Vulnerabilities (CVE)

Filtered by CWE-352 (Cross-Site Request Forgery)
Total: 8685 CVEs
Columns: CVE, vendor count and name(s), product count and name(s), last updated, CVSS v2 score, CVSS v3 score and severity. Each entry is followed by its description.
CVE-2025-14163 1 Leap13 1 Premium Addons For Elementor 2026-01-05 N/A 4.3 MEDIUM
The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request, provided they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.
CVE-2024-6719 1 Webgarh 1 Offload Videos 2026-01-05 N/A 8.1 HIGH
The Offload Videos WordPress plugin before 1.0.1 does not have a CSRF check in place when updating its settings, which could allow low-privilege users to update them via a CSRF attack.
CVE-2025-65203 1 Keepassxc 1 Keepassxc-browser 2026-01-05 N/A 7.1 HIGH
KeePassXC-Browser through 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered in a sandbox enforced by the browser (the CSP sandbox directive or the iframe sandbox attribute), allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials.
CVE-2025-35030 1 Mieweb 1 Enterprise Health 2026-01-02 N/A 8.1 HIGH
Medical Informatics Engineering Enterprise Health has a cross-site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and thereby perform actions on behalf of that administrative user. This issue is fixed as of 2025-04-08.
CVE-2024-6230 1 Wp-master 1 Pardakht-delkhah 2026-01-02 N/A 6.5 MEDIUM
The پلاگین پرداخت دلخواه (Pardakht Delkhah, "custom payment") WordPress plugin through 2.9.8 does not have a CSRF check in place when resetting its form fields, which could allow attackers to make a logged-in admin perform that action via a CSRF attack.
CVE-2024-2232 1 2code 1 Himer 2026-01-02 N/A 8.1 HIGH
Himer lacks CSRF checks, allowing a user to invite any user to any group (including private groups).
CVE-2025-66906 1 Turms-im 1 Turms 2026-01-02 N/A 6.1 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in the Turms Admin API through v0.10.0-SNAPSHOT allows attackers to gain escalated privileges.
CVE-2025-66953 1 Nardamiteq 2 Upc2, Upc2 Firmware 2026-01-02 N/A 8.8 HIGH
CSRF vulnerability in the Narda-MITEQ Uplink Power Control Unit UPC2 v1.17 allows a remote attacker to execute arbitrary code via the web-based management interface, specifically the /system_setup.htm, /set_clock.htm, /receiver_setup.htm, /cal.htm?..., and /channel_setup.htm endpoints.
CVE-2025-67013 1 Etlsystems 54 C0401d1uia-22476, C0401d1uia-22476 Firmware, C0401d1ula-22419 and 51 more 2026-01-02 N/A 6.5 MEDIUM
The web management interface in the ETL Systems Ltd DEXTRA Series Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints.
CVE-2024-30855 1 Dedecms 1 Dedecms 2026-01-02 N/A 8.8 HIGH
DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php.
CVE-2021-40965 1 Prasathmani 1 Tiny File Manager 2025-12-31 9.3 HIGH 8.8 HIGH
A Cross-Site Request Forgery (CSRF) vulnerability exists in Tiny File Manager, all versions up to and including 2.4.6, that allows attackers to upload files and run OS commands by inducing the Administrator user to browse to a URL controlled by an attacker.
CVE-2022-23044 1 Prasathmani 1 Tiny File Manager 2025-12-31 N/A 8.8 HIGH
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF.
CVE-2025-57310 1 Salmen 1 Simple Faucet Script 2025-12-31 N/A 8.8 HIGH
A Cross-Site Request Forgery (CSRF) vulnerability in Salmen2/Simple-Faucet-Script v1.07, reachable via a crafted POST request to admin.php?p=ads&c=1, allows attackers to execute arbitrary code.
CVE-2020-36901 1 Medivision 2 Medivision Digital Signage, Medivision Digital Signage Firmware 2025-12-30 N/A 8.8 HIGH
UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that submits a form to the /query/user/itSet endpoint to add a new admin user with elevated privileges.
CVE-2019-25242 1 Iwt 2 Facesentry Access Control System, Facesentry Access Control System Firmware 2025-12-30 N/A 4.3 MEDIUM
FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage.
CVE-2025-59949 1 Freshrss 1 Freshrss 2025-12-30 N/A 5.3 MEDIUM
FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue.
CVE-2023-44475 1 Add Shortcodes Actions And Filters Project 1 Add Shortcodes Actions And Filters 2025-12-30 N/A 5.4 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in the Michael Simpson Add Shortcodes Actions And Filters plugin, versions <= 2.0.9.
CVE-2025-63952 1 Magewell 26 Pro Convert 12g Sdi 4k Plus, Pro Convert 12g Sdi 4k Plus Firmware, Pro Convert Aes67 and 23 more 2025-12-30 N/A 5.7 MEDIUM
A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.
CVE-2025-63953 1 Magewell 10 Ultra Encode Aio, Ultra Encode Aio Firmware, Ultra Encode Hdmi and 7 more 2025-12-30 N/A 6.5 MEDIUM
A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request.
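The ETL Systems, FreshRSS and Magewell entries above between them name the three gaps that make these management requests forgeable: no anti-CSRF token, no Origin/Referer validation, and state changes reachable by a plain GET that an img or track element on an attacker's page can trigger with the victim's cookie attached. The following is an added example of the corresponding server-side checks, written for this page; it is not code from any vendor listed here, and the UI origin, session id, endpoint names and form fields are assumptions.

```python
"""Server-side CSRF checks for a web management interface: a per-session
synchronizer token, Origin/Referer validation, and refusal of state changes
over GET. Added example for this page; not code from any vendor listed here."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the management UI; the devices listed above use their own addresses.
UI_ORIGIN = "https://mgmt.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class TokenStore:
    """Maps a session id (selected by the browser's cookie) to its CSRF token."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def expected(self, session_id):
        return self._tokens.get(session_id)


def origin_matches(headers):
    """Compare Origin (or the Referer's origin) with UI_ORIGIN.

    Browsers attach Origin to cross-site POSTs, so a state change arriving with
    neither header is refused rather than waved through."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == UI_ORIGIN


def check_state_change(store, session_id, method, headers, form):
    """Return (accepted, reason) for a request to a configuration endpoint.

    An attacker's page can make the victim's browser send the session cookie,
    so session_id alone proves nothing; the token in the body is what the
    cross-site page cannot read, and Origin is what it cannot spoof."""
    if method in SAFE_METHODS:
        return False, "state change over safe method refused"
    if not origin_matches(headers):
        return False, "origin/referer mismatch"
    expected = store.expected(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


def demo():
    """Constructed requests: one from the real UI and three forged variants."""
    store = TokenStore()
    sid = "sess-42"            # constructed: the session the victim's cookie selects
    token = store.issue(sid)   # embedded in the UI's own form, unreadable cross-site
    return {
        "legit_post": check_state_change(
            store, sid, "POST", {"Origin": UI_ORIGIN},
            {"csrf_token": token, "ntp_server": "10.0.0.5"}),
        # Form auto-submitted from an attacker page: cookie rides along, token does not.
        "forged_post": check_state_change(
            store, sid, "POST", {"Origin": "https://attacker.example"},
            {"ntp_server": "10.0.0.99"}),
        # Attacker guesses a token; the Referer still gives the page away.
        "forged_post_guessed_token": check_state_change(
            store, sid, "POST", {"Referer": "https://attacker.example/lure.html"},
            {"csrf_token": "A" * 43, "ntp_server": "10.0.0.99"}),
        # img/track element pointing at an add-user or logout URL: no headers, GET only.
        "forged_get": check_state_change(
            store, sid, "GET", {}, {"user": "evil", "role": "admin"}),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:26s} accepted={accepted} ({reason})")
```

The order of the checks matters in practice: the method and Origin tests cost nothing and reject the bulk of forged traffic before the token lookup, and the token comparison uses a constant-time compare so a missing or wrong token does not leak timing information about the stored value.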
CVE-2025-56400 1 Tuya 3 Smartlife, Tuya, Tuya Smart 2025-12-30 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, which affects the Tuya Smart and Smartlife mobile applications as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.
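The Tuya entry describes the classic OAuth login/linking CSRF: the attacker authorizes their own provider account, stops at the redirect, and hands that callback URL to the victim, whose app then binds the attacker's account to the victim's session because nothing ties the callback to a flow the victim started. The following is an added example of the relying-party side with and without the state check; it is not Tuya's or Amazon's code, and the provider URL, redirect URI, client id, session ids and authorization codes are assumptions.

```python
"""OAuth account-linking client with the state check the entry above reports
missing. Added example; not Tuya's or Amazon's code. URLs, client id, session
ids and codes are assumptions for illustration."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://provider.example/oauth2/authorize"   # assumed
REDIRECT_URI = "https://app.example/link/callback"            # assumed
CLIENT_ID = "demo-client"                                      # assumed


class LinkingClient:
    """Relying-party side of the linking flow, keyed by the app user's session."""

    def __init__(self):
        self._pending = {}   # session_id -> state issued for that session

    def begin(self, session_id):
        """Build the authorization URL with a fresh state bound to this session."""
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = state
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": "profile", "state": state})

    def complete(self, session_id, callback_url):
        """Return the code to exchange, or None when the state was not issued
        for this session. The state is popped, so a replayed callback also fails."""
        query = parse_qs(urlsplit(callback_url).query)
        expected = self._pending.pop(session_id, None)
        supplied = query.get("state", [""])[0]
        if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return None
        return query.get("code", [None])[0]

    def complete_unchecked(self, session_id, callback_url):
        """Vulnerable variant: links whatever code the callback carries."""
        query = parse_qs(urlsplit(callback_url).query)
        return query.get("code", [None])[0]


def state_of(url):
    """Extract the state parameter from an authorization or callback URL."""
    return parse_qs(urlsplit(url).query)["state"][0]


def demo():
    """Attacker starts their own flow, captures the callback and lures the
    victim into loading it; the victim's session then receives the attacker's code."""
    client = LinkingClient()
    victim, attacker = "victim-session", "attacker-session"   # constructed ids

    # Attacker authorizes with the provider and captures the redirect instead of following it.
    attacker_url = client.begin(attacker)
    lure = REDIRECT_URI + "?" + urlencode(
        {"code": "code-for-attackers-account", "state": state_of(attacker_url)})

    # Victim's browser loads the lure. No state was ever issued for the victim's session.
    linked_vulnerable = client.complete_unchecked(victim, lure)
    linked_fixed = client.complete(victim, lure)

    # The victim's own flow still works, and its callback is single-use.
    victim_url = client.begin(victim)
    victim_callback = REDIRECT_URI + "?" + urlencode(
        {"code": "code-for-victims-account", "state": state_of(victim_url)})
    first = client.complete(victim, victim_callback)
    replay = client.complete(victim, victim_callback)
    return {"vulnerable": linked_vulnerable, "fixed": linked_fixed,
            "legit": first, "replay": replay}


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name:11s} linked code = {code}")
```

The state must be generated per flow, stored against the session that started it, and consumed once; a state that is merely present, or one that is the same constant for every user, gives no protection because the attacker's lure carries a perfectly valid-looking value.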