VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

Compound · Stable · Likelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 1 of 286
  • CVE-2016-6277 · High · KEV · Dec 14, 2016
    risk 0.80 · cvss 8.8 · epss 1.00

    NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly…

  • CVE-2014-100005 · High · KEV · Jan 13, 2015
    risk 0.70 · cvss 8.0 · epss 0.42

    Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management…

  • CVE-2017-16780 · Critical · Nov 10, 2017
    risk 0.67 · cvss 9.8 · epss 0.06

    The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

  • CVE-2025-32642 · Critical · Apr 9, 2025
    risk 0.65 · cvss 10.0 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in appsbd Vite Coupon vite-coupon allows Remote Code Inclusion. This issue affects Vite Coupon: from n/a through <= 1.0.9.

  • CVE-2025-23922 · Critical · Jan 16, 2025
    risk 0.65 · cvss 10.0 · epss 0.01

    Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a Web Server. This issue affects iSpring Embedder: from n/a through <= 1.0.

  • CVE-2017-5145 · Critical · Feb 13, 2017
    risk 0.65 · cvss 10.0 · epss 0.01

    An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vulnerability can allow execution of unauthorized actions on the device such as…

  • CVE-2019-25729 · Critical · Jun 4, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie parameter. Attackers can craft malicious cookie values containing template injection…

  • CVE-2025-48340 · Critical · May 19, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation. This issue affects User Profile Meta Manager: from n/a through <= 1.02.

  • CVE-2025-31033 · Critical · Apr 9, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Adam Nowak Buddypress Humanity buddypress-humanity allows Cross Site Request Forgery. This issue affects Buddypress Humanity: from n/a through <= 1.2.

  • CVE-2025-23797 · Critical · Jan 16, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Mike Selander WP Options Editor wp-options-editor allows Privilege Escalation. This issue affects WP Options Editor: from n/a through <= 1.1.

  • CVE-2024-56012 · Critical · Dec 16, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in lizeipe Flash News / Post (Responsive) flashnews-fading-effect-pearlbells allows Privilege Escalation. This issue affects Flash News / Post (Responsive): from n/a through <= 4.1.

  • CVE-2024-52402 · Critical · Nov 19, 2024
    risk 0.64 · cvss 9.6 · epss 0.01

    Cross-Site Request Forgery (CSRF) vulnerability in gunghoinc Exclusive Content Password Protect exclusive-content-password-protect allows Upload a Web Shell to a Web Server. This issue affects Exclusive Content Password Protect: from n/a through <= 1.1.0.

  • CVE-2024-33449 · Critical · Apr 29, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST request in the url parameter.

  • CVE-2016-1265 · Critical · Oct 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or gain access to devices managed by Junos Space using cross site request forgery (CSRF), default authentication credentials, information leak and command…

  • CVE-2017-6080 · Critical · Mar 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users…

  • CVE-2017-5959 · Critical · Feb 21, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    CSRF token bypass in GeniXCMS before 1.0.2 could result in escalation of privileges. The forgotpassword.php page can be used to acquire a token.

  • CVE-2016-9866 · Critical · Dec 11, 2016
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x…

  • CVE-2018-7700 · High · Mar 27, 2018
    risk 0.63 · cvss 8.8 · epss 0.75

    DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.

  • CVE-2026-39640 · Critical · Apr 8, 2026
    risk 0.62 · cvss 9.6 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection. This issue affects Theme Editor: from n/a through <= 3.2.

  • CVE-2026-39620 · Critical · Apr 8, 2026
    risk 0.62 · cvss 9.6 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server. This issue affects Appointment: from n/a through <= 3.5.5.