Search Results (9398 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-43930 2 Eyecix, Wordpress 2 Jobsearch, Wordpress 2026-04-15 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in eyecix JobSearch allows Cross Site Request Forgery.This issue affects JobSearch: from n/a through 2.5.3.
CVE-2025-27792 2026-04-15 N/A
Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using `<meta name="referrer" content="never">`, effectively bypassing this protection. Version 5.1.1 contains a patch for the issue.
CVE-2024-39326 1 Nsa 1 Skills-service 2026-04-15 4.4 Medium
SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.
CVE-2024-27448 1 Maildev 1 Maildev 2026-04-15 9.1 Critical
MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to lib/mailserver.js writing arbitrary code into the routes.js file.
CVE-2024-3932 1 Totara 1 Enterprise Lms 2026-04-15 3.1 Low
A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 and 18.8 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2024-10789 2026-04-15 4.3 Medium
The WP User Profile Avatar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the wpupa_user_admin() function. This makes it possible for unauthenticated attackers to update the plugins setting which controls access to the functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-24289 2026-04-15 N/A
A Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in the UCRM Client Signup Plugin (v1.3.4 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. The plugin is disabled by default.
CVE-2024-12557 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Transporters.io plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-14904 2 Anilankola, Wordpress 2 Newsletter Email Subscribe, Wordpress 2026-04-15 4.3 Medium
The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-49347 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Cross-Site Request Forgery (CSRF) vulnerability in Jupitercow WP sIFR wp-sifr allows Stored XSS.This issue affects WP sIFR: from n/a through <= 0.6.8.1.
CVE-2025-7379 1 Asustor 2 Adm, Datasync Center 2026-04-15 N/A
A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206.
CVE-2025-60075 2 Allegro Marketing, Wordpress 2 Hpb Seo Plugin For Wordpress, Wordpress 2026-04-15 7.1 High
Cross-Site Request Forgery (CSRF) vulnerability in Allegro Marketing hpb seo plugin for WordPress hpbseo allows Reflected XSS.This issue affects hpb seo plugin for WordPress: from n/a through <= 3.0.1.
CVE-2024-0892 2026-04-15 4.3 Medium
The Schema App Structured Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the MarkUpdate function. This makes it possible for unauthenticated attackers to update and delete post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-0847 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
The 5280 Bootstrap Modal Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in class-sbmm-list-table.php. This makes it possible for unauthenticated attackers to bulk delete messages via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-11071 2026-04-15 8.8 High
Permissive Cross-domain Policy with Untrusted Domains vulnerability in local API server of DestinyECM solution(versions described below) which is developed and maintained by Cyberdigm may allow Cross-Site Request Forgery (CSRF) attack, which probabilistically enables JSON Hijacking (aka JavaScript Hijacking) via forgery web page.* Due to product customization, version information may differ from the following version description. For further inquiries, please contact the vendor.
CVE-2024-8489 1 Modelscope 1 Agentscope 2026-04-15 N/A
A vulnerability in modelscope/agentscope, specifically in the AgentScope Studio backend server, allows for Cross-Site Request Forgery (CSRF) due to overly permissive CORS headers. This issue affects the latest commit on the main branch (21161fe). The vulnerability permits an attacker to access all backend endpoints, including the `api/file` endpoint, enabling the reading of arbitrary files on the target's local file system through CSRF.
CVE-2024-35657 2026-04-15 5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Plechev Andrey WP-Recall.This issue affects WP-Recall: from n/a through 16.26.6.
CVE-2024-9365 2026-04-15 N/A
A Cross-Site Request Forgery (CSRF) vulnerability in polyaxon/polyaxon v2.4.0 allows attackers to perform unauthorized actions in the context of the victim's browser. This includes creating projects, model versions, and artifact versions, or changing settings. The impact of this vulnerability includes potential data loss and service disruption.
CVE-2024-10726 2026-04-15 6.1 Medium
The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-64700 1 Growi 1 Growi 2026-04-15 N/A
Cross-site request forgery vulnerability exists in GROWI v7.3.3 and earlier. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.