Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2016-6277

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-14 Dec, 2016 | 16:00
Updated At-21 Oct, 2025 | 23:55
Rejected At-
Credits

NETGEAR Multiple Routers Remote Code Execution Vulnerability

NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Known Exploited Vulnerabilities (KEV)
cisa.gov
Vendor:
NETGEAR, Inc.NETGEAR
Product:Multiple Routers
Added At:07 Mar, 2022
Due At:07 Sep, 2022

NETGEAR Multiple Routers Remote Code Execution Vulnerability

NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution.

Used in Ransomware

:

Unknown

CWE

:
CWE-352

Required Action:

Apply updates per vendor instructions.

Additional Notes:

https://nvd.nist.gov/vuln/detail/CVE-2016-6277
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:14 Dec, 2016 | 16:00
Updated At:21 Oct, 2025 | 23:55
Rejected At:
â–¼CVE Numbering Authority (CNA)

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.exploit-db.com/exploits/40889/
exploit
x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/41598/
exploit
x_refsource_EXPLOIT-DB
http://kb.netgear.com/000036386/CVE-2016-582384
x_refsource_CONFIRM
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
x_refsource_MISC
https://www.kb.cert.org/vuls/id/582384
third-party-advisory
x_refsource_CERT-VN
http://www.securityfocus.com/bid/94819
vdb-entry
x_refsource_BID
https://kalypto.org/research/netgear-vulnerability-expanded/
x_refsource_MISC
http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
x_refsource_MISC
Hyperlink: https://www.exploit-db.com/exploits/40889/
Resource:
exploit
x_refsource_EXPLOIT-DB
Hyperlink: https://www.exploit-db.com/exploits/41598/
Resource:
exploit
x_refsource_EXPLOIT-DB
Hyperlink: http://kb.netgear.com/000036386/CVE-2016-582384
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
Resource:
x_refsource_MISC
Hyperlink: https://www.kb.cert.org/vuls/id/582384
Resource:
third-party-advisory
x_refsource_CERT-VN
Hyperlink: http://www.securityfocus.com/bid/94819
Resource:
vdb-entry
x_refsource_BID
Hyperlink: https://kalypto.org/research/netgear-vulnerability-expanded/
Resource:
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.exploit-db.com/exploits/40889/
exploit
x_refsource_EXPLOIT-DB
x_transferred
https://www.exploit-db.com/exploits/41598/
exploit
x_refsource_EXPLOIT-DB
x_transferred
http://kb.netgear.com/000036386/CVE-2016-582384
x_refsource_CONFIRM
x_transferred
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
x_refsource_MISC
x_transferred
https://www.kb.cert.org/vuls/id/582384
third-party-advisory
x_refsource_CERT-VN
x_transferred
http://www.securityfocus.com/bid/94819
vdb-entry
x_refsource_BID
x_transferred
https://kalypto.org/research/netgear-vulnerability-expanded/
x_refsource_MISC
x_transferred
http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
x_refsource_MISC
x_transferred
Hyperlink: https://www.exploit-db.com/exploits/40889/
Resource:
exploit
x_refsource_EXPLOIT-DB
x_transferred
Hyperlink: https://www.exploit-db.com/exploits/41598/
Resource:
exploit
x_refsource_EXPLOIT-DB
x_transferred
Hyperlink: http://kb.netgear.com/000036386/CVE-2016-582384
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.kb.cert.org/vuls/id/582384
Resource:
third-party-advisory
x_refsource_CERT-VN
x_transferred
Hyperlink: http://www.securityfocus.com/bid/94819
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://kalypto.org/research/netgear-vulnerability-expanded/
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-352CWE-352 Cross-Site Request Forgery (CSRF)
Type: CWE
CWE ID: CWE-352
Description: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
kev
dateAdded:
2022-03-07
reference:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
CVE-2016-6277 added to CISA KEV2022-03-07 00:00:00
Event: CVE-2016-6277 added to CISA KEV
Date: 2022-03-07 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277
government-resource
Hyperlink: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277
Resource:
government-resource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:14 Dec, 2016 | 16:59
Updated At:21 Apr, 2026 | 16:23

