Total
8685 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-65107 | 1 Langfuse | 1 Langfuse | 2025-12-03 | N/A | 6.5 MEDIUM |
| Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK. | |||||
| CVE-2025-51733 | 1 Hcltech | 1 Unica | 2025-12-02 | N/A | 5.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in HCL Technologies Ltd. Unica 12.0.0. | |||||
| CVE-2025-62687 | 3 Linux, Microsoft, Secuavail | 3 Linux Kernel, Windows, Logstare Collector | 2025-12-02 | N/A | 6.5 MEDIUM |
| Cross-site request forgery vulnerability exists in LogStare Collector. If a user views a crafted page while logged, unintended operations may be performed. | |||||
| CVE-2025-13606 | 2025-12-02 | N/A | 6.5 MEDIUM | ||
| The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13140 | 2025-12-02 | N/A | 4.3 MEDIUM | ||
| The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This makes it possible for unauthenticated attackers to delete surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13685 | 2025-12-02 | N/A | 4.3 MEDIUM | ||
| The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13737 | 2025-12-01 | N/A | 4.3 MEDIUM | ||
| The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible for unauthenticated attackers to unlink the user's social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-13143 | 2025-12-01 | N/A | 4.3 MEDIUM | ||
| The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-62593 | 2025-12-01 | N/A | N/A | ||
| Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the User-Agent header starting with the string "Mozilla" as a defense mechanism. This defense is insufficient as the fetch specification allows the User-Agent header to be modified. Combined with a DNS rebinding attack against the browser, and this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement (malvertising). This issue has been patched in version 2.52.0. | |||||
| CVE-2025-13296 | 2025-12-01 | N/A | 5.4 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery.This issue affects T-Soft E-Commerce: through 28112025. | |||||
| CVE-2025-12578 | 2025-12-01 | N/A | 4.3 MEDIUM | ||
| The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-62497 | 1 Sony | 2 Snc-cx600w, Snc-cx600w Firmware | 2025-12-01 | N/A | 6.5 MEDIUM |
| Cross-site request forgery vulnerability exists in SNC-CX600W versions prior to Ver.2.8.0. If a user accesses a specially crafted webpage while logged in, unintended operations may be performed. | |||||
| CVE-2025-24897 | 1 Misskey | 1 Misskey | 2025-11-26 | N/A | 8.2 HIGH |
| Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, due to a lack of CSRF protection and the lack of proper security attributes in the authentication cookies of Bull's dashboard, some of the APIs of bull-board may be subject to CSRF attacks. There is a risk of this vulnerability being used for attacks with relatively large impact on availability and integrity, such as the ability to add arbitrary jobs. This vulnerability was fixed in 2025.2.0-alpha.0. As a workaround, block all access to the `/queue` directory with a web application firewall (WAF). | |||||
| CVE-2025-8119 | 1 Widzialni | 1 Pad Cms | 2025-11-26 | N/A | 4.3 MEDIUM |
| PAD CMS is vulnerable to Cross-Site Request Forgery in reset password's functionality. Malicious attacker can craft special website, which when visited by the victim, will automatically send a POST request changing currently logged user's password to defined by the attacker value. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability. | |||||
| CVE-2025-11087 | 2025-11-25 | N/A | 8.8 HIGH | ||
| The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-12587 | 2025-11-25 | N/A | 4.3 MEDIUM | ||
| The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-12586 | 2025-11-25 | N/A | 4.3 MEDIUM | ||
| The Conditional Maintenance Mode for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation when toggling the maintenance mode status. This makes it possible for unauthenticated attackers to enable or disable the site's maintenance mode via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | |||||
| CVE-2019-11712 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-25 | 6.8 MEDIUM | 8.8 HIGH |
| POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. | |||||
| CVE-2025-6105 | 1 Jflyfox | 1 Jfinal Cms | 2025-11-25 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in jflyfox jfinal_cms 5.0.1 and classified as problematic. This vulnerability affects unknown code of the file HOME.java. The manipulation of the argument Logout leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-5410 | 1 Mist | 1 Mist | 2025-11-25 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in Mist Community Edition up to 4.7.1. It has been declared as problematic. This vulnerability affects the function session_start_response of the file src/mist/api/auth/middleware.py. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The patch is identified as db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component. | |||||