Total
9090 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28281 | 1 Instantcms | 1 Instantcms | 2026-06-17 | N/A | 7.1 HIGH |
| InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1. | |||||
| CVE-2026-27758 | 1 Sodola-network | 2 Sl902-swtgw124as, Sl902-swtgw124as Firmware | 2026-06-17 | N/A | 4.3 MEDIUM |
| SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a cross-site request forgery vulnerability in its management interface that allows attackers to induce authenticated users into submitting forged requests. Attackers can craft malicious requests that execute unauthorized configuration or administrative actions with the victim's privileges when the authenticated user visits a malicious webpage. | |||||
| CVE-2026-27741 | 1 Bludit | 1 Bludit | 2026-06-17 | N/A | 4.3 MEDIUM |
| Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity. | |||||
| CVE-2026-27632 | 1 Talishar | 1 Talishar | 2026-06-17 | N/A | 2.6 LOW |
| Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. By failing to require unique, unpredictable session tokens, the application allows third-party malicious websites to forge requests on behalf of authenticated users, leading to unauthorized actions within active game sessions. The attacker would need to know both the proper gameName and playerID for the player. The player would also need to be browsing and interact with the infected website while playing a game. The vulnerability is fixed in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48. | |||||
| CVE-2026-27609 | 1 Parseplatform | 1 Parse Dashboard | 2026-06-17 | N/A | 6.5 MEDIUM |
| Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. The fix in version 9.0.0-alpha.8 adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page. As a workaround, remove the `agent` configuration block from your dashboard configuration. Dashboards without an `agent` config are not affected. | |||||
| CVE-2026-27589 | 1 Caddyserver | 1 Caddy | 2026-06-17 | N/A | 6.5 MEDIUM |
| Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue. | |||||
| CVE-2026-27518 | 1 Binardat | 2 10g08-0800gsm, 10g08-0800gsm Firmware | 2026-06-17 | N/A | 4.3 MEDIUM |
| Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior lack CSRF protections for state-changing actions in the administrative interface. An attacker can trick an authenticated administrator into performing unauthorized configuration changes. | |||||
| CVE-2026-27513 | 1 Tenda | 2 F3, F3 Firmware | 2026-06-17 | N/A | 4.3 MEDIUM |
| Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a cross-site request forgery (CSRF) vulnerability in the web-based administrative interface. The interface does not implement anti-CSRF protections, allowing an attacker to induce an authenticated administrator to submit state-changing requests, which can result in unauthorized configuration changes. | |||||
| CVE-2026-27146 | 1 Getsimple-ce | 1 Getsimple Cms | 2026-06-17 | N/A | 4.5 MEDIUM |
| GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file upload request from an authenticated victim’s browser. The request is accepted without requiring a CSRF token or origin validation. This allows an attacker to upload arbitrary files to the application without the victim’s knowledge or consent. In order to exploit this vulnerability, the victim must be authenticated to GetSimple CMS (e.g., admin user), and visit an attacker-controlled webpage. This issue does not have a fix at the time of publication. | |||||
| CVE-2026-27090 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery.This issue affects Kenta Companion: from n/a through <= 1.3.3. | |||||
| CVE-2026-27050 | 2026-06-17 | N/A | 5.4 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in ThimPress RealPress realpress allows Cross Site Request Forgery.This issue affects RealPress: from n/a through <= 1.1.0. | |||||
| CVE-2026-26317 | 1 Openclaw | 1 Openclaw | 2026-06-17 | N/A | 7.1 HIGH |
| OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled. | |||||
| CVE-2026-26075 | 1 Fastgpt | 1 Fastgpt | 2026-06-17 | N/A | 5.4 MEDIUM |
| FastGPT is an AI Agent building platform. Due to the fact that FastGPT's web page acquisition nodes, HTTP nodes, etc. need to initiate data acquisition requests from the server, there are certain security issues. In addition to implementing internal network isolation in the deployment environment, this optimization has added stricter internal network address detection. This vulnerability is fixed in 4.14.7. | |||||
| CVE-2026-25812 | 1 Prasklatechnology | 1 Placipy | 2026-06-17 | N/A | 8.8 HIGH |
| PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism. | |||||
| CVE-2026-25649 | 1 Traccar | 1 Traccar | 2026-06-17 | N/A | 7.3 HIGH |
| Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is not validated against a whitelist, allowing attackers to redirect authorization codes to attacker-controlled URLs, enabling account takeover on any OAuth-integrated application. As of time of publication, it is unclear whether a fix is available. | |||||
| CVE-2026-25422 | 2026-06-17 | N/A | 5.4 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10. | |||||
| CVE-2026-25411 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in themastercut Revision Manager TMC revision-manager-tmc allows Cross Site Request Forgery.This issue affects Revision Manager TMC: from n/a through <= 2.8.22. | |||||
| CVE-2026-25337 | 2026-06-17 | N/A | 5.4 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through <= 1.1.5. | |||||
| CVE-2026-25322 | 2026-06-17 | N/A | 5.4 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in PublishPress PublishPress Revisions revisionary allows Cross Site Request Forgery.This issue affects PublishPress Revisions: from n/a through <= 3.7.22. | |||||
| CVE-2026-25319 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6. | |||||