VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 213 of 286
  • CVE-2019-1003017MedFeb 6, 2019
    risk 0.27cvss 5.3epss 0.01

    A data modification vulnerability exists in Jenkins Job Import Plugin 3.0 and earlier in JobImportAction.java that allows attackers to copy jobs from a preconfigured other Jenkins instance, potentially installing additional plugins necessary to load the imported job's…

  • CVE-2019-25313MedFeb 11, 2026
    risk 0.26cvss 4.0epss 0.00

    FlexNet Publisher 11.12.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious HTML form to trick authenticated users into submitting a request that creates a new…

  • CVE-2024-43787MedAug 22, 2024
    risk 0.26cvss 5.0epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass…

  • CVE-2020-2184MedMay 6, 2020
    risk 0.25cvss 4.3epss 0.44

    A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.

  • CVE-2017-8382MedMay 16, 2017
    risk 0.25cvss 4.5epss 0.03

    admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.

  • CVE-2026-49043MedJun 15, 2026
    risk 0.24cvss 4.7epss 0.00

    Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions.

  • CVE-2025-58272LowSep 3, 2025
    risk 0.24cvss 3.7epss 0.00

    Cross-site request forgery vulnerability exists in Web Caster V130 versions 1.08 and earlier. If a logged-in user views a malicious page created by an attacker, the settings of the product may be unintentionally changed.

  • CVE-2024-31265LowApr 12, 2024
    risk 0.24cvss 3.7epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in SumoMe Sumo.This issue affects Sumo: from n/a through 1.34.

  • CVE-2023-43649MedOct 30, 2023
    risk 0.24cvss 4.7epss 0.00

    baserCMS is a website development framework. Prior to version 4.8.0, there is a cross site request forgery vulnerability in the content preview feature of baserCMS. Version 4.8.0 contains a patch for this issue.

  • CVE-2023-2307MedApr 26, 2023
    risk 0.24cvss 4.7epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.

  • CVE-2026-45317MedMay 15, 2026
    risk 0.23cvss 4.6epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, an application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a…

  • CVE-2026-34382MedMar 31, 2026
    risk 0.23cvss 4.6epss 0.00

    Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylist_function.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious…

  • CVE-2020-37118LowFeb 5, 2026
    risk 0.23cvss 3.5epss 0.00

    P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations…

  • CVE-2021-47722LowDec 23, 2025
    risk 0.23cvss 3.5epss 0.00

    Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control…

  • CVE-2025-67646LowDec 11, 2025
    risk 0.23cvss 3.5epss 0.00

    TableProgressTracking is a MediaWiki extension to track progress against specific criterion. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a…

  • CVE-2024-46872MedOct 29, 2024
    risk 0.23cvss 4.6epss 0.00

    Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in Playbooks

  • CVE-2024-47082MedSep 25, 2024
    risk 0.23cvss 4.6epss 0.00

    Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view…

  • CVE-2024-40886MedAug 22, 2024
    risk 0.23cvss 4.6epss 0.00

    Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for a one-click client-side path traversal that is leading to CSRF in User Management page of the system…

  • CVE-2024-22438LowApr 15, 2024
    risk 0.23cvss 3.5epss 0.00

    A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820 Network switches. The vulnerability could be remotely exploited to allow execution of malicious code.

  • CVE-2023-41946LowSep 6, 2023
    risk 0.23cvss 3.5epss 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the…