Explore CVEs related to CSRF vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing CSRF CVEs published in 2009. View full CVE list
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2009-4517 | Cross-site request forgery (CSRF) vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that access unpublished content. | 6.8 | 0.11% | 2009-12-31 | 2026-04-23 |
| CVE-2009-1797 | Multiple cross-site request forgery (CSRF) vulnerabilities on the Network Management Card (NMC) on American Power Conversion (APC) Switched Rack PDU (aka Rack Mount Power Distribution) devices and other devices allow remote attackers to hijack the authentication of (1) administrator or (2) device users for requests that create new administrative users or have unspecified other impact. | 6.8 | 0.21% | 2009-12-28 | 2026-04-23 |
| CVE-2009-4407 | Multiple cross-site request forgery (CSRF) vulnerabilities in PyForum 1.0.3 and possibly earlier versions, and possibly zForum, allow remote attackers to hijack the authentication of victims for requests that change passwords, and other unspecified requests, via unknown vectors. | 6.8 | 0.14% | 2009-12-23 | 2026-04-23 |
| CVE-2009-3580 | Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger 2.8.24 allows remote attackers to hijack the authentication of arbitrary users for requests that change a password via the login, new_password, and confirm_password parameters in a preferences action. | 6.8 | 0.13% | 2009-12-23 | 2026-04-23 |
| CVE-2009-4385 | Multiple cross-site request forgery (CSRF) vulnerabilities in Scriptsez.net Ez Poll Hoster (EPH) allow remote attackers to (1) hijack the authentication of arbitrary users for requests that delete polls via the delete_poll action to index.php; and hijack the authentication of administrators for requests that (2) delete users via the manage action to admin.php, or (3) send arbitrary email to arbitrary users in the email action to admin.php. | 6.8 | 0.12% | 2009-12-22 | 2026-04-23 |
| CVE-2009-4365 | Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ScriptsEz Ez Blog 1.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add a blog via the add_blog action, (2) approve a comment via the approve_comment action, (3) change administrator information including the password via the admin_opt action, and (4) delete a blog via the delete action. | 4.3 | 0.15% | 2009-12-21 | 2026-04-23 |
| CVE-2009-4349 | Cross-site request forgery (CSRF) vulnerability in administration/administrators.php in Link Up Gold 5.0 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts. | 6.8 | 1.90% | 2009-12-17 | 2026-04-23 |
| CVE-2009-4297 | Multiple cross-site request forgery (CSRF) vulnerabilities in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 | 0.40% | 2009-12-16 | 2026-04-23 |
| CVE-2009-4173 | Cross-site request forgery (CSRF) vulnerability in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote attackers to hijack the authentication of administrators for requests that create new users, including a new administrator, via an adduser action in the editusers module in index.php. | 6.8 | 0.47% | 2009-12-02 | 2026-04-23 |
| CVE-2009-4121 | Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CMS 2.4 and Quick.CMS.Lite 2.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete web pages via a p-delete action to admin.php, and possibly (2) delete products or (3) delete orders via unspecified vectors. NOTE: some of these details are obtained from third party information. | 6.8 | 0.19% | 2009-12-01 | 2026-04-23 |
| CVE-2009-4120 | Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Cart 3.4 allow remote attackers to hijack the authentication of the administrator for requests that (1) delete orders via an orders-delete action to admin.php, and possibly (2) delete products or (3) delete pages via unspecified vectors. | 6.8 | 0.10% | 2009-12-01 | 2026-04-23 |
| CVE-2009-4092 | Cross-site request forgery (CSRF) vulnerability in user.php in Simplog 0.9.3.2, and possibly earlier, allows remote attackers to hijack the authentication of administrators and users for requests that change passwords. | 6.8 | 0.37% | 2009-11-29 | 2026-04-23 |
| CVE-2009-4079 | Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and earlier allows remote attackers to hijack the authentication of users for requests that delete a ticket via unspecified vectors. | 6.8 | 0.27% | 2009-11-25 | 2026-04-23 |
| CVE-2009-4077 | Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076. | 6.8 | 0.21% | 2009-11-25 | 2026-04-23 |
| CVE-2009-4076 | Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077. | 6.8 | 0.21% | 2009-11-25 | 2026-04-23 |
| CVE-2009-4066 | Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-1.2 and 6 before 6.x-1.1 for Drupal allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) subscribing or (2) unsubscribing to mailing lists. | 6.8 | 0.20% | 2009-11-24 | 2026-04-23 |
| CVE-2009-2746 | Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 6.8 | 0.15% | 2009-11-16 | 2026-04-23 |
| CVE-2009-2816 | The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page. | 6.8 | 2.15% | 2009-11-13 | 2026-04-23 |
| CVE-2009-3922 | Multiple cross-site request forgery (CSRF) vulnerabilities in the User Protect module 5.x before 5.x-1.4 and 6.x before 6.x-1.3, a module for Drupal, allow remote attackers to hijack the authentication of administrators for requests that (1) delete the editing protection of a user or (2) delete a certain type of administrative-bypass rule. | 6.8 | 0.14% | 2009-11-09 | 2026-04-23 |
| CVE-2009-3633 | Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm. | 4.3 | 0.38% | 2009-11-02 | 2026-04-23 |