Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2016-6277

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-14 Dec, 2016 | 16:00
Updated At-21 Oct, 2025 | 23:55
Rejected At-
Credits

NETGEAR Multiple Routers Remote Code Execution Vulnerability

NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Known Exploited Vulnerabilities (KEV)
cisa.gov
Vendor:
NETGEAR, Inc.NETGEAR
Product:Multiple Routers
Added At:07 Mar, 2022
Due At:07 Sep, 2022

NETGEAR Multiple Routers Remote Code Execution Vulnerability

NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution.

Used in Ransomware

:

Unknown

CWE

:
CWE-352

Required Action:

Apply updates per vendor instructions.

Additional Notes:

https://nvd.nist.gov/vuln/detail/CVE-2016-6277
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:14 Dec, 2016 | 16:00
Updated At:21 Oct, 2025 | 23:55
Rejected At:
â–¼CVE Numbering Authority (CNA)

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.exploit-db.com/exploits/40889/
exploit
x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/41598/
exploit
x_refsource_EXPLOIT-DB
http://kb.netgear.com/000036386/CVE-2016-582384
x_refsource_CONFIRM
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
x_refsource_MISC
https://www.kb.cert.org/vuls/id/582384
third-party-advisory
x_refsource_CERT-VN
http://www.securityfocus.com/bid/94819
vdb-entry
x_refsource_BID
https://kalypto.org/research/netgear-vulnerability-expanded/
x_refsource_MISC
http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
x_refsource_MISC
Hyperlink: https://www.exploit-db.com/exploits/40889/
Resource:
exploit
x_refsource_EXPLOIT-DB
Hyperlink: https://www.exploit-db.com/exploits/41598/
Resource:
exploit
x_refsource_EXPLOIT-DB
Hyperlink: http://kb.netgear.com/000036386/CVE-2016-582384
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
Resource:
x_refsource_MISC
Hyperlink: https://www.kb.cert.org/vuls/id/582384
Resource:
third-party-advisory
x_refsource_CERT-VN
Hyperlink: http://www.securityfocus.com/bid/94819
Resource:
vdb-entry
x_refsource_BID
Hyperlink: https://kalypto.org/research/netgear-vulnerability-expanded/
Resource:
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.exploit-db.com/exploits/40889/
exploit
x_refsource_EXPLOIT-DB
x_transferred
https://www.exploit-db.com/exploits/41598/
exploit
x_refsource_EXPLOIT-DB
x_transferred
http://kb.netgear.com/000036386/CVE-2016-582384
x_refsource_CONFIRM
x_transferred
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
x_refsource_MISC
x_transferred
https://www.kb.cert.org/vuls/id/582384
third-party-advisory
x_refsource_CERT-VN
x_transferred
http://www.securityfocus.com/bid/94819
vdb-entry
x_refsource_BID
x_transferred
https://kalypto.org/research/netgear-vulnerability-expanded/
x_refsource_MISC
x_transferred
http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
x_refsource_MISC
x_transferred
Hyperlink: https://www.exploit-db.com/exploits/40889/
Resource:
exploit
x_refsource_EXPLOIT-DB
x_transferred
Hyperlink: https://www.exploit-db.com/exploits/41598/
Resource:
exploit
x_refsource_EXPLOIT-DB
x_transferred
Hyperlink: http://kb.netgear.com/000036386/CVE-2016-582384
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.kb.cert.org/vuls/id/582384
Resource:
third-party-advisory
x_refsource_CERT-VN
x_transferred
Hyperlink: http://www.securityfocus.com/bid/94819
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://kalypto.org/research/netgear-vulnerability-expanded/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
kev
dateAdded:
2022-03-07
reference:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
CVE-2016-6277 added to CISA KEV2022-03-07 00:00:00
Event: CVE-2016-6277 added to CISA KEV
Date: 2022-03-07 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277
government-resource
Hyperlink: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277
Resource:
government-resource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:14 Dec, 2016 | 16:59
Updated At:21 Apr, 2026 | 16:23