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6400, D7000, and possibly other routers allow remote attackers to execute arbitrary commands via shell metacharacters in the path info to cgi-bin/.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
2022-03-072022-09-07NETGEAR Multiple Routers Remote Code Execution VulnerabilityApply updates per vendor instructions.
Date Added: 2022-03-07
Due Date: 2022-09-07
Vulnerability Name: NETGEAR Multiple Routers Remote Code Execution Vulnerability
Required Action: Apply updates per vendor instructions.
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary2.09.3HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 9.3
Base severity: HIGH
Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C
CPE Matches

NETGEAR, Inc.
netgear
>>d6220_firmware>>Versions up to 1.0.0.22(inclusive)
cpe:2.3:o:netgear:d6220_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>d6220>>-
cpe:2.3:h:netgear:d6220:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>d6400_firmware>>Versions up to 1.0.0.56(inclusive)
cpe:2.3:o:netgear:d6400_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>d6400>>-
cpe:2.3:h:netgear:d6400:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6250_firmware>>Versions up to 1.0.4.6_10.1.12(inclusive)
cpe:2.3:o:netgear:r6250_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6250>>-
cpe:2.3:h:netgear:r6250:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6400_firmware>>Versions up to 1.0.1.18(inclusive)
cpe:2.3:o:netgear:r6400_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6400>>-
cpe:2.3:h:netgear:r6400:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6700_firmware>>Versions up to 1.0.1.14(inclusive)
cpe:2.3:o:netgear:r6700_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6700>>-
cpe:2.3:h:netgear:r6700:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6900_firmware>>Versions up to 1.0.1.14(inclusive)
cpe:2.3:o:netgear:r6900_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r6900>>-
cpe:2.3:h:netgear:r6900:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7000_firmware>>Versions up to 1.0.7.2_1.1.93(inclusive)
cpe:2.3:o:netgear:r7000_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7000>>-
cpe:2.3:h:netgear:r7000:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7100lg_firmware>>Versions up to 1.0.0.28(inclusive)
cpe:2.3:o:netgear:r7100lg_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7100lg>>-
cpe:2.3:h:netgear:r7100lg:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7300dst_firmware>>Versions up to 1.0.0.46(inclusive)
cpe:2.3:o:netgear:r7300dst_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7300dst>>-
cpe:2.3:h:netgear:r7300dst:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7900_firmware>>Versions up to 1.0.1.8(inclusive)
cpe:2.3:o:netgear:r7900_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r7900>>-
cpe:2.3:h:netgear:r7900:-:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r8000_firmware>>Versions up to 1.0.3.26(inclusive)
cpe:2.3:o:netgear:r8000_firmware:*:*:*:*:*:*:*:*
NETGEAR, Inc.
netgear
>>r8000>>-
cpe:2.3:h:netgear:r8000:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-352Primarynvd@nist.gov
CWE-352Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-352
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://kb.netgear.com/000036386/CVE-2016-582384cve@mitre.org
Patch
Vendor Advisory
http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.htmlcve@mitre.org
Exploit
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/94819cve@mitre.org
