Cyber Posture


CWE-352: Cross-Site Request Forgery (CSRF)

Abstraction: Compound · CVEs in our corpus: 9,135

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (4)

Control | Title | Family | Why it addresses this CWE
AT-2 | Literacy Training and Awareness | AT | Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
IA-11 | Re-authentication | IA | Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
PM-14 | Testing, Training, and Monitoring | PM | Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
SI-4 | System Monitoring | SI | Detects anomalous request patterns consistent with cross-site request forgery.

Top CVEs of this weakness type, ranked by Risk Priority

CVE | Risk | CVSS | EPSS | Published
CVE-2016-6277 (KEV) | 9.4 | 8.8 | 0.9431 | 2016-12-14
CVE-2018-7700 | 7.4 | 8.8 | 0.9324 | 2018-03-27
CVE-2022-1020 | 7.3 | 9.8 | 0.8953 | 2022-04-18
CVE-2022-0952 | 7.1 | 8.8 | 0.8822 | 2022-05-02
CVE-2021-25032 | 6.9 | 9.8 | 0.8189 | 2022-01-10
CVE-2019-9787 | 6.6 | 8.8 | 0.8102 | 2019-03-14
CVE-2022-1574 | 6.6 | 9.8 | 0.7686 | 2022-06-27
CVE-2020-5776 | 6.5 | 8.8 | 0.7879 | 2020-09-01
CVE-2014-100005 (KEV) | 6.4 | 8.0 | 0.4590 | 2015-01-13
CVE-2019-10655 | 6.3 | 9.8 | 0.7244 | 2019-03-30
CVE-2023-2533 (KEV) | 5.9 | 8.4 | 0.3632 | 2023-06-20
CVE-2018-4066 | 5.8 | 8.8 | 0.6766 | 2019-05-06
CVE-2022-41622 | 5.3 | 8.8 | 0.5977 | 2022-12-07
CVE-2020-10181 (KEV) | 5.2 | 9.8 | 0.2055 | 2020-03-11
CVE-2019-16667 | 5.1 | 8.8 | 0.5610 | 2019-09-26
CVE-2022-41924 | 5.1 | 9.6 | 0.5356 | 2022-11-23
CVE-2019-19833 | 5.0 | 6.5 | 0.6127 | 2019-12-18
CVE-2020-8417 | 4.8 | 8.8 | 0.5031 | 2020-01-28
CVE-2019-12616 | 4.6 | 6.5 | 0.5505 | 2019-06-05
CVE-2021-25052 | 4.3 | 8.8 | 0.4241 | 2022-01-10
CVE-2013-3568 | 4.2 | 8.8 | 0.4106 | 2020-02-06
CVE-2020-36836 | 4.2 | 8.0 | 0.4315 | 2024-10-16
CVE-2019-7262 | 4.1 | 8.8 | 0.3913 | 2019-07-02
CVE-2023-23897 | 3.9 | 4.3 | 0.5097 | 2023-07-10
CVE-2013-5696 | 3.8 | 0.0 | 0.6395 | 2013-09-23