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
2022-03-072022-09-07NETGEAR Multiple Routers Remote Code Execution VulnerabilityApply updates per vendor instructions.
Date Added: 2022-03-07
Due Date: 2022-09-07
Vulnerability Name: NETGEAR Multiple Routers Remote Code Execution Vulnerability
Required Action: Apply updates per vendor instructions.
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary2.09.3HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 9.3
Base severity: HIGH
Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C
CPE Matches

NETGEAR, Inc.
netgear
>>d6220_firmware>>Versions up to 1.0.0.22(inclusive)
cpe:2.3:o:netgear:d6220_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>d6220>>-
cpe:2.3:h:netgear:d6220:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>d6400_firmware>>Versions up to 1.0.0.56(inclusive)
cpe:2.3:o:netgear:d6400_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>d6400>>-
cpe:2.3:h:netgear:d6400:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6250_firmware>>Versions up to 1.0.4.6_10.1.12(inclusive)
cpe:2.3:o:netgear:r6250_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6250>>-
cpe:2.3:h:netgear:r6250:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6400_firmware>>Versions up to 1.0.1.18(inclusive)
cpe:2.3:o:netgear:r6400_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6400>>-
cpe:2.3:h:netgear:r6400:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6700_firmware>>Versions up to 1.0.1.14(inclusive)
cpe:2.3:o:netgear:r6700_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6700>>-
cpe:2.3:h:netgear:r6700:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6900_firmware>>Versions up to 1.0.1.14(inclusive)
cpe:2.3:o:netgear:r6900_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6900>>-
cpe:2.3:h:netgear:r6900:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7000_firmware>>Versions up to 1.0.7.2_1.1.93(inclusive)
cpe:2.3:o:netgear:r7000_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7000>>-
cpe:2.3:h:netgear:r7000:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7100lg_firmware>>Versions up to 1.0.0.28(inclusive)
cpe:2.3:o:netgear:r7100lg_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7100lg>>-
cpe:2.3:h:netgear:r7100lg:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7300dst_firmware>>Versions up to 1.0.0.46(inclusive)
cpe:2.3:o:netgear:r7300dst_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7300dst>>-
cpe:2.3:h:netgear:r7300dst:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7900_firmware>>Versions up to 1.0.1.8(inclusive)
cpe:2.3:o:netgear:r7900_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7900>>-
cpe:2.3:h:netgear:r7900:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r8000_firmware>>Versions up to 1.0.3.26(inclusive)
cpe:2.3:o:netgear:r8000_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r8000>>-
cpe:2.3:h:netgear:r8000:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE-352Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-352
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://kb.netgear.com/000036386/CVE-2016-582384cve@mitre.org
Patch
Vendor Advisory
http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.htmlcve@mitre.org
Exploit
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/94819cve@mitre.org
Broken Link
Third Party Advisory
VDB Entry
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/cve@mitre.org
Broken Link
Mitigation
Third Party Advisory
https://kalypto.org/research/netgear-vulnerability-expanded/cve@mitre.org
Broken Link
Exploit
Third Party Advisory
https://www.exploit-db.com/exploits/40889/cve@mitre.org
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/41598/cve@mitre.org
Exploit
Third Party Advisory
VDB Entry
https://www.kb.cert.org/vuls/id/582384cve@mitre.org
Third Party Advisory
US Government Resource
http://kb.netgear.com/000036386/CVE-2016-582384af854a3a-2127-422b-91ae-364da2661108
Patch
Vendor Advisory
http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.htmlaf854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/94819af854a3a-2127-422b-91ae-364da2661108
Broken Link
Third Party Advisory
VDB Entry
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/af854a3a-2127-422b-91ae-364da2661108
Broken Link
Mitigation
Third Party Advisory
https://kalypto.org/research/netgear-vulnerability-expanded/af854a3a-2127-422b-91ae-364da2661108
Broken Link
Exploit
Third Party Advisory
https://www.exploit-db.com/exploits/40889/af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/41598/af854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
VDB Entry
https://www.kb.cert.org/vuls/id/582384af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource
Hyperlink: http://kb.netgear.com/000036386/CVE-2016-582384
Source: cve@mitre.org
Resource:
Patch
Vendor Advisory
Hyperlink: http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
VDB Entry
Hyperlink: http://www.securityfocus.com/bid/94819
Source: cve@mitre.org
Resource:
Broken Link
Third Party Advisory
VDB Entry
Hyperlink: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
Source: cve@mitre.org
Resource:
Broken Link
Mitigation
Third Party Advisory
Hyperlink: https://kalypto.org/research/netgear-vulnerability-expanded/
Source: cve@mitre.org
Resource:
Broken Link
Exploit
Third Party Advisory
Hyperlink: https://www.exploit-db.com/exploits/40889/
Source: cve@mitre.org
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://www.exploit-db.com/exploits/41598/
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
VDB Entry
Hyperlink: https://www.kb.cert.org/vuls/id/582384
Source: cve@mitre.org
Resource:
Third Party Advisory
US Government Resource
Hyperlink: http://kb.netgear.com/000036386/CVE-2016-582384
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Vendor Advisory
Hyperlink: http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory
VDB Entry
Hyperlink: http://www.securityfocus.com/bid/94819
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Third Party Advisory
VDB Entry
Hyperlink: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Mitigation
Third Party Advisory
Hyperlink: https://kalypto.org/research/netgear-vulnerability-expanded/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Exploit
Third Party Advisory
Hyperlink: https://www.exploit-db.com/exploits/40889/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://www.exploit-db.com/exploits/41598/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory
VDB Entry
Hyperlink: https://www.kb.cert.org/vuls/id/582384
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
US Government Resource
Hyperlink: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
US Government Resource