Broken Link
Third Party Advisory
VDB Entry
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/cve@mitre.org
Broken Link
Mitigation
Third Party Advisory
https://kalypto.org/research/netgear-vulnerability-expanded/cve@mitre.org
Broken Link
Exploit
Third Party Advisory
https://www.exploit-db.com/exploits/40889/cve@mitre.org
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/41598/cve@mitre.org
Exploit
Third Party Advisory
VDB Entry
https://www.kb.cert.org/vuls/id/582384cve@mitre.org
Third Party Advisory
US Government Resource
http://kb.netgear.com/000036386/CVE-2016-582384af854a3a-2127-422b-91ae-364da2661108
Patch
Vendor Advisory
http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.htmlaf854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/94819af854a3a-2127-422b-91ae-364da2661108
Broken Link
Third Party Advisory
VDB Entry
http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/af854a3a-2127-422b-91ae-364da2661108
Broken Link
Mitigation
Third Party Advisory
https://kalypto.org/research/netgear-vulnerability-expanded/af854a3a-2127-422b-91ae-364da2661108
Broken Link
Exploit
Third Party Advisory
https://www.exploit-db.com/exploits/40889/af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/41598/af854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
VDB Entry
https://www.kb.cert.org/vuls/id/582384af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource
Hyperlink: http://kb.netgear.com/000036386/CVE-2016-582384
Source: cve@mitre.org
Resource:
Patch
Vendor Advisory
Hyperlink: http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
VDB Entry
Hyperlink: http://www.securityfocus.com/bid/94819
Source: cve@mitre.org
Resource:
Broken Link
Third Party Advisory
VDB Entry
Hyperlink: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
Source: cve@mitre.org
Resource:
Broken Link
Mitigation
Third Party Advisory
Hyperlink: https://kalypto.org/research/netgear-vulnerability-expanded/
Source: cve@mitre.org
Resource:
Broken Link
Exploit
Third Party Advisory
Hyperlink: https://www.exploit-db.com/exploits/40889/
Source: cve@mitre.org
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://www.exploit-db.com/exploits/41598/
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory
VDB Entry
Hyperlink: https://www.kb.cert.org/vuls/id/582384
Source: cve@mitre.org
Resource:
Third Party Advisory
US Government Resource
Hyperlink: http://kb.netgear.com/000036386/CVE-2016-582384
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Vendor Advisory
Hyperlink: http://packetstormsecurity.com/files/155712/Netgear-R6400-Remote-Code-Execution.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory
VDB Entry
Hyperlink: http://www.securityfocus.com/bid/94819
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Third Party Advisory
VDB Entry
Hyperlink: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Mitigation
Third Party Advisory
Hyperlink: https://kalypto.org/research/netgear-vulnerability-expanded/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Broken Link
Exploit
Third Party Advisory
Hyperlink: https://www.exploit-db.com/exploits/40889/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://www.exploit-db.com/exploits/41598/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory
VDB Entry
Hyperlink: https://www.kb.cert.org/vuls/id/582384
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
US Government Resource
Hyperlink: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-6277
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
US Government Resource

