CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 100 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-11134 | Med | 0.42 | 6.5 | 0.00 | Jun 4, 2026 | Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-11129 | Med | 0.42 | 6.5 | 0.00 | Jun 4, 2026 | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-11106 | Med | 0.42 | 6.5 | 0.00 | Jun 4, 2026 | Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-11084 | Med | 0.42 | 6.5 | 0.00 | Jun 4, 2026 | Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-11083 | Med | 0.42 | 6.5 | 0.00 | Jun 4, 2026 | Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2026-11020 | Med | 0.42 | 6.5 | 0.00 | Jun 4, 2026 | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. (Chromium security severity: Medium) | ||
| CVE-2026-46620 | Med | 0.42 | 6.5 | 0.00 | May 26, 2026 | e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing… | ||
| CVE-2026-24574 | Med | 0.42 | 6.5 | 0.00 | May 25, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in Recorp Export WP Page to Static HTML/CSS allows Cross Site Request Forgery. This issue affects Export WP Page to Static HTML/CSS: from n/a through 6.0.0. | ||
| CVE-2026-4527 | Med | 0.42 | 6.5 | 0.00 | May 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a targeted user's namespace via a… | ||
| CVE-2026-5791 | Med | 0.42 | 6.5 | 0.00 | May 7, 2026 | Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | ||
| CVE-2026-41317 | Hig | 0.42 | 7.5 | 0.00 | Apr 24, 2026 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method.… | ||
| CVE-2026-6755 | Med | 0.42 | 6.5 | 0.00 | Apr 21, 2026 | Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150. | ||
| CVE-2026-40458 | — | Med | 0.42 | 6.5 | 0.00 | Apr 17, 2026 | PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token.… | |
| CVE-2026-39641 | Med | 0.42 | 6.5 | 0.00 | Apr 8, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery.This issue affects Blackfyre: from n/a through <= 2.5.4. | ||
| CVE-2026-39633 | Med | 0.42 | 6.5 | 0.00 | Apr 8, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery.This issue affects Grand Car Rental: from n/a through <= 3.6.9. | ||
| CVE-2026-39632 | Med | 0.42 | 6.5 | 0.00 | Apr 8, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Cross Site Request Forgery.This issue affects Grand Blog: from n/a through <= 3.1. | ||
| CVE-2026-34904 | Hig | 0.42 | 7.5 | 0.00 | Apr 7, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery.This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0. | ||
| CVE-2025-36375 | Med | 0.42 | 6.5 | 0.00 | Apr 1, 2026 | IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to… | ||
| CVE-2026-5283 | Med | 0.42 | 6.5 | 0.00 | Apr 1, 2026 | Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | ||
| CVE-2026-31849 | Med | 0.42 | 6.5 | 0.00 | Mar 23, 2026 | Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the… |
- risk 0.42cvss 6.5epss 0.00
Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.42cvss 6.5epss 0.00
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.42cvss 6.5epss 0.00
Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.42cvss 6.5epss 0.00
Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.42cvss 6.5epss 0.00
Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.42cvss 6.5epss 0.00
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. (Chromium security severity: Medium)
- risk 0.42cvss 6.5epss 0.00
e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing…
- risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Recorp Export WP Page to Static HTML/CSS allows Cross Site Request Forgery. This issue affects Export WP Page to Static HTML/CSS: from n/a through 6.0.0.
- risk 0.42cvss 6.5epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a targeted user's namespace via a…
- risk 0.42cvss 6.5epss 0.00
Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
- risk 0.42cvss 7.5epss 0.00
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS).`press.api.account.create_api_secret` is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method.…
- risk 0.42cvss 6.5epss 0.00
Mitigation bypass in the DOM: postMessage component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
- risk 0.42cvss 6.5epss 0.00
PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token.…
- risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre blackfyre allows Cross Site Request Forgery.This issue affects Blackfyre: from n/a through <= 2.5.4.
- risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery.This issue affects Grand Car Rental: from n/a through <= 3.6.9.
- risk 0.42cvss 6.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Cross Site Request Forgery.This issue affects Grand Blog: from n/a through <= 3.1.
- risk 0.42cvss 7.5epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery.This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0.
- risk 0.42cvss 6.5epss 0.00
IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to…
- risk 0.42cvss 6.5epss 0.00
Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
- risk 0.42cvss 6.5epss 0.00
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the…