Change History

0
Information is not available yet

Similar CVEs

2437Records found

CVE-2004-1967
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.64% / 73.41%
||
7 Day CHG~0.00%
Published-10 May, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerabilities in (1) cp_forums.php, (2) cp_usergroup.php, (3) cp_ipbans.php, (4) myhome.php, (5) post.php, or (6) moderator.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary code by including the code in an image tag or a link.

Action-Not Available
Vendor-openbbn/a
Product-openbbn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9498
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.72% / 49.31%
||
7 Day CHG~0.00%
Published-22 Oct, 2019 | 20:36
Updated-06 Aug, 2024 | 08:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wps-hide-login plugin before 1.1 for WordPress has CSRF that affects saving an option value.

Action-Not Available
Vendor-wpserveurn/a
Product-wps_hide_loginn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-9307
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.70% / 48.57%
||
7 Day CHG~0.00%
Published-14 Aug, 2019 | 15:24
Updated-07 May, 2025 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature.

Action-Not Available
Vendor-wepluginsn/a
Product-wp_mapsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19685
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.51% / 39.92%
||
7 Day CHG~0.00%
Published-09 Dec, 2019 | 16:58
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable to CSRF because GET requests can be used for renames and deletions.

Action-Not Available
Vendor-nopcommercen/a
Product-nopcommercen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19854
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 38.19%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 22:51
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. It does not use CSRF Tokens to mitigate against CSRF; it uses the Origin header (which must match the request origin). This is problematic in conjunction with XSS: one can escalate privileges from User level to Administrator.

Action-Not Available
Vendor-serpico_projectn/a
Product-serpicon/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44995
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 10.97%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 15:46
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Login Redirect Plugin <= 2.2.4 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in WP Doctor WooCommerce Login Redirect plugin <= 2.2.4 versions.

Action-Not Available
Vendor-wpdoctorWP Doctor
Product-woocommerce_login_redirectWooCommerce Login Redirect
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44260
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.80%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 08:35
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Woocommerce ESTO Plugin <= 2.23.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Mikk Mihkel Nurges, Rebing OÜ Woocommerce ESTO plugin <= 2.23.1 versions.

Action-Not Available
Vendor-rebingMikk Mihkel Nurges, Rebing OÜ
Product-woocommerce_estoWoocommerce ESTO
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44473
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.60%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 10:08
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Table of Contents Plus Plugin <= 2302 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Michael Tran Table of Contents Plus plugin <= 2302 versions.

