← Back
CWE-352

9,364 CVEs • Abstraction: Compound • Likelihood of Exploit: Medium

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

JSON object

Loading...

CVEs (9,364)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Maxum
1Rumpus
Jun 17, 2026
Jan 12, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Rumpus - FTP server version 9.0.7.1 Cross-site request forgery (CSRF) – vulnerability may allow unauthorized action on behalf of authenticated users.
1Maxum
1Rumpus
Jun 17, 2026
Jan 12, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Rumpus - FTP server Cross-site request forgery (CSRF) – Privilege escalation vulnerability that may allow privilege escalation.
1Royal Elementor Addons
1Royal Elementor Addons
Jun 17, 2026
Jan 10, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
The Royal Elementor Addons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.59. This is due to missing nonce validation in the 'wpr_create_mega_menu_template' AJAX fu...Show more
The Royal Elementor Addons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.59. This is due to missing nonce validation in the 'wpr_create_mega_menu_template' AJAX function. This allows unauthenticated attackers to create Mega Menu templates, granted they can trick an administrator into performing an action, such as clicking a link.Show less
1Royal Elementor Addons
1Royal Elementor Addons
Jun 17, 2026
Jan 9, 2023
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated...Show more
The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated users, such as subscriber to create a post (as well as any post type) with an arbitrary titleShow less
1Royal Elementor Addons
1Royal Elementor Addons
Jun 17, 2026
Jan 9, 2023
N/A· v4
3.1 LOW· v3
N/A· v2
The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorization and CSRF checks when deleting a template and does not ensure that the post to be deleted is a template. This could allow any authentic...Show more
The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorization and CSRF checks when deleting a template and does not ensure that the post to be deleted is a template. This could allow any authenticated users, such as subscribers, to delete arbitrary posts assuming they know the related slug.Show less
1Nextcloud
1Desktop
Jun 17, 2026
Jan 9, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they clic...Show more
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2. Show less
1Swifty Page Manager Project
1Swifty Page Manager
Jun 17, 2026
Jan 5, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on several AJAX actions handling page...Show more
The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on several AJAX actions handling page creation and deletion among other things. This makes it possible for unauthenticated attackers to invoke those functions, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.Show less
1Crocoblock
1Jetwidgets For Elementor
Jun 17, 2026
Jan 5, 2023
N/A· v4
6.5 MEDIUM· v3
N/A· v2
The JetWidgets for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.12. This is due to missing nonce validation on the save() function. This makes it possib...Show more
The JetWidgets for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.12. This is due to missing nonce validation on the save() function. This makes it possible for unauthenticated attackers to to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be used to enable SVG uploads that could make Cross-Site Scripting possible.Show less
1Openacs
1Bug Tracker
Nov 21, 2024
Jan 5, 2023
N/A· v4
8.8 HIGH· v3
4.0 MEDIUM· v2
A vulnerability classified as problematic has been found in OpenACS bug-tracker. Affected is an unknown function of the file lib/nav-bar.adp of the component Search. The manipulation leads to cross-site request forgery....Show more
A vulnerability classified as problematic has been found in OpenACS bug-tracker. Affected is an unknown function of the file lib/nav-bar.adp of the component Search. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is aee43e5714cd8b697355ec3bf83eefee176d3fc3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217440.Show less
1Xwiki
1Ckeditor Integration
Jun 17, 2026
Jan 4, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3,t he `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execu...Show more
CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3,t he `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. There are no known workarounds for this other than upgrading the CKEditor integration to a fixed version.Show less
1Ibm
1Business Automation Workflow
Jun 17, 2026
Jan 4, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
IBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to ex...Show more
IBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054. Show less
1Iubenda
1Iubenda Cookie Law Solution
Jun 17, 2026
Jan 2, 2023
N/A· v4
8.8 HIGH· v3
N/A· v2
The iubenda WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any...Show more
The iubenda WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etcShow less
1Valtech
1Idp Test Clients
Nov 21, 2024
Dec 31, 2022
N/A· v4
8.8 HIGH· v3
5.0 MEDIUM· v2
A vulnerability was found in valtech IDP Test Client and classified as problematic. Affected by this issue is some unknown functionality of the file python-flask/main.py. The manipulation leads to cross-site request forg...Show more
A vulnerability was found in valtech IDP Test Client and classified as problematic. Affected by this issue is some unknown functionality of the file python-flask/main.py. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The name of the patch is f1e7b3d431c8681ec46445557125890c14fa295f. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217148.Show less
1Froxlor
1Froxlor
Jun 17, 2026
Dec 31, 2022
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
1Usememos
1Memos
Jun 17, 2026
Dec 29, 2022
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
1Usememos
1Memos
Jun 17, 2026
Dec 29, 2022
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
1Usememos
1Memos
Jun 17, 2026
Dec 29, 2022
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
1Usememos
1Memos
Jun 17, 2026
Dec 29, 2022
N/A· v4
4.3 MEDIUM· v3
N/A· v2
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
1Usememos
1Memos
Jun 17, 2026
Dec 29, 2022
N/A· v4
8.8 HIGH· v3
N/A· v2
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.
1Golf Project
1Golf
Apr 11, 2025
Dec 27, 2022
N/A· v4
8.8 HIGH· v3
N/A· v2
CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.