Explore CVEs related to CSRF vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
The list includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing CSRF CVEs published in 2021.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2021-20165 | Trendnet AC2600 TEW-827DRU version 2.08B01 does not properly implement csrf protections. Most pages lack proper usage of CSRF protections or mitigations. Additionally, pages that do make use of CSRF tokens are trivially bypassable as the server does not appear to validate them properly (i.e. re-using an old token or finding the token thru some other method is possible). | 8.8 | 0.10% | 2021-12-30 | 2024-11-21 |
| CVE-2020-29292 | iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses. | 6.5 | 0.05% | 2021-12-30 | 2024-11-21 |
| CVE-2020-21236 | A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie. | 8.8 | 0.14% | 2021-12-27 | 2024-11-21 |
| CVE-2020-20945 | A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts. | 8.8 | 0.15% | 2021-12-27 | 2024-11-21 |
| CVE-2020-20943 | A Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&step=post of Qibosoft v7 allows attackers to force victim users into arbitrarily publishing new articles via a crafted URL. | 4.3 | 0.05% | 2021-12-27 | 2024-11-21 |
| CVE-2021-24988 | The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter. | 5.4 | 0.17% | 2021-12-27 | 2024-11-21 |
| CVE-2021-4168 | showdoc is vulnerable to Cross-Site Request Forgery (CSRF) | 8.8 | 0.10% | 2021-12-26 | 2024-11-21 |
| CVE-2021-4162 | archivy is vulnerable to Cross-Site Request Forgery (CSRF) | 4.3 | 0.06% | 2021-12-25 | 2024-11-21 |
| CVE-2020-20595 | A cross-site request forgery (CSRF) in OPMS v1.3 and below allows attackers to arbitrarily add a user account via /user/add. | 6.5 | 0.05% | 2021-12-22 | 2024-11-21 |
| CVE-2020-20593 | A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account. | 8.0 | 0.15% | 2021-12-22 | 2024-11-21 |
| CVE-2021-36886 | Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact Form 7 Database Addon – CFDB7 WordPress plugin (versions <= 1.2.5.9). | 6.5 | 0.11% | 2021-12-22 | 2024-11-21 |
| CVE-2021-43158 | In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart. | 4.3 | 0.09% | 2021-12-22 | 2025-10-29 |
| CVE-2021-43156 | In ProjectWorlds Online Book Store PHP 1.0 a CSRF vulnerability in admin_delete.php allows a remote attacker to delete any book. | 6.5 | 0.08% | 2021-12-22 | 2024-11-21 |
| CVE-2021-24981 | The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory. | 7.5 | 0.22% | 2021-12-21 | 2024-11-21 |
| CVE-2021-43846 | `solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side e | 5.3 | 0.07% | 2021-12-20 | 2024-11-21 |
| CVE-2021-36887 | Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) discovered in tarteaucitron.js – Cookies legislation & GDPR WordPress plugin (versions <= 1.5.4), vulnerable parameters "tarteaucitronEmail" and "tarteaucitronPass". | 6.1 | 0.10% | 2021-12-20 | 2024-11-21 |
| CVE-2021-4131 | livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) | 8.8 | 0.14% | 2021-12-18 | 2024-11-21 |
| CVE-2021-4130 | snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) | 8.8 | 0.15% | 2021-12-18 | 2024-11-21 |
| CVE-2021-26800 | Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary account. | 6.5 | 0.05% | 2021-12-16 | 2024-11-21 |
| CVE-2021-41260 | Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 do not check for Cross Site Request Forgery attacks. All users are advised to upgrade to 0.9.6 as soon as possible. There are no known workarounds for this issue. | 8.2 | 0.15% | 2021-12-16 | 2024-11-21 |