Action-Not Available
Vendor-dublueMichael Tran
Product-table_of_contents_plusTable of Contents Plus
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-57766
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-Not Assigned
Published-02 Jul, 2026 | 11:16
Updated-02 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPIDE – File Manager & Code Editor plugin <= 3.5.6 - Cross Site Request Forgery (CSRF) vulnerability

Unauthenticated Cross Site Request Forgery (CSRF) in WPIDE – File Manager & Code Editor <= 3.5.6 versions.

Action-Not Available
Vendor-XplodedThemes
Product-WPIDE – File Manager & Code Editor
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19659
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.49% / 38.57%
||
7 Day CHG~0.00%
Published-10 Feb, 2020 | 15:48
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSRF vulnerability exists in the Web File Manager's Edit Accounts functionality of Rumpus FTP Server 8.2.9.1. By exploiting it, an attacker can take over a user account by changing the password, update users' details, and escalate privileges via RAPR/DefineUsersSet.html.

Action-Not Available
Vendor-maxumn/a
Product-rumpusn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45048
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.01%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 12:16
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Social proof testimonials and reviews by Repuso Plugin <= 5.00 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Repuso Social proof testimonials and reviews by Repuso plugin <= 5.00 versions.

Action-Not Available
Vendor-repusoRepuso
Product-repusoSocial proof testimonials and reviews by Repuso
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44146
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.42%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 14:59
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Checkfront Online Booking System Plugin <= 3.6 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Checkfront Inc. Checkfront Online Booking System plugin <= 3.6 versions.

Action-Not Available
Vendor-checkfrontCheckfront Inc.
Product-checkfront_online_booking_systemCheckfront Online Booking System
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44233
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 12.60%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 15:04
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FooGallery Plugin <= 2.2.44 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in FooPlugins Best WordPress Gallery Plugin – FooGallery plugin <= 2.2.44 versions.

Action-Not Available
Vendor-foopluginsFooPlugins
Product-foogalleryBest WordPress Gallery Plugin – FooGallery
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-57759
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-Not Assigned
Published-02 Jul, 2026 | 11:16
Updated-02 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ProfileGrid plugin <= 5.9.9.7 - CSRF to Account Takeover vulnerability

Unauthenticated Cross Site Request Forgery (CSRF) in ProfileGrid <= 5.9.9.7 versions.

Action-Not Available
Vendor-Metagauss Inc.
Product-ProfileGrid
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44231
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.42%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 08:40
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Contact Form Plugin <= 2.0.10 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in NickDuncan Contact Form plugin <= 2.0.10 versions.

Action-Not Available
Vendor-nickduncanNickDuncan
Product-contact_formContact Form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45102
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 11.01%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 14:30
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Blog Manager Light Plugin <= 1.20 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Blog Manager Light plugin <= 1.20 versions.

Action-Not Available
Vendor-otwthemesOTWthemes
Product-blog_manager_lightBlog Manager Light
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-7852
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-4.29% / 89.93%
||
7 Day CHG~0.00%
Published-24 Apr, 2017 | 10:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dcs-7000l_firmwaredcs-2332l_firmwaredcs-6212ldcs-5030ldcs-6010ldcs-7000ldcs-934ldcs-5010ldcs-5000l_firmwaredcs-5222l_firmwaredcs-2230l_firmwaredcs-2210l_firmwaredcs-2132ldcs-2330l_firmwaredcs-5025l_firmwaredcs-942l_firmwaredcs-942ldcs-2530l_firmwaredcs-5009l_firmwaredcs-933l_firmwaredcs-2230ldcs-2330ldcs-2210ldcs-5029l_firmwaredcs-932ldcs-7010l_firmwaredcs-7010ldcs-2332ldcs-930ldcs-2136l_firmwaredcs-932l_firmwaredcs-2136ldcs-5020ldcs-931l_firmwaredcs-5010l_firmwaredcs-930l_firmwaredcs-2310l_firmwaredcs-6010l_firmwaredcs-2310ldcs-2132l_firmwaredcs-934l_firmwaredcs-931ldcs-5020l_firmwaredcs-5000ldcs-5222ldcs-5009ldcs-6212l_firmwaredcs-933ldcs-2530ldcs-5025ldcs-5029ldcs-5030l_firmwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-8536
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.45% / 36.13%
||
7 Day CHG~0.00%
Published-27 Mar, 2020 | 14:05
Updated-06 Aug, 2024 | 08:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center (LSC) prior to version 3.3.002 that could allow cross-site request forgery.