Change History

0
Information is not available yet

Similar CVEs

2437Records found

CVE-2019-17676
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.60% / 44.30%
||
7 Day CHG~0.00%
Published-17 Oct, 2019 | 12:16
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI.

Action-Not Available
Vendor-metinfon/a
Product-metinfon/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17367
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.56% / 42.56%
||
7 Day CHG-0.00%
Published-18 Oct, 2019 | 16:19
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/.

Action-Not Available
Vendor-n/aOpenWrt
Product-openwrtn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-11553
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.51% / 39.92%
||
7 Day CHG~0.00%
Published-09 Apr, 2020 | 12:35
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. There is pervasive CSRF.

Action-Not Available
Vendor-castlerockn/a
Product-snmpc_onlinen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-18280
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 38.23%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 13:40
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sourcecodester Online Grading System 1.0 is affected by a Cross Site Request Forgery vulnerability due to a lack of CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code via a crafted HTML page, as demonstrated by a Create User action at the admin/modules/user/controller.php?action=add URI.

Action-Not Available
Vendor-online_grading_system_projectn/a
Product-online_grading_systemn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5258
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-0.75% / 50.43%
||
7 Day CHG~0.00%
Published-22 Aug, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in springframework-social before 1.1.3.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)Fedora Project
Product-spring_socialfedoran/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-6109
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.92%
||
7 Day CHG~0.00%
Published-12 Apr, 2026 | 01:30
Updated-29 Apr, 2026 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FoundationAgents MetaGPT Mineflayer HTTP API index.js evaluateCode cross-site request forgery

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-deepwisdomFoundationAgents
Product-metagptMetaGPT
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2023-47350
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.38% / 30.29%
||
7 Day CHG~0.00%
Published-22 Nov, 2023 | 00:00
Updated-26 Nov, 2024 | 19:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Request Forgery (CSRF) vulnerability in SwiftyEdit Content Management System prior to v1.2.0, allows remote attackers to escalate privileges via the user password update functionality.

Action-Not Available
Vendor-swiftyeditn/a
Product-swiftyeditn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5395
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.90% / 55.20%
||
7 Day CHG~0.00%
Published-20 Sep, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.

Action-Not Available
Vendor-n/aDebian GNU/LinuxAlinto
Product-sogodebian_linuxn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2017-5528
Matching Score-4
Assigner-TIBCO Software Inc.
ShareView Details
Matching Score-4
Assigner-TIBCO Software Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.56% / 42.77%
||
7 Day CHG~0.00%
Published-29 Jun, 2017 | 14:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TIBCO JasperReports Server cross-site vulnerabilities

Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The impact of this vulnerability includes the theoretical disclosure of sensitive information. Affects TIBCO JasperReports Server (versions 6.1.1 and below, 6.2.0, 6.2.1, and 6.3.0), TIBCO JasperReports Server Community Edition (versions 6.3.0 and below), TIBCO JasperReports Server for ActiveMatrix BPM (versions 6.2.0 and below), TIBCO Jaspersoft for AWS with Multi-Tenancy (versions 6.2.0 and below), and TIBCO Jaspersoft Reporting and Analytics for AWS (versions 6.2.0 and below).

Action-Not Available
Vendor-TIBCO (Cloud Software Group, Inc.)
Product-jaspersoftjaspersoft_reporting_and_analyticsjasperreports_serverTIBCO Jaspersoft Reporting and Analytics for AWSTIBCO Jaspersoft for AWS with Multi-TenancyTIBCO JasperReports Server Community EditionTIBCO JasperReports Server for ActiveMatrix BPMTIBCO JasperReports Server
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17386
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.86% / 54.14%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 20:03
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimate.php.

Action-Not Available
Vendor-eleopardn/a
Product-animate_it\!n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5170
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-0.76% / 50.67%
||
7 Day CHG~0.00%
Published-24 Oct, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks.

Action-Not Available
Vendor-n/aCloud FoundryVMware (Broadcom Inc.)
Product-cloud_foundry_uaacf-releasecloud_foundry_elastic_runtimen/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-43275
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.32% / 24.19%
||
7 Day CHG~0.00%
Published-16 Nov, 2023 | 00:00
Updated-14 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-Site Request Forgery (CSRF) vulnerability in DedeCMS v5.7 in 110 backend management interface via /catalog_add.php, allows attackers to create crafted web pages due to a lack of verification of the token value of the submitted form.

Action-Not Available
Vendor-n/aDedeCMS
Product-dedecmsn/adedecms
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17431
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.64% / 46.12%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 11:15
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in fastadmin 1.0.0.20190705_beta. There is a public/index.php/admin/auth/admin/add CSRF vulnerability.

Action-Not Available
Vendor-fastadminn/a
Product-fastadminn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17633
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-8.8||HIGH
EPSS-0.81% / 52.43%
||
7 Day CHG~0.00%
Published-19 Dec, 2019 | 17:05
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could trigger the start of an arbitrary Che workspace. Che with no authentication and no TLS is not usually deployed on a public network but is often used for local installations (e.g. on personal laptops). In that case, even if the Che API is not exposed externally, some javascript running in the local browser is able to send requests to it.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-cheEclipse Che
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5686
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.45% / 36.13%
||
7 Day CHG~0.00%
Published-27 Feb, 2020 | 00:25
Updated-06 Aug, 2024 | 06:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Parts of the Puppet Enterprise Console 3.x were found to be susceptible to clickjacking and CSRF (Cross-Site Request Forgery) attacks. This would allow an attacker to redirect user input to an untrusted site or hijack a user session.

