Total
8480 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-30855 | 1 Dedecms | 1 Dedecms | 2026-01-02 | N/A | 8.8 HIGH |
| DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php. | |||||
| CVE-2021-40965 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 9.3 HIGH | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker. | |||||
| CVE-2022-23044 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | N/A | 8.8 HIGH |
| Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. | |||||
| CVE-2025-57310 | 1 Salmen | 1 Simple Faucet Script | 2025-12-31 | N/A | 8.8 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in Salmen2/Simple-Faucet-Script v1.07 via crafted POST request to admin.php?p=ads&c=1 allowing attackers to execute arbitrary code. | |||||
| CVE-2020-36901 | 1 Medivision | 2 Medivision Digital Signage, Medivision Digital Signage Firmware | 2025-12-30 | N/A | 8.8 HIGH |
| UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that submits a form to the /query/user/itSet endpoint to add a new admin user with elevated privileges. | |||||
| CVE-2019-25242 | 1 Iwt | 2 Facesentry Access Control System, Facesentry Access Control System Firmware | 2025-12-30 | N/A | 4.3 MEDIUM |
| FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage. | |||||
| CVE-2025-59949 | 1 Freshrss | 1 Freshrss | 2025-12-30 | N/A | 5.3 MEDIUM |
| FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue. | |||||
| CVE-2023-44475 | 1 Add Shortcodes Actions And Filters Project | 1 Add Shortcodes Actions And Filters | 2025-12-30 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Michael Simpson Add Shortcodes Actions And Filters plugin <= 2.0.9 versions. | |||||
| CVE-2025-63952 | 1 Magewell | 26 Pro Convert 12g Sdi 4k Plus, Pro Convert 12g Sdi 4k Plus Firmware, Pro Convert Aes67 and 23 more | 2025-12-30 | N/A | 5.7 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | |||||
| CVE-2025-63953 | 1 Magewell | 10 Ultra Encode Aio, Ultra Encode Aio Firmware, Ultra Encode Hdmi and 7 more | 2025-12-30 | N/A | 6.5 MEDIUM |
| A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | |||||
| CVE-2025-56400 | 1 Tuya | 3 Smartlife, Tuya, Tuya Smart | 2025-12-30 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. | |||||
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | N/A | 9.6 CRITICAL |
| Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component | |||||
| CVE-2025-62190 | 1 Mattermost | 1 Mattermost Server | 2025-12-29 | N/A | 4.3 MEDIUM |
| Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link | |||||
| CVE-2021-47722 | 2025-12-29 | N/A | 3.5 LOW | ||
| Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page. | |||||
| CVE-2018-25133 | 2025-12-29 | N/A | 4.3 MEDIUM | ||
| Synaccess netBooter NP-0801DU 7.4 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages with hidden form submissions to add admin users by tricking authenticated administrators into loading a malicious page. | |||||
| CVE-2018-25151 | 2025-12-29 | N/A | 4.3 MEDIUM | ||
| Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form to create a new superuser account by tricking an authenticated administrator into loading the page. | |||||
| CVE-2018-25150 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
| Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a superuser account by tricking a logged-in administrator into loading the page. | |||||
| CVE-2019-25250 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
| Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site. | |||||
| CVE-2019-25247 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
| Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a logged-in user into submitting the form. | |||||
| CVE-2019-25234 | 2025-12-29 | N/A | 5.3 MEDIUM | ||
| SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or injecting malicious scripts into various application parameters. | |||||