Action-Not Available
Vendor-n/aLenovo Group Limited
Product-solution_centern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44998
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.78%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 12:10
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Category Meta Plugin <= 1.2.8 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in josecoelho, Randy Hoyt, steveclarkcouk, Vitaliy Kukin, Eric Le Bail, Tom Ransom Category Meta plugin plugin <= 1.2.8 versions.

Action-Not Available
Vendor-randyhoytjosecoelho, Randy Hoyt, steveclarkcouk, Vitaliy Kukin, Eric Le Bail, Tom Ransom
Product-category_metaCategory Meta plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45103
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.78%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 14:33
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Permalinks Customizer Plugin <= 2.8.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in YAS Global Team Permalinks Customizer plugin <= 2.8.2 versions.

Action-Not Available
Vendor-yasglobalizerYAS Global Team
Product-permalinks_customizerPermalinks Customizer
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19025
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.02% / 59.26%
||
7 Day CHG~0.00%
Published-20 Mar, 2020 | 02:01
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)The Linux Foundation
Product-vmware_harbor_registryharborn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-41661
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-8.8||HIGH
EPSS-0.26% / 16.89%
||
7 Day CHG~0.00%
Published-11 Jun, 2025 | 08:13
Updated-24 Jul, 2025 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weidmueller: Security routers IE-SR-2TX are affected by CSRF

An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection.

Action-Not Available
Vendor-Weidmueller
Product-IE-SR-2TX-WLIE-SR-2TX-WL-4G-US-VIE-SR-2TX-WL-4G-EU
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45047
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.21% / 11.01%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 08:27
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress LeadSquared Suite Plugin <= 0.7.4 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in LeadSquared, Inc LeadSquared Suite plugin <= 0.7.4 versions.

Action-Not Available
Vendor-leadsquaredLeadSquared, Inc
Product-leadsquared_suiteLeadSquared Suite
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1958
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.60% / 44.35%
||
7 Day CHG~0.00%
Published-08 Aug, 2019 | 07:30
Updated-21 Nov, 2024 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco HyperFlex Software Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-hyperflex_hx_data_platformCisco HyperFlex HX-Series
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44257
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.38%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 08:56
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Mang Board WP Plugin <= 1.7.6 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Hometory Mang Board WP plugin <= 1.7.6 versions.

Action-Not Available
Vendor-mangboardHometory
Product-mang_boardMang Board WP
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-44243
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.41%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 15:02
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Instant CSS Plugin <= 1.2.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Dylan Blokhuis Instant CSS plugin <= 1.2.1 versions.

Action-Not Available
Vendor-dylanblokhuisDylan Blokhuis
Product-instant_cssInstant CSS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-7715
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-3.06% / 85.99%
||
7 Day CHG~0.00%
Published-18 Oct, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in the Realtyna RPL (com_rpl) component before 8.9.5 for Joomla! allows remote attackers to hijack the authentication of administrators for requests that add a user via an add_user action to administrator/index.php.

Action-Not Available
Vendor-realtynan/a
Product-realtyna_property_listingn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-42270
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.38% / 29.43%
||
7 Day CHG~0.00%
Published-15 Sep, 2023 | 00:00
Updated-02 Aug, 2024 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF).

Action-Not Available
Vendor-grocy_projectn/a
Product-grocyn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-13760
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.68% / 47.73%
||
7 Day CHG~0.00%
Published-02 Jun, 2020 | 19:25
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Joomla! before 3.9.19, missing token checks in com_postinstall lead to CSRF.

