CWE-352: Cross-Site Request Forgery (CSRF)

Exploit likelihood: Medium

Parent: CWE-345 - Insufficient Verification of Data Authenticity

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

9,119 vulnerabilities with CWE-352
CVE-2026-3140 (MEDIUM, CVSS 4.3) - Ultimate Dashboard <= 3.8.14 - Cross-Site Request Forgery to Module Activation/Deactivation
CVE-2026-3772 (HIGH, CVSS 8.8) - WP Editor <= 1.2.9.2 - Cross-Site Request Forgery to Remote Code Execution via Plugin and Theme File Editor
CVE-2026-42645 (MEDIUM, CVSS 4.3) - WordPress Barcode Scanner with Inventory & Order Manager plugin <= 1.11.0 - Cross Site Request Forgery (CSRF) vulnerability
CVE-2026-38934 (HIGH, CVSS 8.8) - diskoverdata diskover-community <= 2.3.5 - CSRF
CVE-2026-7108 (MEDIUM, CVSS 4.3) - code-projects Invoice System in Laravel cross-site request forgery
CVE-2026-41425 (MEDIUM, CVSS 5.4) - Authlib: Cross-site request forgery when using cache
CVE-2026-3565 (MEDIUM, CVSS 4.3) - Taqnix <= 1.0.3 - Cross-Site Request Forgery to Account Deletion via 'taqnix_delete_my_account' AJAX Action
CVE-2026-41317 (MEDIUM, CVSS not listed) - Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation
CVE-2026-27841 (HIGH, CVSS 8.1) - SenseLive X3050 Cross-Site Request Forgery
CVE-2026-41347 (HIGH, CVSS 7.1) - OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints
CVE-2026-40471 (CRITICAL, CVSS 9.6) - Hackage CSRF vulnerability
CVE-2026-4922 (HIGH, CVSS 8.1) - Cross-Site Request Forgery (CSRF) in GitLab
CVE-2026-6396 (MEDIUM, CVSS 4.3) - Fast & Fancy Filter – 3F <= 1.2.2 - Cross-Site Request Forgery to Settings Modification via fff_save_settins AJAX Action
CVE-2026-6294 (MEDIUM, CVSS 4.3) - Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page
CVE-2026-4140 (MEDIUM, CVSS 4.3) - Ni WooCommerce Order Export <= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action
CVE-2026-4139 (MEDIUM, CVSS 4.3) - mCatFilter <= 0.5.2 - Cross-Site Request Forgery via compute_post() Function
CVE-2026-4138 (MEDIUM, CVSS 4.3) - DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update
CVE-2026-4133 (MEDIUM, CVSS 4.3) - TextP2P Texting Widget <= 1.7 - Cross-Site Request Forgery to Settings Update
CVE-2026-4131 (MEDIUM, CVSS 6.1) - WP Responsive Popup + Optin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpo_image_url' Parameter
CVE-2026-4121 (MEDIUM, CVSS 4.3) - Kcaptcha <= 1.0.1 - Cross-Site Request Forgery to Settings Update
CVE-2026-4118 (MEDIUM, CVSS 4.3) - Call To Action Plugin <= 3.1.3 - Cross-Site Request Forgery via Settings Update
CVE-2026-4090 (MEDIUM, CVSS 6.1) - Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form
CVE-2026-40929 (MEDIUM, CVSS 5.4) - WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
CVE-2026-40928 (MEDIUM, CVSS 5.4) - AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
CVE-2026-40926 (HIGH, CVSS 7.1) - WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)