By weakness (CWE)
CWE-352: related vulnerabilities
CVEs classified under CWE-352. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
9 published vulnerabilities
- CVE-2026-43985HIGH 8.8
Tautulli, a Python-based tool that monitors and manages Plex Media Server, contains a critical flaw in how it handles administrator settings changes. In versions before 2.17.1, an attacker can trick a logged-in administrator into visiting a malicious webpage, which silently changes the Tautulli admin username and password without the administrator's knowledge or consent. Once the credentials are changed, the attacker can log in directly and gain complete control of the Tautulli interface. This is a straightforward but dangerous type of attack that exploits the trust between a user's browser and the Tautulli server.
- CVE-2026-35266HIGH 7.9
Oracle REST Data Services contains a vulnerability that allows an attacker with low-level network access and user credentials to manipulate critical data or disrupt service availability. The attack requires tricking another user into taking action, making it moderately difficult to exploit in practice. Versions 24.2.0 through 26.1.0 are affected. Success can lead to unauthorized access, modification, or deletion of sensitive information, as well as partial service outages.
- CVE-2026-11020MEDIUM 6.5
Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles extensions that process XML files. An attacker can craft a malicious XML file that, when processed by a vulnerable extension, leaks sensitive data from other websites the user has visited. The vulnerability requires user interaction—specifically, the user must open or interact with the malicious file—but does not require the attacker to have special privileges or bypass additional security controls. This is a cross-origin data leak, meaning information intended to be isolated between websites can be extracted by an attacker.
- CVE-2026-42073MEDIUM 6.5
OpenClaude, an open-source command-line tool for interacting with cloud and local AI models, has a flaw in how it handles user login. When you authenticate using OAuth, the software runs a temporary web server locally to catch the login response. To prevent attackers from hijacking this process, the server checks a security token called a 'state parameter.' However, due to a bug in how the code checks this token, an attacker can bypass the security check entirely and crash the server without even knowing what the token is. This has been fixed in version 0.5.1 and later.
- CVE-2026-34460MEDIUM 5.4
NamelessMC, a website platform for Minecraft servers, contains a vulnerability in how it handles OAuth authentication callbacks. When a user logs in via OAuth (a third-party authentication method), the application fails to verify a security token called a 'state parameter' before accepting the login. An attacker can exploit this by crafting a malicious link that tricks a victim into logging in with the attacker's own account credentials. Once clicked, the victim's session becomes authenticated as the attacker, potentially granting unauthorized access to the victim's account on that NamelessMC instance. The vulnerability affects NamelessMC versions 2.2.4 and earlier.
- CVE-2018-25387MEDIUM 5.3
HaPe PKH 1.1 contains a cross-site request forgery (CSRF) vulnerability that enables attackers to change administrator passwords without needing to log in. An attacker can trick an authenticated administrator into visiting a malicious website or clicking a crafted link, which silently submits a forged request to modify admin credentials. This allows complete account takeover of administrative users.
- CVE-2018-25397MEDIUM 5.3
PHP-SHOP 1.0 is vulnerable to cross-site request forgery (CSRF), a class of attack where malicious actors craft hidden web forms designed to trick authenticated administrators into unknowingly adding new admin accounts. An attacker creates a deceptive webpage containing a concealed form that automatically submits admin account creation requests when an authenticated admin visits the page. This allows the attacker to gain administrative control without needing the victim's credentials.
- CVE-2018-25435MEDIUM 5.3
ZeusCart 4.0 is vulnerable to a cross-site request forgery (CSRF) attack that allows an attacker to trick administrators into unknowingly deactivating customer accounts. By crafting a malicious webpage or email link, an attacker can force an admin to submit a request that disables customer access without their knowledge or consent. The attack requires only that an administrator visit an attacker-controlled page while logged into their ZeusCart admin panel.
- CVE-2026-4071MEDIUM 4.3
The BirdSeed WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to change the plugin's authentication token without the site administrator's knowledge. An attacker can craft a malicious link or webpage that, when clicked by an admin, silently modifies the BirdSeed token stored in the site's database. This breaks the trust chain between your WordPress site and the BirdSeed service. The vulnerability affects all versions up to and including 2.2.0 and requires social engineering—tricking an administrator into clicking a link—but no authentication or special privileges are needed from the attacker's side.