Action-Not Available
Vendor-n/aJoomla!
Product-joomla\!n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-43149
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.54% / 41.54%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 00:00
Updated-18 Sep, 2024 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SPA-Cart 1.9.0.3 is vulnerable to Cross Site Request Forgery (CSRF) that allows a remote attacker to add an admin user with role status.

Action-Not Available
Vendor-spa-cartn/a
Product-spa-cartn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-43278
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.29% / 20.38%
||
7 Day CHG~0.00%
Published-25 Sep, 2023 | 00:00
Updated-24 Sep, 2024 | 15:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-Site Request Forgery (CSRF) in admin_manager.php of Seacms up to v12.8 allows attackers to arbitrarily add an admin account.

Action-Not Available
Vendor-seacmsn/a
Product-seacmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19469
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.60% / 44.53%
||
7 Day CHG~0.00%
Published-01 Dec, 2019 | 13:21
Updated-05 Aug, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks&action=Apply&command= allows CSRF, as demonstrated by command injection with shell metacharacters. This may depend on weak default credentials.

Action-Not Available
Vendor-zmandan/a
Product-amandan/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-42435
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.5||MEDIUM
EPSS-0.18% / 7.55%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 18:19
Updated-11 Sep, 2024 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Request Forgery in DEXMA DEXGate

The affected product is vulnerable to a cross-site request forgery vulnerability, which may allow an attacker to perform actions with the permissions of a victim user.

Action-Not Available
Vendor-dexmaDEXMA
Product-dexgateDexGate
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19289
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.8||HIGH
EPSS-0.45% / 35.78%
||
7 Day CHG~0.00%
Published-14 Dec, 2020 | 21:05
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link.

Action-Not Available
Vendor-Siemens AG
Product-xhqXHQ
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8428
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-7.5||HIGH
EPSS-0.13% / 3.09%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 20:24
Updated-26 May, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CSRF token is not validated in the core CMS update controller for Concrete CMS 9.5.0 and below

Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered as a POST form, meaning the token reaches the browser, but because the controller discards it without verification, an attacker can craft a cross-site POST that triggers a core CMS update to an attacker-specified version string.  In order to be vulnerable, theictim must be passing canUpgrade()anda valid update version must be present under DIR_CORE_UPDATES. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2019-19737
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.45% / 36.13%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 17:00
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks.

Action-Not Available
Vendor-mfscriptsn/a
Product-yetisharen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-8409
Matching Score-4
Assigner-Concrete CMS
ShareView Details
Matching Score-4
Assigner-Concrete CMS
CVSS Score-2.3||LOW
EPSS-0.14% / 3.88%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 21:40
Updated-26 May, 2026 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete.  The The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Action-Not Available
Vendor-concretecmsConcrete CMS
Product-concrete_cmsConcrete CMS
CWE ID-CWE-1275
Sensitive Cookie with Improper SameSite Attribute
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1904
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.97% / 57.73%
||
7 Day CHG~0.00%
Published-21 Jun, 2019 | 02:20
Updated-20 Nov, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device. This vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS XE Software with the HTTP Server feature enabled. The default state of the HTTP Server feature is version dependent.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xe4451-x_integrated_services_router4331_integrated_services_router4321_integrated_services_routerasr_1001-x4431_integrated_services_routerasr_1002-xcloud_services_router_1000vasr_1002-hx4351_integrated_services_routerasr_1000_series_route_processor_\(rp2\)Cisco IOS XE Software
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-43118
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.28% / 19.36%
||
7 Day CHG~0.00%
Published-16 Oct, 2023 | 00:00
Updated-17 Sep, 2024 | 16:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery (CSRF) vulnerability in Chalet application in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, fixed in 31.7.2 and 32.5.1.5 allows attackers to run arbitrary code and cause other unspecified impacts via /jsonrpc API.

