CVE-2025-23922 — CVSS 10.0 (critical): Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a Web Server.This…
CVE-2017-5145 — CVSS 10.0 (critical): An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful…
CVE-2019-25729 — CVSS 9.8 (critical): PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by…
CVE-2025-48340 — CVSS 9.8 (critical): Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows Privilege Escalation.This…
CVE-2025-2907 — CVSS 9.8 (critical): The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it…
CVE-2025-31033 — CVSS 9.8 (critical): Cross-Site Request Forgery (CSRF) vulnerability in Adam Nowak Buddypress Humanity buddypress-humanity allows Cross Site Request…
CVE-2024-56012 — CVSS 9.8 (critical): Cross-Site Request Forgery (CSRF) vulnerability in lizeipe Flash News / Post (Responsive) flashnews-fading-effect-pearlbells allows…
CVE-2024-34502 — CVSS 9.8 (critical): An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading…
CVE-2024-33449 — CVSS 9.8 (critical): An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST…
CVE-2024-29684 — CVSS 9.8 (critical): DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /src/dede/makehtml_homepage.php allowing a…
CVE-2023-4659 — CVSS 9.8 (critical): Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different actions on the platform as an…
CVE-2022-20861 — CVSS 9.8 (critical): Multiple vulnerabilities in Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to execute arbitrary commands, read or…
CVE-2022-1574 — CVSS 9.8 (critical): The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as…
CVE-2022-1020 — CVSS 9.8 (critical): The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the…
CVE-2021-25032 — CVSS 9.8 (critical): The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have…
CVE-2021-32122 — CVSS 9.8 (critical): Certain NETGEAR devices are affected by CSRF. This affects EX3700 before 1.0.0.90, EX3800 before 1.0.0.90, EX6120 before 1.0.0.64, and…
CVE-2020-23426 — CVSS 9.8 (critical): zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify…
CVE-2020-35950 — CVSS 9.8 (critical): An issue was discovered in the XCloner Backup and Restore plugin before 4.2.153 for WordPress. It allows CSRF (via almost any endpoint).
CVE-2019-17600 — CVSS 9.8 (critical): Intelbras IWR 1000N 1.6.4 devices allow disclosure of the administrator login name and password because v1/system/user is mishandled.
CVE-2019-17495 — CVSS 9.8 (critical): A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite…
CVE-2019-14551 — CVSS 9.8 (critical): Das Q before 2019-08-02 allows web sites to execute arbitrary code on client machines, as demonstrated by a cross-origin /install request…
CVE-2018-18934 — CVSS 9.8 (critical): An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by…
CVE-2017-16780 — CVSS 9.8 (critical): The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.
CVE-2017-6080 — CVSS 9.8 (critical): An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism…
CVE-2017-5959 — CVSS 9.8 (critical): CSRF token bypass in GeniXCMS before 1.0.2 could result in escalation of privileges. The forgotpassword.php page can be used to acquire a…
CVE-2016-9866 — CVSS 9.8 (critical): An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly…
CVE-2026-55742 — CVSS 9.6 (critical): Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In…
CVE-2026-46786 — CVSS 9.6 (critical): Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that…
CVE-2026-40471 — CVSS 9.6 (critical): hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to…
CVE-2026-39620 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This…
CVE-2026-39619 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Busiprof busiprof allows Upload a Web Shell to a Web Server.This issue…
CVE-2026-39617 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue…
CVE-2026-28495 — CVSS 9.6 (critical): GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated…
CVE-2025-52835 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator wing-migrator allows Upload a Web Shell to a Web…
CVE-2025-11022 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. This CSRF vulnerability…
CVE-2024-45538 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and…
CVE-2025-60156 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web…
CVE-2025-58255 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Images custom-post-types-image allows Code Injection.This…
CVE-2025-58997 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow mow allows Code Injection.This issue affects Mow: from n/a through <= 4.10.
CVE-2025-49381 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in ads.txt Guru ads.txt Guru Connect adstxt-guru-connect allows Cross Site Request…
CVE-2025-54010 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets easy-code-manager allows Cross Site Request Forgery.This…
CVE-2025-53095 — CVSS 9.6 (critical): Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against…
CVE-2025-30967 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard allows Upload a Web Shell to a Web Server. This issue affects…
CVE-2025-32641 — CVSS 9.6 (critical): Cross-Site Request Forgery (CSRF) vulnerability in anantaddons Anant Addons for Elementor anant-addons-for-elementor allows Cross Site…