CWE-352

Exploit likelihood: Medium

Cross-Site Request Forgery (CSRF)

Parent: CWE-345 - Insufficient Verification of Data Authenticity

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

9,302 vulnerabilities with CWE-352
CVE-2026-9486 MEDIUM
SourceCodester Student Grades Management System cross-site request forgery
CVSS 4.3
CVE-2026-9303 MEDIUM
calcom cal.diy cross-site request forgery
CVSS 4.3
CVE-2026-41074 HIGH
bestpractical - RT Has Broken CSRF Protection for Authenticated Users
CVSS 7.1
CVE-2026-40864 MEDIUM
JupyterHub: Cross-origin form POSTs bypass XSRF
CVSS 5.4
CVE-2026-8340 MEDIUM
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion
CVSS 4.3
CVE-2026-7615 MEDIUM
Widget Context <= 1.3.3 - Cross-Site Request Forgery to Settings Update via 'wl' Parameter
CVSS 4.3
CVE-2026-4070 MEDIUM
Alfie <= 1.2.1 - Cross-Site Request Forgery to Feed Deletion via 'delete' Parameter
CVSS 4.3
CVE-2026-8435 MEDIUM
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion()
CVSS 6.5
CVE-2026-8434 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple()
CVSS 8.8
CVE-2026-8433 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan()
CVSS 8.8
CVE-2026-8432 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star()
CVSS 8.8
CVE-2026-8427 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id)
CVSS 8.8
CVE-2026-8416 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)
CVSS 8.8
CVE-2026-8415 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder
CVSS 8.8
CVE-2026-8414 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate
CVSS 8.8
CVE-2026-8413 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design
CVSS 8.8
CVE-2026-8412 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache
CVSS 8.8
CVE-2026-8411 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete
CVSS 8.8
CVE-2026-8410 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete
CVSS 8.8
CVE-2026-8409 HIGH
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete
CVSS 8.8
CVE-2026-7882 MEDIUM
Concrete CMS 9.5.0 and below is vulnerable to CSRF via the DeleteFile controller
CVSS 4.3
CVE-2026-8428 HIGH
CSRF token is not validated in the core CMS update controller for Concrete CMS 9.5.0 and below
CVSS 8.8
CVE-2026-8426 HIGH
Concrete CMS 9.5.0 and below is vulnerable to CSRF on prepare_remote_upgrade() leading to one-request RCE via package overwrite
CVSS 8.8
CVE-2026-8421 HIGH
Concrete CMS <= 9.5.0 - Admin Cross-Site Request Forgery Code Execution
CVSS 8.8
CVE-2026-8417 HIGH
Concrete CMS 9.5.0 and below is vulnerable to CSRF in do_update() in the package update controller
CVSS 8.8