Total
8502 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11051 | 2 Mayurik, Sourcecodester | 2 Pet Grooming Management Software, Pet Grooming Management Software | 2025-10-03 | 4.3 Medium |
| A vulnerability has been found in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. | ||||
| CVE-2025-1745 | 1 Pb-cms Project | 1 Pb-cms | 2025-10-03 | 4.3 Medium |
| A vulnerability has been found in LinZhaoguan pb-cms 2.0 and classified as problematic. This vulnerability affects unknown code of the component Logout. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-24402 | 1 Jenkins | 1 Azure Service Fabric | 2025-10-03 | 4.3 Medium |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method. | ||||
| CVE-2025-9948 | 1 Wordpress | 1 Wordpress | 2025-10-02 | 4.3 Medium |
| The Chat by Chatwee plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on the admin settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-35030 | 1 Medical Informatics Engineering | 1 Enterprise Health | 2025-10-02 | 8.1 High |
| Medical Informatics Engineering Enterprise Health has a cross site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and perform actions on behalf of that administrative user. This issue is fixed as of 2025-04-08. | ||||
| CVE-2025-9946 | 2 Lockerpress, Wordpress | 2 Wordpress Security Plugin, Wordpress | 2025-10-02 | 6.1 Medium |
| The LockerPress – WordPress Security Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-7052 | 2 Latepoint, Wordpress | 2 Latepoint, Wordpress | 2025-10-02 | 8.8 High |
| The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoint via wp_ajax and wp_ajax_nopriv but does not verify a nonce or user capability before resetting the user’s password. This makes it possible for unauthenticated attackers who trick a logged-in customer (or, with “WP users as customers” enabled, an administrator) into visiting a malicious link to take over their account. | ||||
| CVE-2025-58010 | 1 Wordpress | 1 Wordpress | 2025-10-01 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in straightvisions GmbH SV Proven Expert allows Cross Site Request Forgery. This issue affects SV Proven Expert: from n/a through 2.0.06. | ||||
| CVE-2025-58013 | 1 Wordpress | 1 Wordpress | 2025-10-01 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in pebas CouponXxL allows Privilege Escalation. This issue affects CouponXxL: from n/a through 4.5.0. | ||||
| CVE-2025-23639 | 1 Mdc Youtube Downloader Project | 1 Mdc Youtube Downloader | 2025-09-30 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC YouTube Downloader allows Stored XSS.This issue affects MDC YouTube Downloader: from n/a through 3.0.0. | ||||
| CVE-2025-48497 | 1 Irohasoft | 1 Iroha Board | 2025-09-30 | N/A |
| Cross-site request forgery vulnerability exists in iroha Board versions v0.10.12 and earlier. If a user accesses a specially crafted URL while being logged in to the affected product, arbitrary learning histories may be registered. | ||||
| CVE-2024-2125 | 2 Dattateccom, Donweb | 2 Envialosimple Email Marketing Y Newsletters, Envialosimple | 2025-09-30 | 8.8 High |
| The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to upload malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-2822 | 1 Dedecms | 1 Dedecms | 2025-09-30 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in DedeCMS 5.7. This affects an unknown part of the file /src/dede/vote_edit.php. The manipulation of the argument aid leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257709 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-36255 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-09-30 | 5.7 Medium |
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows an attacker to run a playbook checklist task command as another user via creating and sharing a deceptive post action that unexpectedly runs a slash command in some arbitrary channel. | ||||
| CVE-2024-51144 | 1 Ampache | 1 Ampache | 2025-09-30 | 8.8 High |
| Cross Site Request Forgery (CSRF) vulnerability exists in the 'pvmsg.php?action=add_message', pvmsg.php?action=confirm_delete , and ajax.server.php?page=user&action=flip_follow endpoints in Ampache <= 6.6.0. | ||||
| CVE-2024-32085 | 1 Ait-themes | 1 Citadela Listing | 2025-09-29 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in AitThemes Citadela Listing.This issue affects Citadela Listing: from n/a before 5.20.0. | ||||
| CVE-2024-2821 | 1 Dedecms | 1 Dedecms | 2025-09-29 | 4.3 Medium |
| A vulnerability, which was classified as problematic, has been found in DedeCMS 5.7. Affected by this issue is some unknown functionality of the file /src/dede/friendlink_edit.php. The manipulation of the argument id leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257708. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-59845 | 1 Apollographql | 2 Apollo Explorer, Apollo Sandbox | 2025-09-29 | 8.2 High |
| Apollo Studio Embeddable Explorer & Embeddable Sandbox are website embeddable software solutions from Apollo GraphQL. Prior to Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3, a cross-site request forgery (CSRF) vulnerability was identified. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the embedding page, causing the victim’s browser to execute arbitrary GraphQL queries or mutations against their GraphQL server while authenticated with the victim’s cookies. This issue has been patched in Apollo Sandbox version 2.7.2 and Apollo Explorer version 3.7.3. | ||||
| CVE-2025-9896 | 1 Wordpress | 1 Wordpress | 2025-09-29 | 4.3 Medium |
| The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9894 | 1 Wordpress | 1 Wordpress | 2025-09-29 | 4.3 Medium |
| The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job_func function. This makes it possible for unauthenticated attackers to trigger content synchronization from Feedly, potentially creating multiple posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||