CVE & Exploit Intelligence Database

Updated 5h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,274 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,555 researchers
8,801 results
CVE-2020-36886 8.8 HIGH 1 PoC Analysis EPSS 0.00
SpinetiX Fusion Digital Signage 3.4.8 - CSRF
SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that automatically submits a form to create a new admin user with full system privileges when a logged-in user visits the page.
CWE-352 Dec 10, 2025
CVE-2025-34430 4.3 MEDIUM EPSS 0.00
Fit2cloud 1panel < 2.0.15 - CSRF
1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a panel-name change request; if a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows a remote attacker to change the victim’s panel name to an arbitrary value without consent.
CWE-352 Dec 10, 2025
CVE-2025-34429 7.1 HIGH EPSS 0.00
Fit2cloud 1panel < 2.0.15 - CSRF
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a port-change request; when a victim visits it while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the port on which the 1Panel web service listens, causing loss of access on the original port and resulting in service disruption or denial of service, and may unintentionally expose the service on an attacker-chosen port.
CWE-352 Dec 10, 2025
CVE-2025-67639 3.5 LOW EPSS 0.00
Jenkins < 2.528.3 - CSRF
A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account.
CWE-352 Dec 10, 2025
CVE-2025-34410 7.1 HIGH EPSS 0.00
Fit2cloud 1panel < 2.0.15 - CSRF
1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.
CWE-352 Dec 10, 2025
CVE-2021-47730 8.8 HIGH 1 PoC Analysis EPSS 0.00
Selea Targa IP OCR-ANPR Camera - CSRF
Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user visits the page.
CWE-352 Dec 09, 2025
CVE-2021-47723 8.8 HIGH 1 PoC Analysis EPSS 0.00
STVS ProVision 5.9.10 - CSRF
STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forged request, allowing them to create new admin users.
CWE-352 Dec 09, 2025
CVE-2021-47702 4.3 MEDIUM 1 PoC Analysis EPSS 0.00
Openbmcs - CSRF
OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings.
CWE-352 Dec 09, 2025
CVE-2025-65573 8.8 HIGH EPSS 0.00
Allsky - CSRF
Cross Site Request Forgery (CSRF) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to cause a denial of service via function handle_interface_POST_and_status.
CWE-352 Dec 09, 2025
CVE-2025-13924 4.3 MEDIUM 1 Writeup EPSS 0.00
WooCommerce <1.6.17 - CSRF
The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17. This is due to missing or incorrect nonce validation on the 'maybe_duplicate' function. This makes it possible for unauthenticated attackers to duplicate and publish product field groups, including draft and pending field groups, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 Dec 09, 2025
CVE-2023-22675 4.3 MEDIUM EPSS 0.00
Taylor Hawkes WP Fast Cache - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Taylor Hawkes WP Fast Cache allows Cross Site Request Forgery. This issue affects WP Fast Cache: from n/a through 1.5.
CWE-352 Dec 09, 2025
CVE-2025-67598 4.3 MEDIUM EPSS 0.00
PSM Plugins SupportCandy <= 3.4.1 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery. This issue affects SupportCandy: from n/a through <= 3.4.1.
CWE-352 Dec 09, 2025
CVE-2025-67596 4.3 MEDIUM EPSS 0.00
Strategy11 Team Business Directory <6.4.19 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery. This issue affects Business Directory: from n/a through <= 6.4.19.
CWE-352 Dec 09, 2025
CVE-2025-67595 4.3 MEDIUM EPSS 0.00
Ays-pro Quiz Maker < 6.7.0.83 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Quiz Maker quiz-maker allows Cross Site Request Forgery. This issue affects Quiz Maker: from n/a through <= 6.7.0.82.
CWE-352 Dec 09, 2025
CVE-2025-67593 4.3 MEDIUM EPSS 0.00
Stiofan UsersWP <1.2.48 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.48.
CWE-352 Dec 09, 2025
CVE-2025-67591 4.3 MEDIUM EPSS 0.00
JNews Paywall < 12.0.1 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1.
CWE-352 Dec 09, 2025
CVE-2025-67590 4.3 MEDIUM EPSS 0.00
Rustaurius Ultimate FAQ <= 2.4.3 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Ultimate FAQ ultimate-faqs allows Cross Site Request Forgery. This issue affects Ultimate FAQ: from n/a through <= 2.4.3.
CWE-352 Dec 09, 2025
CVE-2025-67534 7.1 HIGH EPSS 0.00
Rencontre <4 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7.
CWE-352 Dec 09, 2025
CVE-2025-67473 8.8 HIGH EPSS 0.00
codeworkweb CWW Companion <= 1.3.2 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in codeworkweb CWW Companion cww-companion allows Cross Site Request Forgery. This issue affects CWW Companion: from n/a through <= 1.3.2.
CWE-352 Dec 09, 2025
CVE-2025-67472 8.8 HIGH EPSS 0.00
Vcita Online Booking & Scheduling Calendar < 4.6.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.
CWE-352 Dec 09, 2025