Csrf

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery (CVE-2026-6075) due to missing nonce verification, allowing unauthenticated attackers to trick an administrator into performing unauthorized bulk actions.

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), leading to arbitrary file deletion via SQL injection and PHP object injection due to missing nonce verification and unsafe deserialization, allowing attackers to delete arbitrary files on the server.

Multiple vulnerabilities in Joomla! versions before 5.4.6 and 6.x before 6.1.1 can allow attackers to perform privilege escalation, compromise data confidentiality, perform cross-site scripting (XSS), and conduct cross-site request forgery (CSRF) attacks.

A CSRF-OOB-Injection vulnerability exists in SolarEdge Monitoring Platform's `/solaredge-web/p/initClient` endpoint due to improper validation of session parameters, allowing attackers to manipulate headers to initiate requests to attacker-controlled domains, potentially leading to session compromise and unauthorized system control.

Multiple vulnerabilities in Symfony, including CVE-2026-45070, CVE-2026-45077, CVE-2026-45304, CVE-2026-45305, CVE-2026-45753, CVE-2026-45754, CVE-2026-45755, CVE-2026-45756, CVE-2026-46626, and CVE-2026-47212, can lead to remote denial of service, cross-site scripting (XSS), and cross-site request forgery (CSRF) attacks.

TextPattern CMS 4.9.0-dev is vulnerable to remote code execution (CVE-2021-47976), allowing authenticated attackers to upload arbitrary PHP files and achieve code execution by exploiting the plugin upload functionality.

Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) can allow an attacker to perform arbitrary code execution, compromise data confidentiality, perform server-side request forgery (SSRF), and other security breaches.

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss (CVE-2026-4094) due to a missing capability check, allowing authenticated attackers with Contributor-level access or higher to delete the multi-currency configuration.

DivvyDrive versions 4.8.2.9 through 4.8.3.2 are susceptible to cross-site request forgery (CSRF), allowing an attacker to execute unauthorized actions on behalf of an authenticated user.

The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.9.2, allowing unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with malicious code by tricking a site administrator into clicking a link.

OpenClaw before 2026.3.31 is vulnerable to cross-site request forgery (CSRF) attacks due to missing browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing attackers to perform unauthorized actions.

The Product Feed PRO for WooCommerce WordPress plugin (versions 13.4.6-13.5.2.1) is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing unauthenticated attackers to perform administrative actions by tricking an administrator into clicking a malicious link.

A cross-site request forgery (CSRF) vulnerability exists in the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin (versions n/a through 2.1.1), potentially allowing attackers to execute unauthorized actions on behalf of legitimate users.

CVE-2026-3857 describes a vulnerability in GitLab CE/EE versions 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, where an unauthenticated user can execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection, potentially leading to data modification or privilege escalation.

A vulnerability in FlightPHP core versions before 3.18.1 allows attackers to override HTTP methods via the `X-HTTP-Method-Override` header or `_method` parameter, leading to CSRF escalation, middleware bypass, and cache poisoning.

A critical Cross-Site Request Forgery (CSRF) vulnerability in the MISP Modules website allows an attacker to induce an authenticated user to submit unintended requests to the home endpoint, potentially modifying session query data.

The engramx HTTP server, enabled by default and binding to 127.0.0.1:7337, is vulnerable to CSRF and prompt injection attacks, allowing a malicious website to exfiltrate the local knowledge graph and inject persistent prompt-injection payloads.