CVE-2026-4968
Description
A vulnerability was determined in SourceCodester Diary App 1.0. The affected element is an unknown function of the file diary.php. Executing a manipulation can lead to cross-site request forgery. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Diary App 1.0 is vulnerable to CSRF in diary.php, allowing unauthorized deletion of diary entries via a crafted GET request.
Vulnerability
Overview
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in SourceCodester Diary App version 1.0. The flaw resides in the diary.php file, specifically within the diary entry deletion functionality. The application performs state-changing operations (deleting entries) via a GET request without any CSRF token verification or origin validation [1].
Exploitation
Details
The vulnerable endpoint is /diary_app/diary-app/diary.php?delete=. An attacker can craft a malicious webpage that, when visited by an authenticated user, triggers a GET request to this endpoint. The attack requires no special privileges; the only prerequisite is that the victim must be logged into the Diary App and must open the attacker's page while their session is active [1].
Impact
Successful exploitation allows an attacker to delete arbitrary diary entries belonging to the authenticated victim. The integrity of user data is compromised, though confidentiality and availability remain unaffected. The CVSS v3.1 base score is 4.3 (Medium), with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N [1].
Mitigation
As of the publication date, the vendor (SourceCodester) has not released a patch. Users should implement CSRF protection mechanisms, such as including anti-CSRF tokens in state-changing requests and validating the request origin. The exploit has been publicly disclosed, increasing the risk of active exploitation [1].
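The following is an added example, not SourceCodester's code, showing what the mitigation above looks like in a PHP deletion handler like the one in diary.php: the state change is moved from GET to POST, a per-session anti-CSRF token is checked with a constant-time comparison, the request origin is validated, and the delete is scoped to the logged-in user. The session key user_id, the mysqli handle $conn and the table diary_entries are assumptions for illustration and are not taken from the CVE record.

```php
<?php
// Added example, not the Diary App's own code. Assumptions (not from the CVE record):
// the app keeps the logged-in user's id in $_SESSION['user_id'], has a mysqli
// connection in $conn, and stores entries in diary_entries(id, user_id, ...).

// Defence in depth: a SameSite=Lax session cookie is not sent on cross-site POSTs.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Issue a per-session anti-CSRF token; call this when rendering the delete form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_token_valid(?string $submitted): bool {
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Accept only requests whose Origin (or, failing that, Referer) is this host.
function same_origin(array $server): bool {
    $expected = (($server['HTTPS'] ?? '') === 'on' ? 'https://' : 'http://')
              . ($server['HTTP_HOST'] ?? '');
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        $origin = ($p['scheme'] ?? '') . '://' . ($p['host'] ?? '')
                . (isset($p['port']) ? ':' . $p['port'] : '');
    }
    return $origin !== null && $origin === $expected;
}

// The delete control: a POST form carrying the token, instead of a GET link.
function render_delete_form(int $entryId): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="diary.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="hidden" name="delete" value="' . $entryId . '">'
         . '<button type="submit">Delete</button></form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
    if (empty($_SESSION['user_id'])) { http_response_code(401); exit('Login required'); }
    if (!same_origin($_SERVER)) { http_response_code(403); exit('Cross-site request rejected'); }
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)) { http_response_code(403); exit('Invalid CSRF token'); }

    $entryId = filter_var($_POST['delete'], FILTER_VALIDATE_INT);
    if ($entryId === false) { http_response_code(400); exit('Bad entry id'); }

    // Ownership is enforced in the query itself, so a forged id cannot reach
    // another user's entry even if the other checks were somehow bypassed.
    $stmt = $conn->prepare('DELETE FROM diary_entries WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $entryId, $_SESSION['user_id']);
    $stmt->execute();
    header('Location: diary.php');
    exit;
} elseif (isset($_GET['delete'])) {
    // The vulnerable pattern from the advisory: a GET that deletes. Refuse it.
    http_response_code(405);
    header('Allow: POST');
    exit('Deletion requires a POST request with a CSRF token');
}
```

Each layer covers a different failure: the token defeats a forged request from any site, the origin check catches clients that omit the token, the SameSite cookie keeps the session out of cross-site POSTs in modern browsers, and the per-user WHERE clause limits what a successful forgery could touch. Any one of them alone would have blocked the GET-based deletion the advisory describes.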
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.