Action-Not Available
Vendor-extremenetworksn/a
Product-exosn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-49379
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.39% / 31.05%
||
7 Day CHG~0.00%
Published-05 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 21:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /admin/friend_link/save.

Action-Not Available
Vendor-jfinalcms_projectn/a
Product-jfinalcmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19995
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.66% / 47.12%
||
7 Day CHG~0.00%
Published-26 Dec, 2019 | 17:31
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, leading to complete control of the router, as demonstrated by v1/system/user.

Action-Not Available
Vendor-intelbrasn/a
Product-iwr_3000n_firmwareiwr_3000nn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-13458
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 38.19%
||
7 Day CHG~0.00%
Published-25 May, 2020 | 16:34
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.

Action-Not Available
Vendor-verbbn/a
Product-image_resizern/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-42323
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.43% / 34.64%
||
7 Day CHG~0.00%
Published-30 Oct, 2023 | 00:00
Updated-09 Sep, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery (CSRF) vulnerability in DouHaocms v.3.3 allows a remote attacker to execute arbitrary code via the adminAction.class.php file.

Action-Not Available
Vendor-mnbvcxz131421n/a
Product-douhaocmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2018-1434
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.94% / 56.60%
||
7 Day CHG~0.00%
Published-17 May, 2018 | 21:00
Updated-17 Sep, 2024 | 02:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) are vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 139474.

Action-Not Available
Vendor-IBM Corporation
Product-spectrum_virtualizestorwize_v3500storwize_v3500_firmwarespectrum_virtualize_for_public_cloudstorwize_v5000_firmwarestorwize_v7000_firmwarestorwize_v3700_firmwarestorwize_v7000storwize_v9000_firmwarestorwize_v3700storwize_v5000san_volume_controllersan_volume_controller_firmwarestorwize_v9000FlashSystem V9000Spectrum Virtualize for Public CloudStorwize V7000 (2076)SAN Volume ControllerStorwize V5000Spectrum Virtualize SoftwareStorwize V3500Storwize V3700
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19979
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.63% / 45.75%
||
7 Day CHG~0.00%
Published-26 Dec, 2019 | 02:26
Updated-05 Aug, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed attackers to enable a vulnerable site's maintenance mode and inject malicious code affecting site visitors. There was CSRF with resultant XSS.

Action-Not Available
Vendor-wp_maintenance_projectn/a
Product-wp_maintenancen/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-19109
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.71% / 48.99%
||
7 Day CHG~0.00%
Published-15 Jun, 2020 | 13:10
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The wpForo plugin 1.6.5 for WordPress allows wp-admin/admin.php?page=wpforo-usergroups CSRF.

Action-Not Available
Vendor-gvectorsn/a
Product-wpforon/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-13259
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-4.66% / 90.64%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 18:27
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.

Action-Not Available
Vendor-radn/a
Product-secflow-1v_firmwaresecflow-1vn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-49373
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.39% / 31.05%
||
7 Day CHG~0.00%
Published-05 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 21:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/slide/delete.

Action-Not Available
Vendor-jfinalcms_projectn/a
Product-jfinalcmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-1797
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.1||HIGH
EPSS-0.74% / 50.23%
||
7 Day CHG~0.00%
Published-18 Apr, 2019 | 01:05
Updated-21 Nov, 2024 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Wireless LAN Controller Software Cross-Site Request Forgery Vulnerability

A vulnerability in the web-based management interface of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on the device with the privileges of the user, including modifying the device configuration. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an interface user to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the user. Software versions prior to 8.3.150.0, 8.5.135.0, and 8.8.100.0 are affected.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-wireless_lan_controller_softwareCisco Wireless LAN Controller (WLC)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-39472
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.24%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 17:15
Updated-12 May, 2026 | 00:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Social Login plugin < 2.8.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in wpweb WooCommerce Social Login woo-social-login allows Cross Site Request Forgery.This issue affects WooCommerce Social Login: from n/a through < 2.8.3.

Action-Not Available
Vendor-WPWeb Elite
Product-woocommerce_social_loginWooCommerce Social Login
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 48
  • 49
  • Next
Details not found