VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 138 of 286
  • CVE-2020-37144MedFeb 5, 2026
    risk 0.34cvss 5.3epss 0.00

    Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative…

  • CVE-2020-37091MedFeb 3, 2026
    risk 0.34cvss 5.3epss 0.00

    Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload…

  • CVE-2020-37046MedJan 30, 2026
    risk 0.34cvss 5.3epss 0.00

    Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new…

  • CVE-2020-37026MedJan 30, 2026
    risk 0.34cvss 5.3epss 0.00

    Sickbeard alpha contains a cross-site request forgery vulnerability that allows attackers to disable authentication by submitting crafted configuration parameters. Attackers can trick users into submitting a malicious form that clears web username and password, effectively…

  • CVE-2025-15550MedJan 29, 2026
    risk 0.34cvss 5.3epss 0.00

    birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating…

  • CVE-2021-47820MedJan 16, 2026
    risk 0.34cvss 5.3epss 0.00

    Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the…

  • CVE-2021-47800MedJan 16, 2026
    risk 0.34cvss 5.3epss 0.00

    b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a…

  • CVE-2019-25259MedJan 8, 2026
    risk 0.34cvss 5.3epss 0.00

    Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting…

  • CVE-2019-25250MedDec 24, 2025
    risk 0.34cvss 5.3epss 0.00

    Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by…

  • CVE-2019-25247MedDec 24, 2025
    risk 0.34cvss 5.3epss 0.00

    Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a…

  • CVE-2019-25234MedDec 24, 2025
    risk 0.34cvss 5.3epss 0.00

    SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or…

  • CVE-2019-25233MedDec 24, 2025
    risk 0.34cvss 5.3epss 0.00

    AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts…

  • CVE-2018-25152MedDec 24, 2025
    risk 0.34cvss 5.3epss 0.00

    Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the…

  • CVE-2018-25150MedDec 24, 2025
    risk 0.34cvss 5.3epss 0.00

    Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a superuser account by tricking a…

  • CVE-2018-25127MedDec 24, 2025
    risk 0.34cvss 5.3epss 0.00

    SOCA Access Control System 180612 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that submit forged requests to create admin accounts by…

  • CVE-2025-12535MedNov 19, 2025
    risk 0.34cvss 5.3epss 0.00

    The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_ajax_nopriv_rest-nonce'…

  • CVE-2025-57931MedOct 29, 2025
    risk 0.34cvss 5.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 5.5.4.

  • CVE-2025-56009MedOct 23, 2025
    risk 0.34cvss 5.3epss 0.00

    Cross site request forgery (CSRF) vulnerability in KeeneticOS before 4.3 at "/rci" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page with exploit.

  • CVE-2025-9892MedOct 3, 2025
    risk 0.34cvss 5.3epss 0.00

    The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to…

  • CVE-2025-9617MedSep 11, 2025
    risk 0.34cvss 5.3epss 0.00

    The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish_save_option function. This makes it possible for unauthenticated attackers to…