Export limit exceeded: 366291 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 12214 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 10340 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (10340 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2008-6449 1 Centurysys 9 Xr-1100, Xr-410, Xr-410-l2 and 6 more 2026-04-23 N/A
Cross-site request forgery (CSRF) vulnerability in multiple Century Systems routers including XR-410 before 1.6.9, XR-510 before 3.5.3, XR-440 before 1.7.8, and other XR series routers from XR-510 to XR-730 allows remote attackers to modify configuration as the administrator via unknown vectors.
CVE-2008-6478 1 Parallels 1 Virtuozzo Containers 2026-04-23 N/A
Cross-site request forgery (CSRF) vulnerability in the file manager in the VZPP web interface for Parallels Virtuozzo 365.6.swsoft (build 4.0.0-365.6.swsoft) and 25.4.swsoft (build 3.0.0-25.4.swsoft) allows remote attackers to create and delete arbitrary files as the administrator via a link or IMG tag to (1) create-file and (2) list-control in vz/cp/vzdir/infrman/envs/files/; or modify system configuration via the path parameter to vz/cp/vzdir/infrman/envs/files/index.
CVE-2008-6479 1 Parallels 1 Parallels Virtuozzo 2026-04-23 N/A
Cross-site request forgery (CSRF) vulnerability in the "change password" feature in the VZPP web interface for Parallels Virtuozzo 25.4.swsoft (build 3.0.0-25.4.swsoft) allows remote attackers to modify the password via a link or IMG tag to vz/cp/pwd.
CVE-2008-6480 1 Softnews Media Group 1 Datalife Engine 2026-04-23 N/A
Cross-site request forgery (CSRF) vulnerability in engine/modules/imagepreview.php in Datalife Engine 6.7 allows remote attackers to hijack the authentication of arbitrary users for requests that use a modified image parameter.
CVE-2008-6498 1 Apachefriends 1 Xampp 2026-04-23 N/A
Cross-site request forgery (CSRF) vulnerability in security/xamppsecurity.php in XAMPP 1.6.8 allows remote attackers to hijack the authentication of users for requests that change a certain .htaccess password via the xampppasswd parameter.
CVE-2008-7082 1 Mybb 1 Mybb 2026-04-23 N/A
MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header.
CVE-2025-9631 1 Wordpress 1 Wordpress 2026-04-22 4.3 Medium
The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatset_ajax function. This makes it possible for unauthenticated attackers to trigger automatic recategorization of posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-10311 1 Wordpress 1 Wordpress 2026-04-22 4.3 Medium
The Comment Info Detector plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing nonce validation on the options.php file when handling form submissions. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-12072 1 Wordpress 1 Wordpress 2026-04-22 4.3 Medium
The Disable Content Editor For Specific Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing nonce validation on template configuration updates. This makes it possible for unauthenticated attackers to add or delete template configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
CVE-2025-43500 1 Apple 5 Ios, Ipados, Iphone Os and 2 more 2026-04-22 7.5 High
A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. An app may be able to access sensitive user data.
CVE-2025-43469 1 Apple 3 Macos, Macos Sequoia, Macos Sonoma 2026-04-22 5.5 Medium
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access sensitive user data.
CVE-2024-32537 2 Joshuae1974, Wordpress 2 Flash Video Player, Wordpress 2026-04-22 7.1 High
Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery.This issue affects Flash Video Player: from n/a through 5.0.4.
CVE-2025-14037 2 Invelity, Wordpress 2 Invelity Product Feeds, Wordpress 2026-04-22 8.1 High
The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link.
CVE-2026-4068 2 Pattihis, Wordpress 2 Add Custom Fields To Media, Wordpress 2026-04-22 4.3 Medium
The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field deletion functionality in the admin display template. The plugin properly validates a nonce for the 'add field' operation (line 24-36), but the 'delete field' operation (lines 38-49) processes the $_GET['delete'] parameter and calls update_option() without any nonce verification. This makes it possible for unauthenticated attackers to delete arbitrary custom media fields via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1378 2 Suifengtec, Wordpress 2 Wp Posts Re-order, Wordpress 2026-04-22 4.3 Medium
The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `cpt_plugin_options()` function. This makes it possible for unauthenticated attackers to update the plugin settings including capability, autosort, and adminsort settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1503 2 Frankkoenen, Wordpress 2 Plugin Name: Login Register, Wordpress 2026-04-22 4.3 Medium
The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login_register_login_post' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
CVE-2026-1390 2 Haghs, Wordpress 2 Redirect Countdown, Wordpress 2026-04-22 4.3 Medium
The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `countdown_settings_content()` function. This makes it possible for unauthenticated attackers to update the plugin settings including the countdown timeout, redirect URL, and custom text, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1392 2 Superrishi, Wordpress 2 Sr Wp Minify Html, Wordpress 2026-04-22 4.3 Medium
The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the sr_minify_html_theme() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1393 2 Omarnas, Wordpress 2 Add Google Social Profiles To Knowledge Graph Box, Wordpress 2026-04-22 4.3 Medium
The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Knowledge Graph settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-12070 1 Wordpress 1 Wordpress 2026-04-22 4.3 Medium
The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.