Action-Not Available
Vendor-n/aPerforce Software, Inc. ("Puppet")
Product-puppet_enterprisen/a
CWE ID-CWE-1021
Improper Restriction of Rendered UI Layers or Frames
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-36728
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.17% / 6.75%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 16:42
Updated-26 Aug, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SimpleHelp Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) vulnerability in Simplehelp.This issue affects Simplehelp: before 5.5.11.

Action-Not Available
Vendor-simple-helpSimplehelp
Product-simplehelpSimplehelp
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-43500
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.41% / 32.53%
||
7 Day CHG~0.00%
Published-20 Sep, 2023 | 16:06
Updated-24 Sep, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.

Action-Not Available
Vendor-Jenkins
Product-build_failure_analyzerJenkins Build Failure Analyzer Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17217
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.46% / 36.48%
||
7 Day CHG~0.00%
Published-06 Oct, 2019 | 15:23
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ethernet R07 and before WLAN R05. There is no CSRF protection established on the web service.

Action-Not Available
Vendor-vzugn/a
Product-combi-stream_mslq_firmwarecombi-stream_mslqn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-36375
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.17% / 6.27%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 22:50
Updated-06 Apr, 2026 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM DataPower Gateway vulnerable to CSRF

IBM DataPower Gateway 10.6CD 10.6.1.0 through 10.6.5.0 and IBM DataPower Gateway 10.5.0 10.5.0.0 through 10.5.0.20 and IBM DataPower Gateway 10.6.0 10.6.0.0 through 10.6.0.8 IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Action-Not Available
Vendor-IBM Corporation
Product-datapower_gatewayDataPower Gateway 10.6.0DataPower Gateway 10.6CDDataPower Gateway 10.5.0
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-18411
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.33% / 81.49%
||
7 Day CHG~0.00%
Published-06 Nov, 2019 | 21:48
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_adselfservice_plusn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-18414
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.48% / 38.23%
||
7 Day CHG~0.00%
Published-24 Oct, 2019 | 17:20
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sourcecodester Restaurant Management System 1.0 is affected by an admin/staff-exec.php Cross Site Request Forgery vulnerability due to a lack of CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code or adding a staff entry via a crafted HTML page.

Action-Not Available
Vendor-n/aSourceCodester
Product-restaurant_management_systemn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-26173
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.67% / 47.50%
||
7 Day CHG~0.00%
Published-16 Jun, 2022 | 21:53
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JForum v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which allows attackers to arbitrarily add admin accounts.

Action-Not Available
Vendor-jforumn/a
Product-jforumn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-4277
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.27% / 18.28%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 06:53
Updated-08 Apr, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Realia <= 1.4.0 - Cross-Site Request Forgery to User Email Change

The Realia plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.0. This is due to missing nonce validation on the 'process_change_profile_form' function. This makes it possible for unauthenticated attackers to change user email via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-pragmaticmatespragmaticmates
Product-realiaRealia
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-35030
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-8.6||HIGH
EPSS-0.18% / 8.21%
||
7 Day CHG~0.00%
Published-29 Sep, 2025 | 20:00
Updated-02 Jan, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Medical Informatics Engineering Enterprise Health cross site request forgery

Medical Informatics Engineering Enterprise Health has a cross site request forgery vulnerability that allows an unauthenticated attacker to trick administrative users into clicking a crafted URL and perform actions on behalf of that administrative user. This issue is fixed as of 2025-04-08.

Action-Not Available
Vendor-miewebMedical Informatics Engineering
Product-enterprise_healthEnterprise Health
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-10984
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.71% / 49.19%
||
7 Day CHG~0.00%
Published-28 Jul, 2020 | 20:40
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gambio GX before 4.0.1.0 allows admin/admin.php CSRF.

