Total
8236 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-60208 | 2025-10-22 | N/A | 5.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages acf-cpt-options-pages allows Object Injection.This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9. | |||||
| CVE-2025-60168 | 2025-10-22 | N/A | 5.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in integrationshotelrunner HotelRunner Booking Widget hotelrunner allows Stored XSS.This issue affects HotelRunner Booking Widget: from n/a through <= 1.6. | |||||
| CVE-2025-60134 | 2025-10-22 | N/A | 5.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Media Categories wp-media-categories allows Cross Site Request Forgery.This issue affects WP Media Categories: from n/a through <= 2.1.0. | |||||
| CVE-2025-49373 | 2025-10-22 | N/A | 5.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Cross Site Request Forgery.This issue affects Evergreen Content Poster: from n/a through <= 1.4.5. | |||||
| CVE-2025-48099 | 2025-10-22 | N/A | 5.4 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Code Amp Search & Filter search-filter allows Cross Site Request Forgery.This issue affects Search & Filter: from n/a through <= 1.2.17. | |||||
| CVE-2025-62771 | 2025-10-22 | N/A | 7.5 HIGH | ||
| Mercku M6a devices through 2.1.0 allow password changes via intranet CSRF attacks. | |||||
| CVE-2025-10588 | 2025-10-22 | N/A | 4.3 MEDIUM | ||
| The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-60132 | 2025-10-22 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in johnh10 Video Blogster Lite video-blogster-lite allows Stored XSS.This issue affects Video Blogster Lite: from n/a through <= 1.2. | |||||
| CVE-2025-62009 | 2025-10-22 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") UPC/EAN/GTIN Code Generator upc-ean-barcode-generator allows Cross Site Request Forgery.This issue affects UPC/EAN/GTIN Code Generator: from n/a through <= 2.0.2. | |||||
| CVE-2025-62061 | 2025-10-22 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in impleCode Product Catalog Simple post-type-x.This issue affects Product Catalog Simple: from n/a through <= 1.8.4. | |||||
| CVE-2025-62005 | 2025-10-22 | N/A | N/A | ||
| Cross-Site Request Forgery (CSRF) vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Cross Site Request Forgery.This issue affects SUMO Memberships for WooCommerce: from n/a through < 7.8.0. | |||||
| CVE-2025-54286 | 2 Canonical, Linux | 2 Lxd, Linux Kernel | 2025-10-22 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication. | |||||
| CVE-2014-100005 | 1 Dlink | 2 Dir-600, Dir-600 Firmware | 2025-10-22 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php. | |||||
| CVE-2020-10181 | 1 Sumavision | 2 Enhanced Multimedia Router, Enhanced Multimedia Router Firmware | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request. | |||||
| CVE-2016-6277 | 1 Netgear | 22 D6220, D6220 Firmware, D6400 and 19 more | 2025-10-22 | 9.3 HIGH | 8.8 HIGH |
| NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/. | |||||
| CVE-2023-2533 | 1 Papercut | 2 Papercut Mf, Papercut Ng | 2025-10-21 | N/A | 8.4 HIGH |
| A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes. | |||||
| CVE-2025-47410 | 2025-10-21 | N/A | 8.8 HIGH | ||
| Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user. This issue affects Apache Geode: versions 1.10 through 1.15.1 Users are recommended to upgrade to version 1.15.2, which fixes the issue. | |||||
| CVE-2025-9890 | 2025-10-21 | N/A | 8.8 HIGH | ||
| The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-43296 | 1 Apple | 1 Macos | 2025-10-20 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26. An app may bypass Gatekeeper checks. | |||||
| CVE-2025-59428 | 1 Espocrm | 1 Espocrm | 2025-10-20 | N/A | 5.4 MEDIUM |
| EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9. | |||||