Export limit exceeded: 10214 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10214 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-27792 | 2026-04-15 | N/A | ||
| Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using `<meta name="referrer" content="never">`, effectively bypassing this protection. Version 5.1.1 contains a patch for the issue. | ||||
| CVE-2024-48930 | 1 Secp256k1-node Project | 1 Secp256k1-node | 2026-04-15 | N/A |
| secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In `elliptic`-based version, `loadUncompressedPublicKey` has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, `loadCompressedPublicKey` is missing that check. That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including e.g. `publicKeyVerify()` incorrectly returning `true` on those invalid keys, and e.g. `publicKeyTweakMul()` also returning predictable outcomes allowing to restore the tweak. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue. | ||||
| CVE-2025-64482 | 1 Enalean | 1 Tuleap | 2026-04-15 | 4.6 Medium |
| Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.01-, 16.13-6, and 16.12-9 don't have cross-site request forgery protections in the file release system. An attacker could use this vulnerability to trick victims into changing the commit rules or immutable tags of a SVN repo. Tuleap Community Edition 16.13.99.1762267347, Tuleap Enterprise Edition 17.0-1, Tuleap Enterprise Edition 16.13-6, and Tuleap Enterprise Edition 16.12-9 fix the issue. | ||||
| CVE-2024-4103 | 2026-04-15 | 4.3 Medium | ||
| The ADFO – Custom data in admin dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.0. This is due to missing or incorrect nonce validation on several functions hooked via the controller() function. This makes it possible for unauthenticated attackers to edit the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-6662 | 1 Jan Syski | 1 Megabip | 2026-04-15 | N/A |
| Websites managed by MegaBIP in versions below 5.15 are vulnerable to Cross-Site Request Forgery (CSRF) as the form available under "/edytor/index.php?id=7,7,0" lacks protection mechanisms. A user could be tricked into visiting a malicious website, which would send POST request to this endpoint. If the victim is a logged in administrator, this could lead to creation of new accounts and granting of administrative permissions. | ||||
| CVE-2024-3825 | 2026-04-15 | 4.3 Medium | ||
| Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw which results in credential enumeration | ||||
| CVE-2024-5185 | 2026-04-15 | 7.3 High | ||
| The EmbedAI application is susceptible to security issues that enable Data Poisoning attacks. This weakness could result in the application becoming compromised, leading to unauthorized entries or data poisoning attacks, which are delivered by a CSRF vulnerability due to the absence of a secure session management implementation and weak CORS policies weakness. An attacker can direct a user to a malicious webpage that exploits a CSRF vulnerability within the EmbedAI application. By leveraging this CSRF vulnerability, the attacker can deceive the user into inadvertently uploading and integrating incorrect data into the application’s language model. | ||||
| CVE-2024-41972 | 2026-04-15 | 6.5 Medium | ||
| A low privileged remote attacker can overwrite an arbitrary file on the filesystem which may lead to an arbitrary file read with root privileges. | ||||
| CVE-2025-15550 | 1 Birkir | 1 Prime | 2026-04-15 | 5.3 Medium |
| birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query parameters. | ||||
| CVE-2024-11689 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The HQ Rental Software plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.29. This is due to missing or incorrect nonce validation on the displaySettingsPage() function. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-0858 | 2026-04-15 | N/A | ||
| A vulnerability was discovered in the firmware builds up to 8.2.1.0820 in certain Poly devices. The firmware flaw does not properly prevent path traversal and could lead to information disclosure. | ||||
| CVE-2024-12293 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.64.3. This is due to missing or incorrect nonce validation on the update_roles() function. This makes it possible for unauthenticated attackers to add or remove roles for arbitrary users, including escalating their privileges to administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-12291 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.17. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-36677 | 2026-04-15 | 7.5 High | ||
| In the module "Login as customer PRO" (loginascustomerpro) <1.2.7 from Weblir for PrestaShop, a guest can access direct link to connect to each customer account of the Shop if the module is not installed OR if a secret accessible to administrator is stolen. | ||||
| CVE-2024-36682 | 2026-04-15 | 7.5 High | ||
| In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can download all email collected while SHOP is in maintenance mode. Due to a lack of permissions control, a guest can access the txt file which collect email when maintenance is enable which can lead to leak of personal information. | ||||
| CVE-2024-42476 | 2026-04-15 | 6.5 Medium | ||
| In the OAuth library for nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the `state` parameter to prevent cross-site request forgery (CSRF) attacks where a resource owner might have their session associated with protected resources belonging to an attacker. When this project is compiled with certain compiler flags set, it is possible that the `state` parameter will not be checked at all, creating a CSRF vulnerability. Version 0.11 checks the `state` parameter using a regular `if` statement or `doAssert` instead of relying on a plain `assert`. `doAssert` will achieve the desired behavior even if `-d:danger` or `--assertions:off` is set. | ||||
| CVE-2024-46992 | 1 Electron | 1 Electron | 2026-04-15 | 7.8 High |
| Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 30.0.0-alpha.1 to before 30.0.5 and 31.0.0-alpha.1 to before 31.0.0-beta.1, Electron is vulnerable to an ASAR Integrity bypass. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are not impacted. Specifically this issue can only be exploited if the app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against. This issue has been patched in versions 30.0.5 and 31.0.0-beta.1. There are no workarounds for this issue. | ||||
| CVE-2024-4344 | 2026-04-15 | 4.3 Medium | ||
| The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.1.13. This is due to missing or incorrect nonce validation on the exec function. This makes it possible for unauthenticated attackers to disable pin protection for the admin interface of the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-5804 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cf_admin_init function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-3997 | 2026-04-15 | 4.3 Medium | ||
| A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3. This affects an unknown part of the file /index.php?my-profile-ajax-1 of the component Personal Information Page. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||