CWE-352
Cross-Site Request Forgery (CSRF)
Description
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-462 · CAPEC-467 · CAPEC-62
CVEs mapped to this weakness (5,713)
page 8 of 286| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-30807 | Hig | 0.57 | 8.8 | 0.00 | May 12, 2026 | Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800 | ||
| CVE-2026-36960 | Hig | 0.57 | 8.8 | 0.00 | Apr 30, 2026 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An… | ||
| CVE-2026-36956 | Hig | 0.57 | 8.8 | 0.00 | Apr 30, 2026 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for… | ||
| CVE-2026-38934 | Hig | 0.57 | 8.8 | 0.00 | Apr 27, 2026 | Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php | ||
| CVE-2025-70810 | Hig | 0.57 | 8.8 | 0.00 | Apr 9, 2026 | Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism | ||
| CVE-2026-39621 | Hig | 0.57 | 8.8 | 0.00 | Apr 8, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server.This issue affects SpicePress: from n/a through <= 2.3.2.5. | ||
| CVE-2026-33373 | Hig | 0.57 | 8.8 | 0.00 | Mar 30, 2026 | An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens… | ||
| CVE-2026-32989 | Hig | 0.57 | 8.8 | 0.00 | Mar 20, 2026 | Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to… | ||
| CVE-2025-70031 | Hig | 0.57 | 8.8 | 0.00 | Mar 9, 2026 | An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. | ||
| CVE-2025-12821 | Hig | 0.57 | 8.8 | 0.00 | Feb 19, 2026 | The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers… | ||
| CVE-2026-23622 | Hig | 0.57 | 8.8 | 0.00 | Jan 15, 2026 | Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while… | ||
| CVE-2025-12879 | Hig | 0.57 | 8.8 | 0.00 | Dec 5, 2025 | The User Generator and Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce validation in the "Import Using CSV File" function. This makes it possible for unauthenticated attackers to… | ||
| CVE-2025-11087 | Hig | 0.57 | 8.8 | 0.00 | Nov 21, 2025 | The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file.… | ||
| CVE-2025-12095 | — | Hig | 0.57 | 8.8 | 0.00 | Oct 25, 2025 | The Simple Registration for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.8. This is due to missing nonce validation on the role requests admin page handler in the includes/display-role-admin.php file. This… | |
| CVE-2025-60208 | Hig | 0.57 | 8.8 | 0.00 | Oct 22, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages acf-cpt-options-pages allows Object Injection.This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9. | ||
| CVE-2025-9890 | Hig | 0.57 | 8.8 | 0.00 | Oct 18, 2025 | The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve… | ||
| CVE-2025-60111 | Hig | 0.57 | 8.8 | 0.00 | Sep 26, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core javo-core allows Authentication Bypass.This issue affects Javo Core: from n/a through <= 3.0.0.266. | ||
| CVE-2025-59572 | Hig | 0.57 | 8.8 | 0.00 | Sep 22, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in purethemes WorkScout-Core workscout-core allows Cross Site Request Forgery.This issue affects WorkScout-Core: from n/a through < 1.7.06. | ||
| CVE-2025-58250 | Hig | 0.57 | 8.8 | 0.00 | Sep 22, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in ApusTheme Findgo fingo allows Authentication Bypass.This issue affects Findgo: from n/a through <= 1.3.55. | ||
| CVE-2025-58244 | Hig | 0.57 | 8.8 | 0.00 | Sep 22, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo constructo allows Object Injection.This issue affects Constructo: from n/a through <= 4.3.9. |
- risk 0.57cvss 8.8epss 0.00
Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800
- risk 0.57cvss 8.8epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An…
- risk 0.57cvss 8.8epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for…
- risk 0.57cvss 8.8epss 0.00
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php
- risk 0.57cvss 8.8epss 0.00
Cross Site Request Forgery vulnerability in Phpbb phbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism
- risk 0.57cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server.This issue affects SpicePress: from n/a through <= 2.3.2.5.
- risk 0.57cvss 8.8epss 0.00
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens…
- risk 0.57cvss 8.8epss 0.00
Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to…
- risk 0.57cvss 8.8epss 0.00
An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
- risk 0.57cvss 8.8epss 0.00
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers…
- risk 0.57cvss 8.8epss 0.00
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while…
- risk 0.57cvss 8.8epss 0.00
The User Generator and Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce validation in the "Import Using CSV File" function. This makes it possible for unauthenticated attackers to…
- risk 0.57cvss 8.8epss 0.00
The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file.…
- risk 0.57cvss 8.8epss 0.00
The Simple Registration for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.8. This is due to missing nonce validation on the role requests admin page handler in the includes/display-role-admin.php file. This…
- risk 0.57cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages acf-cpt-options-pages allows Object Injection.This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9.
- risk 0.57cvss 8.8epss 0.00
The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve…
- risk 0.57cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core javo-core allows Authentication Bypass.This issue affects Javo Core: from n/a through <= 3.0.0.266.
- risk 0.57cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in purethemes WorkScout-Core workscout-core allows Cross Site Request Forgery.This issue affects WorkScout-Core: from n/a through < 1.7.06.
- risk 0.57cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in ApusTheme Findgo fingo allows Authentication Bypass.This issue affects Findgo: from n/a through <= 1.3.55.
- risk 0.57cvss 8.8epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Anps Constructo constructo allows Object Injection.This issue affects Constructo: from n/a through <= 4.3.9.