CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,283 with exploits | 4,731 exploited in wild | 1,542 CISA KEV | 3,930 Nuclei templates | 37,826 vendors | 42,577 researchers

8,801 results
CVE-2025-5521 4.3 MEDIUM EPSS 0.00
WuKongOpenSource WukongCRM 9.0 - CSRF
A vulnerability was found in WuKongOpenSource WukongCRM 9.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /system/user/updataPassword. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CWE-862 Jun 03, 2025
CVE-2025-49069 4.3 MEDIUM EPSS 0.00
Cimatti Consulting Contact Forms <2.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Cross Site Request Forgery. This issue affects Contact Forms by Cimatti: from n/a through 1.9.8.
CWE-352 Jun 02, 2025
CVE-2025-5410 4.3 MEDIUM 2 Writeups EPSS 0.00
Mist < 4.7.2 - Missing Authorization
A vulnerability was found in Mist Community Edition up to 4.7.1. It has been declared as problematic. This vulnerability affects the function session_start_response of the file src/mist/api/auth/middleware.py. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.7.2 is able to address this issue. The patch is identified as db10ecb62ac832c1ed4924556d167efb9bc07fad. It is recommended to upgrade the affected component.
CWE-862 Jun 01, 2025
CVE-2025-48885 1 Writeup EPSS 0.00
XWiki <1.2.4 - Info Disclosure
application-urlshortener creates shortened URLs for XWiki pages. Versions prior to 1.2.4 are vulnerable to users with view access being able to create arbitrary pages. Any user (even guests) can create these docs, even if they don't exist already. This can enable guest users to denature the structure of wiki pages by creating thousands of pages with random names, which then become very difficult for admins to handle. Version 1.2.4 fixes the issue. No known workarounds are available.
CWE-352 May 30, 2025
CVE-2025-5142 6.5 MEDIUM EPSS 0.00
Pluginsandsnippets Simple Page Access Restriction < 1.0.32 - CSRF
The Simple Page Access Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.31. This is due to missing nonce validation and capability checks in the settings save handler in the settings.php script. This makes it possible for unauthenticated attackers to (1) enable or disable access protection on all post types or taxonomies, (2) force every new page/post to be public or private, regardless of meta-box settings, (3) cause a silent wipe of all plugin data when it's later removed, or (4) conduct URL redirection attacks via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 May 30, 2025
CVE-2025-48483 5.4 MEDIUM EPSS 0.00
FreeScout <1.8.180 - XSS
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data during mail signature sanitization. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Additionally, if an administrator accesses one of these emails with a modified signature, it could result in a subsequent Cross-Site Request Forgery (CSRF) vulnerability. This issue has been patched in version 1.8.180.
CWE-352 May 30, 2025
CVE-2024-12224 8.8 HIGH EPSS 0.00
Servo Idna < 1.0.0 - CSRF
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
CWE-352 May 30, 2025
CVE-2025-26211 3.7 LOW 1 Writeup EPSS 0.00
Gibbon < 29.0.00 - CSRF
Gibbon before 29.0.00 allows CSRF.
CWE-352 May 27, 2025
CVE-2025-5185 4.3 MEDIUM EPSS 0.00
Summer Pearl Group Vacation Rental Management Platform <1.0.1 - CSRF
A vulnerability was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
CWE-862 May 26, 2025
CVE-2025-5132 4.3 MEDIUM EPSS 0.00
Project Team Tmall Demo < 2025-05-05 - Missing Authorization
A vulnerability was found in Tmall Demo up to 20250505. It has been rated as problematic. This issue affects some unknown processing of the file tmall/admin/account/logout. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
CWE-862 May 24, 2025
CVE-2025-48740 EPSS 0.00
StrangeBee TheHive <5.2.16-5.4.10-5.5.1 - CSRF
A Cross-Site Request Forgery (CSRF) vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows a remote attacker to trigger requests on their victim's behalf, if the attacker lures a privileged user, authenticated with basic authentication.
CWE-352 May 23, 2025
CVE-2025-46458 8.2 HIGH EPSS 0.00
x000x occupancyplan <1.0.3.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan allows SQL Injection. This issue affects occupancyplan: from n/a through 1.0.3.0.
CWE-352 May 23, 2025
CVE-2025-5033 4.3 MEDIUM 1 PoC EPSS 0.00
TeaCMS 2.0.2 - CSRF
A vulnerability classified as problematic was found in XiaoBingby TeaCMS 2.0.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/me/teacms/controller/admin/UserManageController/addUser. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CWE-862 May 21, 2025
CVE-2025-48340 9.8 CRITICAL EPSS 0.00
User Profile Meta Manager <1.02 - CSRF/Privilege Escalation
Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager allows Privilege Escalation. This issue affects User Profile Meta Manager: from n/a through 1.02.
CWE-352 May 19, 2025
CVE-2025-43840 7.1 HIGH EPSS 0.00
Ref CheckBot <1.05 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Ref CheckBot allows Stored XSS. This issue affects CheckBot: from n/a through 1.05.
CWE-352 May 19, 2025
CVE-2025-43835 4.3 MEDIUM EPSS 0.00
ktsvetkov - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in ktsvetkov allows Cross Site Request Forgery. This issue affects wp-cyr-cho: from n/a through 0.1.
CWE-352 May 19, 2025
CVE-2025-47583 5.4 MEDIUM EPSS 0.00
Salon booking system <= 10.16 - CSRF
Unauthenticated Cross Site Request Forgery (CSRF) in Salon booking system <= 10.16 versions.
CWE-352 May 19, 2025
CVE-2025-39375 4.3 MEDIUM EPSS 0.00
Ashok G Easy Child Theme Creator - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Ashok G Easy Child Theme Creator allows Cross Site Request Forgery. This issue affects Easy Child Theme Creator: from n/a through 1.3.1.
CWE-352 May 19, 2025
CVE-2025-39374 7.1 HIGH EPSS 0.00
aseem1234 Best Posts Summary <1.0 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in aseem1234 Best Posts Summary allows Stored XSS. This issue affects Best Posts Summary: from n/a through 1.0.
CWE-352 May 19, 2025
CVE-2025-39371 4.3 MEDIUM EPSS 0.00
Sanjeev Mohindra Author Box Plugin <1.3.5 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Sanjeev Mohindra Author Box Plugin With Different Description allows Cross Site Request Forgery. This issue affects Author Box Plugin With Different Description: from n/a through 1.3.5.
CWE-352 May 19, 2025