Action-Not Available
Vendor-gambion/a
Product-gambio_gxn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2015-5182
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-0.63% / 45.66%
||
7 Day CHG~0.00%
Published-25 Sep, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability in the jolokia API in A-MQ.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-amqn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-18346
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.98% / 57.98%
||
7 Day CHG~0.00%
Published-04 Dec, 2019 | 17:15
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.

Action-Not Available
Vendor-davicaln/a
Product-davicaln/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17642
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.65% / 73.56%
||
7 Day CHG~0.00%
Published-05 Mar, 2020 | 16:55
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Centreon before 18.10.8, 19.10.1, and 19.04.2. It allows CSRF with resultant remote command execution via shell metacharacters in a POST to centreon-autodiscovery-server/views/scan/ajax/call.php in the Autodiscovery plugin.

Action-Not Available
Vendor-n/aCENTREON
Product-centreonn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-18206
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.46% / 36.48%
||
7 Day CHG~0.00%
Published-30 Oct, 2019 | 18:31
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery (CSRF) vulnerability in Zucchetti InfoBusiness before and including 4.4.1 allows arbitrary file upload.

Action-Not Available
Vendor-zucchettin/a
Product-infobusinessn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-42321
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.36% / 28.39%
||
7 Day CHG~0.00%
Published-20 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery (CSRF) vulnerability in icmsdev iCMSv.7.0.16 allows a remote attacker to execute arbitrary code via the user.admincp.php, members.admincp.php, and group.admincp.php files.

Action-Not Available
Vendor-icmsdevn/a
Product-icmsn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-32280
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.47%
||
7 Day CHG~0.00%
Published-04 Apr, 2025 | 15:59
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Project Manager plugin < 2.6.25 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in weDevs WP Project Manager wedevs-project-manager allows Cross Site Request Forgery.This issue affects WP Project Manager: from n/a through < 2.6.25.

Action-Not Available
Vendor-weDevs Pte. Ltd.
Product-wp_project_managerWP Project Manager
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-18220
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.11% / 61.97%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 13:17
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sitemagic CMS 4.4.1 is affected by a Cross-Site-Request-Forgery (CSRF) issue as it doesn't implement any method to validate incoming requests, allowing the execution of critical functionalities via spoofed requests. This behavior could be abused by a remote unauthenticated attacker to trick Sitemagic users into performing unwarranted actions.

Action-Not Available
Vendor-sitemagicn/a
Product-sitemagicn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-43147
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.49% / 38.31%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 00:00
Updated-18 Sep, 2024 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHPJabbers Limo Booking Software 1.0 is vulnerable to Cross Site Request Forgery (CSRF) to add an admin user via the Add Users Function, aka an index.php?controller=pjAdminUsers&action=pjActionCreate URI.

Action-Not Available
Vendor-n/aPHPJabbers Ltd.
Product-limo_booking_softwaren/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-16550
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-0.64% / 46.19%
||
7 Day CHG~0.00%
Published-17 Dec, 2019 | 14:40
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker specified web server and parse XML documents.

Action-Not Available
Vendor-Jenkins
Product-mavenJenkins Maven Release Plugin
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-18271
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-0.64% / 46.06%
||
7 Day CHG~0.00%
Published-15 Jan, 2020 | 18:40
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site.

Action-Not Available
Vendor-osisoftn/a
Product-pi_visionOSIsoft PI Vision
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17237
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.74% / 50.08%
||
7 Day CHG~0.00%
Published-12 Nov, 2019 | 16:53
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows CSRF.

Action-Not Available
Vendor-getigniteupn/a
Product-igniteupn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-32354
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.28% / 19.68%
||
7 Day CHG+0.01%
Published-29 Apr, 2025 | 00:00
Updated-11 Jun, 2025 | 21:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Zimbra Collaboration (ZCS) 9.0 through 10.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.

