VYPR

CWE-352

Cross-Site Request Forgery (CSRF)

CompoundStableLikelihood: Medium

Description

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62

CVEs mapped to this weakness (5,713)

page 45 of 286
  • CVE-2018-15612HigSep 21, 2018
    risk 0.54cvss 8.3epss 0.00

    A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.

  • CVE-2018-10895CriJul 12, 2018
    risk 0.54cvss 9.3epss 0.01

    qutebrowser before version 1.4.1 is vulnerable to a cross-site request forgery flaw that allows websites to access 'qute://*' URLs. A malicious website could exploit this to load a 'qute://settings/set' URL, which then sets 'editor.command' to a bash script, resulting in…

  • CVE-2018-10188HigApr 19, 2018
    risk 0.54cvss 8.8epss 0.04

    phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php.

  • CVE-2016-2539HigFeb 7, 2017
    risk 0.54cvss 8.8epss 0.04

    Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file.

  • CVE-2026-6455HigMay 28, 2026
    risk 0.53cvss 8.1epss 0.00

    The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the…

  • CVE-2026-28761HigMay 15, 2026
    risk 0.53cvss 8.1epss 0.00

    Cross-site request forgery vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier. If a user views a malicious page while logged-in to the affected product, unexpected operations may be done.

  • CVE-2026-44364CriMay 13, 2026
    risk 0.53cvss epss 0.00

    MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home…

  • CVE-2026-44548HigMay 12, 2026
    risk 0.53cvss 8.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently…

  • CVE-2026-38566HigMay 11, 2026
    risk 0.53cvss 8.1epss 0.00

    HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add) are vulnerable…

  • CVE-2026-27841HigApr 24, 2026
    risk 0.53cvss 8.1epss 0.00

    A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of request origin or implement CSRF…

  • CVE-2026-4922HigApr 22, 2026
    risk 0.53cvss 8.1epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF…

  • CVE-2026-40883HigApr 21, 2026
    risk 0.53cvss 8.1epss 0.00

    goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete…

  • CVE-2026-40764HigApr 15, 2026
    risk 0.53cvss 8.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery.This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2.

  • CVE-2026-34394HigMar 31, 2026
    risk 0.53cvss 8.1epss 0.00

    WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with…

  • CVE-2026-4984HigMar 27, 2026
    risk 0.53cvss 8.2epss 0.00

    The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in…

  • CVE-2025-14037HigMar 21, 2026
    risk 0.53cvss 8.1epss 0.00

    The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for…

  • CVE-2026-2626HigMar 11, 2026
    risk 0.53cvss 8.1epss 0.00

    The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data,…

  • CVE-2018-25176HigMar 6, 2026
    risk 0.53cvss 8.2epss 0.00

    Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload…

  • CVE-2018-25170HigMar 6, 2026
    risk 0.53cvss 8.2epss 0.00

    DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id, idC, and idU parameters. Attackers can send GET requests to the lesson.php endpoint with malicious SQL payloads to…

  • CVE-2019-25359HigFeb 18, 2026
    risk 0.53cvss 8.2epss 0.00

    SD.NET RIM versions before 4.7.3c contain a SQL injection vulnerability that allows attackers to inject malicious SQL statements through POST parameters 'idtyp' and 'idgremium'. Attackers can exploit this vulnerability by crafting specially formed POST requests to the /vorlagen/…