Total
8614 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-12189 | 1 Breadbutter | 1 Bread \& Butter | 2026-03-16 | N/A | 4.3 MEDIUM |
| The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-32328 | 2026-03-16 | N/A | 5.4 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony lemmony allows Cross Site Request Forgery.This issue affects Lemmony: from n/a through < 1.7.1. | |||||
| CVE-2016-20028 | 2026-03-16 | N/A | 4.3 MEDIUM | ||
| ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages. | |||||
| CVE-2017-20221 | 2026-03-16 | N/A | 4.3 MEDIUM | ||
| Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains a cross-site request forgery vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting missing request validation. Attackers can craft malicious web pages that perform administrative actions when visited by logged-in users, enabling command execution with router privileges. | |||||
| CVE-2026-32443 | 2026-03-16 | N/A | 6.5 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Josh Kohlbach Product Feed PRO for WooCommerce woo-product-feed-pro allows Cross Site Request Forgery.This issue affects Product Feed PRO for WooCommerce: from n/a through <= 13.5.2. | |||||
| CVE-2026-32420 | 2026-03-16 | N/A | 5.4 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garcia GamiPress gamipress allows Cross Site Request Forgery.This issue affects GamiPress: from n/a through <= 7.6.6. | |||||
| CVE-2026-32456 | 2026-03-16 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor admin-menu-editor allows Cross Site Request Forgery.This issue affects Admin Menu Editor: from n/a through <= 1.14.1. | |||||
| CVE-2026-32330 | 2026-03-16 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Cross Site Request Forgery.This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.37. | |||||
| CVE-2026-32343 | 2026-03-16 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Magazine3 Easy Table of Contents easy-table-of-contents allows Cross Site Request Forgery.This issue affects Easy Table of Contents: from n/a through <= 2.0.80. | |||||
| CVE-2023-36517 | 1 Kevonadonis | 1 Wp Abstracts | 2026-03-13 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Kevon Adonis WP Abstracts plugin <= 2.6.2 versions. | |||||
| CVE-2023-2307 | 1 Qwik | 1 Qwik | 2026-03-13 | N/A | 4.7 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0. | |||||
| CVE-2025-64166 | 1 Mercurius Project | 1 Mercurius | 2026-03-13 | N/A | 5.4 MEDIUM |
| Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0. | |||||
| CVE-2026-28281 | 1 Instantcms | 1 Instantcms | 2026-03-13 | N/A | 7.1 HIGH |
| InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1. | |||||
| CVE-2021-35486 | 1 Nokia | 1 Impact Mobile | 2026-03-13 | N/A | 8.1 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie is validated. | |||||
| CVE-2026-28495 | 1 Getsimple-ce | 1 Getsimple Cms | 2026-03-12 | N/A | 9.6 CRITICAL |
| GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server. | |||||
| CVE-2026-29113 | 1 Craftcms | 1 Craft Cms | 2026-03-12 | N/A | 4.3 MEDIUM |
| Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7. | |||||
| CVE-2025-70031 | 2026-03-11 | N/A | 8.8 HIGH | ||
| An issue pertaining to CWE-352: Cross-Site Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. | |||||
| CVE-2026-2626 | 2026-03-11 | N/A | 8.1 HIGH | ||
| The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection | |||||
| CVE-2026-1508 | 2026-03-11 | N/A | 4.3 MEDIUM | ||
| The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2026-3903 | 2026-03-11 | N/A | 4.3 MEDIUM | ||
| The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers to disconnect the plugin's OAuth/SSO connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||