Total
8611 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67013 | 1 Etlsystems | 54 C0401d1uia-22476, C0401d1uia-22476 Firmware, C0401d1ula-22419 and 51 more | 2026-01-02 | 6.5 Medium |
| The web management interface in ETL Systems Ltd DEXTRA Series ' Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints. | ||||
| CVE-2022-50804 | 2026-01-02 | 6.5 Medium | ||
| JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to cross-site request forgery (CSRF) attacks, allowing attackers to perform administrative actions on behalf of authenticated users without their knowledge or consent. | ||||
| CVE-2021-40965 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 8.8 High |
| A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker. | ||||
| CVE-2022-23044 | 1 Prasathmani | 1 Tiny File Manager | 2025-12-31 | 8.8 High |
| Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. | ||||
| CVE-2025-57310 | 1 Salmen | 1 Simple Faucet Script | 2025-12-31 | 8.8 High |
| A Cross-Site Request Forgery (CSRF) vulnerability in Salmen2/Simple-Faucet-Script v1.07 via crafted POST request to admin.php?p=ads&c=1 allowing attackers to execute arbitrary code. | ||||
| CVE-2020-36901 | 1 Medivision | 3 Digital Signage, Medivision Digital Signage, Medivision Digital Signage Firmware | 2025-12-30 | 8.8 High |
| UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that submits a form to the /query/user/itSet endpoint to add a new admin user with elevated privileges. | ||||
| CVE-2019-25242 | 1 Iwt | 2 Facesentry Access Control System, Facesentry Access Control System Firmware | 2025-12-30 | 4.3 Medium |
| FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage. | ||||
| CVE-2025-59949 | 1 Freshrss | 1 Freshrss | 2025-12-30 | 5.3 Medium |
| FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue. | ||||
| CVE-2023-44475 | 1 Add Shortcodes Actions And Filters Project | 1 Add Shortcodes Actions And Filters | 2025-12-30 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Michael Simpson Add Shortcodes Actions And Filters plugin <= 2.0.9 versions. | ||||
| CVE-2025-63952 | 1 Magewell | 27 Convert, Pro Convert 12g Sdi 4k Plus, Pro Convert 12g Sdi 4k Plus Firmware and 24 more | 2025-12-30 | 5.7 Medium |
| A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | ||||
| CVE-2025-63953 | 1 Magewell | 11 Convert, Ultra Encode Aio, Ultra Encode Aio Firmware and 8 more | 2025-12-30 | 6.5 Medium |
| A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | ||||
| CVE-2025-56400 | 3 Apple, Google, Tuya | 6 Ios, Android, Smart and 3 more | 2025-12-30 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. | ||||
| CVE-2025-60739 | 1 Ilevia | 2 Eve X1 Server, Eve X1 Server Firmware | 2025-12-30 | 9.6 Critical |
| Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component | ||||
| CVE-2025-68580 | 2 Pluginsware, Wordpress | 2 Advanced Classifieds & Directory Pro, Wordpress | 2025-12-29 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery.This issue affects Advanced Classifieds & Directory Pro: from n/a through <= 3.2.9. | ||||
| CVE-2018-25150 | 1 Ecessa | 2 Shieldlink Sl175ehq, Shieldlink Sl175ehq Firmware | 2025-12-29 | 5.3 Medium |
| Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a superuser account by tricking a logged-in administrator into loading the page. | ||||
| CVE-2018-25133 | 1 Synaccess | 1 Netbooter Np-0801du | 2025-12-29 | 4.3 Medium |
| Synaccess netBooter NP-0801DU 7.4 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages with hidden form submissions to add admin users by tricking authenticated administrators into loading a malicious page. | ||||
| CVE-2019-25254 | 1 Kyocera | 1 Net Admin | 2025-12-29 | 5.3 Medium |
| KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page. | ||||
| CVE-2019-25252 | 1 Teradek | 1 Vidiu | 2025-12-29 | 5.3 Medium |
| Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page. | ||||
| CVE-2025-68529 | 2 Rhys Wynne, Wordpress | 2 Wp Email Capture, Wordpress | 2025-12-29 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery.This issue affects WP Email Capture: from n/a through <= 3.12.5. | ||||
| CVE-2025-68583 | 1 Wordpress | 1 Wordpress | 2025-12-29 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery.This issue affects Fast User Switching: from n/a through <= 1.4.10. | ||||