-10-16 | N/A | 5.4 MEDIUM |
| In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, with resultant effects of an attacker conducting XSS attacks, adding a new user or role, or exploiting a SQL injection issue. | |||||
| CVE-2025-10300 | 2025-10-16 | N/A | 4.3 MEDIUM | ||
| The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-10312 | 2025-10-16 | N/A | 4.3 MEDIUM | ||
| The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger arbitrary file downloads and potentially execute malicious operations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||