Total
8066 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-48057 | 1 Mudler | 1 Localai | 2025-09-04 | N/A | 6.1 MEDIUM |
| localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage. | |||||
| CVE-2025-3153 | 1 Concretecms | 1 Concrete Cms | 2025-09-04 | N/A | 6.5 MEDIUM |
| Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site but amount and type is restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. The fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be “live” if there were successful exploits added under previous versions; a database search is recommended. The Concrete CMS security team gave this vulnerability CVSS v.4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L Thanks Myq Larson for reporting. | |||||
| CVE-2025-58272 | 2025-09-04 | N/A | 3.7 LOW | ||
| Cross-site request forgery vulnerability exists in Web Caster V130 versions 1.08 and earlier. If a logged-in user views a malicious page created by an attacker, the settings of the product may be unintentionally changed. | |||||
| CVE-2025-9616 | 2025-09-04 | N/A | 5.3 MEDIUM | ||
| The PopAd plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the PopAd_reset_cookie_time function. This makes it possible for unauthenticated attackers to reset cookie time settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-20326 | 2025-09-04 | N/A | 4.3 MEDIUM | ||
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. This vulnerability is due to insufficient CSRF protections for the web-based management interface on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. | |||||
| CVE-2025-58611 | 2025-09-04 | N/A | 4.3 MEDIUM | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Tickera Tickera allows Cross Site Request Forgery. This issue affects Tickera: from n/a through 3.5.5.6. | |||||
| CVE-2025-8739 | 1 Zhenfeng13 | 1 My-blog | 2025-09-02 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in zhenfeng13 My-Blog up to 1.0.0 and classified as problematic. This issue affects some unknown processing of the file /admin/tags/save. The manipulation of the argument tagName leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-8814 | 1 Pybbs Project | 1 Pybbs | 2025-09-02 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in atjiu pybbs up to 6.0.0 and classified as problematic. This issue affects the function setCookie of the file src/main/java/co/yiiu/pybbs/util/CookieUtil.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named 8aa2bb1aef3346e49aec6358edf5e47ce905ae7b. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2025-3907 | 1 Drunkenmonkey | 1 Search Api Solr | 2025-09-02 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Search API Solr allows Cross Site Request Forgery.This issue affects Search API Solr: from 0.0.0 before 4.3.9. | |||||
| CVE-2025-31689 | 1 General Data Protection Regulation Project | 1 General Data Protection Regulation | 2025-09-02 | N/A | 8.1 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal General Data Protection Regulation allows Cross Site Request Forgery.This issue affects General Data Protection Regulation: from 0.0.0 before 3.0.1, from 3.1.0 before 3.1.2. | |||||
| CVE-2025-31690 | 1 Cache Utility Project | 1 Cache Utility | 2025-09-02 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cache Utility allows Cross Site Request Forgery.This issue affects Cache Utility: from 0.0.0 before 1.2.1. | |||||
| CVE-2024-13293 | 1 Post File Project | 1 Post File | 2025-09-02 | N/A | 3.1 LOW |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal POST File allows Cross Site Request Forgery.This issue affects POST File: from 0.0.0 before 1.0.2. | |||||
| CVE-2024-13284 | 1 Drupalgutenberg | 1 Gutenberg | 2025-09-02 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Drupal Gutenberg allows Cross Site Request Forgery.This issue affects Gutenberg: from 0.0.0 before 2.13.0, from 3.0.0 before 3.0.5. | |||||
| CVE-2024-29192 | 1 Alexxit | 1 Go2rtc | 2025-09-02 | N/A | 8.8 HIGH |
| gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The `/api/config` endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without authentication, an attacker may be able to achieve that depending on how go2rtc is set up on the upstream application, and given that this endpoint is not protected against CSRF, it allows requests from any origin (e.g. a "drive-by" attack) . The `exec` handler allows for any stream to execute arbitrary commands. An attacker may add a custom stream through `api/config`, which may lead to arbitrary command execution. In the event of a victim visiting the server in question, their browser will execute the requests against the go2rtc instance. Commit 8793c3636493c5efdda08f3b5ed5c6e1ea594fd9 adds a warning about secure API access. | |||||
| CVE-2024-27631 | 1 Gnu | 1 Savane | 2025-09-02 | N/A | 6.0 MEDIUM |
| Cross Site Request Forgery vulnerability in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via siteadmin/usergroup.php | |||||
| CVE-2024-28233 | 1 Jupyter | 1 Jupyterhub | 2025-09-02 | N/A | 8.1 HIGH |
| JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve full access to JupyterHub API and user's single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. This vulnerability is fixed in 4.1.0. | |||||
| CVE-2025-9618 | 2025-09-02 | N/A | 4.3 MEDIUM | ||
| The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-0610 | 2025-09-02 | N/A | 8.6 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Akınsoft QR Menü allows Cross Site Request Forgery.This issue affects QR Menü: from s1.05.06 before v1.05.12. | |||||
| CVE-2024-2748 | 1 Github | 1 Enterprise Server | 2025-09-02 | N/A | 4.3 MEDIUM |
| A Cross Site Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker to execute unauthorized actions on behalf of an unsuspecting user. A mitigating factor is that user interaction is required. This vulnerability affected GitHub Enterprise Server 3.12.0 and was fixed in versions 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2024-43684 | 1 Microchip | 2 Timeprovider 4100, Timeprovider 4100 Firmware | 2025-08-29 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Microchip TimeProvider 4100 allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue affects TimeProvider 4100: from 1.0. | |||||