Action-Not Available
Vendor-n/aSynacor, Inc.
Product-zimbra_collaboration_suiten/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-41684
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 10.09%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 06:52
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress SIS Handball Plugin <= 1.0.45 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Felix Welberg SIS Handball plugin <= 1.0.45 versions.

Action-Not Available
Vendor-felixwelbergFelix Welberg
Product-sis_handballSIS Handball
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-32310
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.21% / 11.61%
||
7 Day CHG~0.00%
Published-16 May, 2025 | 15:45
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress QuickCal plugin <= 1.0.15 - CSRF to Privilege Escalation vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in ThemeMove QuickCal - Appointment Booking Calendar for WordPress quickcal allows Privilege Escalation.This issue affects QuickCal - Appointment Booking Calendar for WordPress: from n/a through <= 1.0.15.

Action-Not Available
Vendor-ThemeMove
Product-QuickCal - Appointment Booking Calendar for WordPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-41129
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 21.16%
||
7 Day CHG~0.00%
Published-18 Nov, 2023 | 22:16
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Patreon WordPress Plugin <= 1.8.6 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Patreon Patreon WordPress.This issue affects Patreon WordPress: from n/a through 1.8.6.

Action-Not Available
Vendor-patreonPatreon
Product-patreon_wordpressPatreon WordPress
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-41858
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.72%
||
7 Day CHG~0.00%
Published-10 Oct, 2023 | 08:50
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Order Delivery Date for WP e-Commerce Plugin <= 1.2 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Ashok Rane Order Delivery Date for WP e-Commerce plugin <= 1.2 versions.

Action-Not Available
Vendor-tychesoftwaresAshok Rane
Product-order_delivery_date_for_woocommerceOrder Delivery Date for WP e-Commerce
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-41650
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.78%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 14:33
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Remove/hide Author, Date, Category Like Entry-Meta Plugin <= 2.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Remove/hide Author, Date, Category Like Entry-Meta plugin <= 2.1 versions.

Action-Not Available
Vendor-remove\/hide_author\,_date\,_category_like_entry-meta_projectVenugopal
Product-remove\/hide_author\,_date\,_category_like_entry-metaRemove/hide Author, Date, Category Like Entry-Meta
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-31690
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-8.8||HIGH
EPSS-0.21% / 11.25%
||
7 Day CHG+0.01%
Published-31 Mar, 2025 | 21:49
Updated-02 Sep, 2025 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cache Utility allows Cross Site Request Forgery.This issue affects Cache Utility: from 0.0.0 before 1.2.1.

Action-Not Available
Vendor-cache_utility_projectThe Drupal Association
Product-cache_utilityCache Utility
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-31677
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-8.8||HIGH
EPSS-0.21% / 11.25%
||
7 Day CHG+0.01%
Published-31 Mar, 2025 | 21:37
Updated-04 Jun, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003

Cross-Site Request Forgery (CSRF) vulnerability in Drupal AI (Artificial Intelligence) allows Cross Site Request Forgery.This issue affects AI (Artificial Intelligence): from 1.0.0 before 1.0.2.

Action-Not Available
Vendor-artificial_intelligence_projectThe Drupal Association
Product-artificial_intelligenceAI (Artificial Intelligence)
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17590
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.62% / 45.12%
||
7 Day CHG~0.00%
Published-26 Nov, 2019 | 17:34
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The csrf_callback function in the CSRF Magic library through 2016-03-27 is vulnerable to CSRF protection bypass as it allows one to tamper with the csrf token values. A remote attacker can exploit this by crafting a malicious page and dispersing it to a victim via social engineering, enticing them to click the link. Once the user/victim clicks the "try again" button, the attacker can take over the account and perform unintended actions on the victim's behalf. NOTE: A third-party maintainer has stated that this CVE is a false report. They state that the csrf_callback function is actually a callback function to the callers own handler for output. The function called can be changed via configuration to a custom callback to handle failed validation differently. They also stated that there is no way for an attacker to change tokens to make them valid from the client side. The only thing an attack can do is to pull the token out of the javascript, but that will always be possible and has nothing to do with the callback

