Search Results (9385 CVEs found)

CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS v3.1 (score, severity)
CVE-2026-57723 2026-07-01 7.4 High
Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.12.
CVE-2026-14016 1 Google 1 Chrome 2026-07-01 6.5 Medium
Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-58518 2026-07-01 N/A
Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - RedirectManager Extension allows Cross Site Request Forgery. This issue affects Mediawiki - RedirectManager Extension: from * before 1.3.3.
CVE-2026-13887 1 Google 1 Chrome 2026-07-01 6.5 Medium
Inappropriate implementation in NFC in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-13826 1 Google 1 Chrome 2026-07-01 6.5 Medium
Inappropriate implementation in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12158 2 Metagauss, Wordpress 2 Registrationmagic – Custom Registration Forms, User Registration, Payment, And User Login, Wordpress 2026-07-01 8.8 High
The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated attackers to escalate the privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task that is executed via WordPress cron via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-11981 2026-07-01 4.3 Medium
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3. This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-31016 1 Squidex.io 1 Squidex 2026-07-01 6.5 Medium
Cross Site Request Forgery vulnerability in Squidex.io Squidex CMS v.7.21.0 and before allows a remote attacker to escalate privileges via the IdentityServer account profile endpoint.
CVE-2026-8944 2 Engagementanalytics, Wordpress 2 Plugin For Google Analytics By Io Technologies, Wordpress 2026-07-01 4.3 Medium
The Plugin for Google Analytics by IO technologies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the Google Analytics settings page (ga.php). This makes it possible for unauthenticated attackers to update the plugin's stored Google Analytics tracking ID option (io-ga-id) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-35096 1 Ktm System 1 E-bok 2026-07-01 N/A
KTM System e-BOK is vulnerable to Cross-Site Request Forgery (CSRF) in both the email-change and password-change functionalities. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged POST request to the application. This allows the attacker to trigger an unauthorized email or password change on behalf of the victim without their knowledge or interaction. This issue was fixed in the patch published in June 2026.
CVE-2026-56024 2 Saad Iqbal, Wordpress 2 Wp Easypay, Wordpress 2026-07-01 6.5 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal WP EasyPay allows Cross Site Request Forgery. This issue affects WP EasyPay: from n/a through 4.5.0.
CVE-2026-43735 1 Apple 3 Ios And Ipados, Macos, Safari 2026-06-30 8.1 High
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.
CVE-2026-57635 2 Funnelkit, Wordpress 2 Funnelkit Payment Gateway For Stripe Woocommerce, Wordpress 2026-06-29 6.5 Medium
Unauthenticated Cross Site Request Forgery (CSRF) in FunnelKit Payment Gateway for Stripe WooCommerce <= 1.14.0.3 versions.
CVE-2026-57655 2 Jay Versluis, Wordpress 2 Child Theme Wizard, Wordpress 2026-06-29 8.2 High
Unauthenticated Cross Site Request Forgery (CSRF) in Child Theme Wizard <= 1.4 versions.
CVE-2026-57657 2 Noor Alam, Wordpress 2 Gmail Smtp, Wordpress 2026-06-29 4.3 Medium
Unauthenticated Cross Site Request Forgery (CSRF) in Gmail SMTP <= 1.2.3.19 versions.
CVE-2026-57659 2 Stranger Studios, Wordpress 2 Paid Memberships Pro - Add Member From Admin, Wordpress 2026-06-29 8.8 High
Unauthenticated Cross Site Request Forgery (CSRF) in Paid Memberships Pro - Add Member From Admin <= 0.7.2 versions.
CVE-2026-57641 2 Contempothemes, Wordpress 2 Real Estate 7, Wordpress 2026-06-29 6.5 Medium
Unauthenticated Cross Site Request Forgery (CSRF) in Real Estate 7 <= 3.5.9 versions.
CVE-2026-50132 1 Budibase 1 Budibase 2026-06-29 7.3 High
Budibase is an open-source low-code platform. Prior to 3.39.0, `GET /api/chat-links/:instance/:token/handoff` is a public endpoint (no auth required) that performs a permanent, state-changing operation: it binds an external chat identity (Slack/Discord/MS Teams) to an authenticated Budibase user account, with no consent UI and no CSRF protection. The session token in the URL is created by the attacker (from their own /link slash command) and embeds the attacker's externalUserId. When an authenticated Budibase victim visits the URL, their account is silently and permanently linked to the attacker's Slack/Discord identity. The server responds with "Authentication succeeded." — no indication of what was linked. This vulnerability is fixed in 3.39.0.
CVE-2026-13422 2 Harmonicdesign, Wordpress 2 Hd Quiz, Wordpress 2026-06-29 4.3 Medium
The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-13537 1 Codeastro 1 Human Resource Management System 2026-06-29 4.3 Medium
A vulnerability was found in CodeAstro Human Resource Management System 1.0. An unknown function is impacted. The manipulation results in cross-site request forgery. The attack may be launched remotely. The exploit has been made public and could be used.