VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 117 of 286
  • CVE-2026-8174MedMay 26, 2026
    risk 0.37cvss 5.7epss 0.00

    Zohocorp Zoho Mail wordpress plugin is vulnerable to Cross-Site request forgery (CSRF). This issue affects Zoho Mail wordpress plugin versions before 1.6.2.

  • CVE-2026-28741MedApr 15, 2026
    risk 0.37cvss 6.8epss 0.00

    Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a…

  • CVE-2023-47870MedNov 30, 2023
    risk 0.37cvss 5.7epss 0.00

    Cross-Site Request Forgery (CSRF), Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out.This issue affects wpForo Forum: from n/a…

  • CVE-2023-2228MedApr 21, 2023
    risk 0.37cvss 6.8epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.1.0.

  • CVE-2021-3944MedDec 2, 2021
    risk 0.37cvss 6.8epss 0.01

    bookstack is vulnerable to Cross-Site Request Forgery (CSRF)

  • CVE-2020-15156MedAug 26, 2020
    risk 0.37cvss 6.8epss 0.01

    In nodebb-plugin-blog-comments before version 0.7.0, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.

  • CVE-2026-42073MedJun 2, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a…

  • CVE-2026-34460MedJun 2, 2026
    risk 0.35cvss 5.4epss 0.00

    NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own…

  • CVE-2026-48147MedMay 27, 2026
    risk 0.35cvss 6.5epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the…

  • CVE-2026-8435MedMay 21, 2026
    risk 0.35cvss 6.5epss 0.00

    Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC…

  • CVE-2026-8140MedMay 21, 2026
    risk 0.35cvss 6.5epss 0.00

    Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before…

  • CVE-2018-25334MedMay 17, 2026
    risk 0.35cvss 5.4epss 0.00

    Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but an attacker can use the hashtag parameter to inject an encoded payload and…

  • CVE-2026-45773MedMay 15, 2026
    risk 0.35cvss 6.5epss 0.00

    Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web…

  • CVE-2026-40703MedMay 13, 2026
    risk 0.35cvss 5.4epss 0.00

    A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-0502MedMay 12, 2026
    risk 0.35cvss 5.4epss 0.00

    Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform ,an authenticated user could be tricked by an attacker to send unintended requests to the web server. This has low impact on integrity and availability of the application. There is no…

  • CVE-2026-42091MedMay 4, 2026
    risk 0.35cvss 6.5epss 0.00

    goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin:…

  • CVE-2026-34721MedApr 8, 2026
    risk 0.35cvss 6.5epss 0.00

    Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.

  • CVE-2026-1672MedApr 8, 2026
    risk 0.35cvss 6.5epss 0.00

    The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row()…

  • CVE-2026-39710MedApr 8, 2026
    risk 0.35cvss 5.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Cross Site Request Forgery.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.

  • CVE-2026-39635MedApr 8, 2026
    risk 0.35cvss 5.4epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through <= 3.5.5.