Action-Not Available
Vendor-csrf_magic_projectn/a
Product-csrf_magicn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-41086
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8.8||HIGH
EPSS-0.24% / 14.49%
||
7 Day CHG~0.00%
Published-03 Oct, 2023 | 00:15
Updated-02 Aug, 2024 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site request forgery (CSRF) vulnerability exists in FURUNO SYSTEMS wireless LAN access point devices. If a user views a malicious page while logged in, unintended operations may be performed. Affected products and versions are as follows: ACERA 1210 firmware ver.02.36 and earlier, ACERA 1150i firmware ver.01.35 and earlier, ACERA 1150w firmware ver.01.35 and earlier, ACERA 1110 firmware ver.01.76 and earlier, ACERA 1020 firmware ver.01.86 and earlier, ACERA 1010 firmware ver.01.86 and earlier, ACERA 950 firmware ver.01.60 and earlier, ACERA 850F firmware ver.01.60 and earlier, ACERA 900 firmware ver.02.54 and earlier, ACERA 850M firmware ver.02.06 and earlier, ACERA 810 firmware ver.03.74 and earlier, and ACERA 800ST firmware ver.07.35 and earlier. They are affected when running in ST(Standalone) mode.

Action-Not Available
Vendor-furunosystemsFURUNO SYSTEMS Co.,Ltd.
Product-acera_900acera_1020_firmwareacera_950acera_1010acera_850f_firmwareacera_1150w_firmwareacera_850facera_1150wacera_810acera_1020acera_900_firmwareacera_800stacera_850macera_810_firmwareacera_1150i_firmwareacera_1150iacera_800st_firmwareacera_1210_firmwareacera_1110acera_1110_firmwareacera_1210acera_950_firmwareacera_1010_firmwareacera_850m_firmwareACERA 1010ACERA 1150wACERA 1150iACERA 900ACERA 850MACERA 1110ACERA 850FACERA 1020ACERA 810ACERA 950ACERA 800STACERA 1210
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2025-31828
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.34%
||
7 Day CHG~0.00%
Published-01 Apr, 2025 | 14:51
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy!Appointments plugin <= 1.4.2 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in alextselegidis Easy!Appointments easyappointments allows Cross Site Request Forgery.This issue affects Easy!Appointments: from n/a through <= 1.4.2.

Action-Not Available
Vendor-easyappointmentsalextselegidis
Product-easy\!appointmentsEasy!Appointments
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17653
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-8.8||HIGH
EPSS-0.56% / 42.65%
||
7 Day CHG~0.00%
Published-12 Mar, 2020 | 22:07
Updated-25 Oct, 2024 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-Site Request Forgery (CSRF) vulnerability in the user interface of Fortinet FortiSIEM 5.2.5 could allow a remote, unauthenticated attacker to perform arbitrary actions using an authenticated user's session by persuading the victim to follow a malicious link.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisiemFortinet FortiSIEM
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2019-17675
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.80% / 84.74%
||
7 Day CHG~0.00%
Published-17 Oct, 2019 | 12:03
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxn/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')
CVE-2025-31038
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-8.8||HIGH
EPSS-0.27% / 19.01%
||
7 Day CHG+0.02%
Published-09 Apr, 2025 | 16:10
Updated-28 Apr, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Essential Breadcrumbs plugin <= 1.1.1 - CSRF to Privilege Escalation vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Essential Marketer Essential Breadcrumbs essential-breadcrumbs allows Privilege Escalation.This issue affects Essential Breadcrumbs: from n/a through <= 1.1.1.

Action-Not Available
Vendor-Essential Marketer
Product-Essential Breadcrumbs
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 48
  • 49
  • Next
Details not found