CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 213 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-1003017 | Med | 0.27 | 5.3 | 0.01 | Feb 6, 2019 | A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's… | ||
| CVE-2019-25313 | Med | 0.26 | 4.0 | 0.00 | Feb 11, 2026 | FlexNet Publisher 11.12.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious HTML form to trick authenticated users into submitting a request that creates a new… | ||
| CVE-2024-43787 | Med | 0.26 | 5.0 | 0.00 | Aug 22, 2024 | Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass… | ||
| CVE-2020-2184 | Med | 0.25 | 4.3 | 0.44 | May 6, 2020 | A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL. | ||
| CVE-2017-8382 | Med | 0.25 | 4.5 | 0.03 | May 16, 2017 | admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts. | ||
| CVE-2026-49043 | Med | 0.24 | 4.7 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions. | ||
| CVE-2025-58272 | Low | 0.24 | 3.7 | 0.00 | Sep 3, 2025 | Cross-site request forgery vulnerability exists in Web Caster V130 versions 1.08 and earlier. If a logged-in user views a malicious page created by an attacker, the settings of the product may be unintentionally changed. | ||
| CVE-2024-31265 | Low | 0.24 | 3.7 | 0.00 | Apr 12, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in SumoMe Sumo.This issue affects Sumo: from n/a through 1.34. | ||
| CVE-2023-43649 | Med | 0.24 | 4.7 | 0.00 | Oct 30, 2023 | baserCMS is a website development framework. Prior to version 4.8.0, there is a cross site request forgery vulnerability in the content preview feature of baserCMS. Version 4.8.0 contains a patch for this issue. | ||
| CVE-2023-2307 | Med | 0.24 | 4.7 | 0.00 | Apr 26, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0. | ||
| CVE-2026-45317 | Med | 0.23 | 4.6 | 0.00 | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a… | ||
| CVE-2026-34382 | Med | 0.23 | 4.6 | 0.00 | Mar 31, 2026 | Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious… | ||
| CVE-2020-37118 | — | Low | 0.23 | 3.5 | 0.00 | Feb 5, 2026 | P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations… | |
| CVE-2021-47722 | Low | 0.23 | 3.5 | 0.00 | Dec 23, 2025 | Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control… | ||
| CVE-2025-67646 | Low | 0.23 | 3.5 | 0.00 | Dec 11, 2025 | TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a… | ||
| CVE-2024-46872 | Med | 0.23 | 4.6 | 0.00 | Oct 29, 2024 | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks | ||
| CVE-2024-47082 | Med | 0.23 | 4.6 | 0.00 | Sep 25, 2024 | Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view… | ||
| CVE-2024-40886 | Med | 0.23 | 4.6 | 0.00 | Aug 22, 2024 | Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system… | ||
| CVE-2024-22438 | Low | 0.23 | 3.5 | 0.00 | Apr 15, 2024 | A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820 Network switches. The vulnerability could be remotely exploited to allow execution of malicious code. | ||
| CVE-2023-41946 | Low | 0.23 | 3.5 | 0.00 | Sep 6, 2023 | A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the… |
- risk 0.27cvss 5.3epss 0.01
A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's…
- risk 0.26cvss 4.0epss 0.00
FlexNet Publisher 11.12.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious HTML form to trick authenticated users into submitting a request that creates a new…
- risk 0.26cvss 5.0epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass…
- risk 0.25cvss 4.3epss 0.44
A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
- risk 0.25cvss 4.5epss 0.03
admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.
- risk 0.24cvss 4.7epss 0.00
Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions.
- risk 0.24cvss 3.7epss 0.00
Cross-site request forgery vulnerability exists in Web Caster V130 versions 1.08 and earlier. If a logged-in user views a malicious page created by an attacker, the settings of the product may be unintentionally changed.
- risk 0.24cvss 3.7epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in SumoMe Sumo.This issue affects Sumo: from n/a through 1.34.
- risk 0.24cvss 4.7epss 0.00
baserCMS is a website development framework. Prior to version 4.8.0, there is a cross site request forgery vulnerability in the content preview feature of baserCMS. Version 4.8.0 contains a patch for this issue.
- risk 0.24cvss 4.7epss 0.00
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
- risk 0.23cvss 4.6epss 0.00
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a…
- risk 0.23cvss 4.6epss 0.00
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious…
- risk 0.23cvss 3.5epss 0.00
P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations…
- risk 0.23cvss 3.5epss 0.00
Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control…
- risk 0.23cvss 3.5epss 0.00
TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a…
- risk 0.23cvss 4.6epss 0.00
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks
- risk 0.23cvss 4.6epss 0.00
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view…
- risk 0.23cvss 4.6epss 0.00
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system…
- risk 0.23cvss 3.5epss 0.00
A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820 Network switches. The vulnerability could be remotely exploited to allow execution of malicious code.
- risk 0.23cvss 3.5epss 0.00
A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the…