{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1835", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-03T15:29:48.182Z", "datePublished": "2026-02-04T00:02:08.877Z", "dateUpdated": "2026-02-23T09:16:25.074Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:16:25.074Z"}, "title": "lcg0124 BootDo cross-site request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "Cross-Site Request Forgery"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "Missing Authorization"}]}], "affected": [{"vendor": "lcg0124", "product": "BootDo", "versions": [{"version": "e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-03T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-05T17:30:28.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Tom132432 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.344028", "name": "VDB-344028 | lcg0124 BootDo cross-site request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344028", "name": "VDB-344028 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.742484", "name": "Submit #742484 | BootDo Web V1.0 CSRF", "tags": ["third-party-advisory"]}, {"url": "https://github.com/webzzaa/CVE-/issues/6", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T20:19:19.371280Z", "id": "CVE-2026-1835", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:19:24.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1835", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T20:19:19.371280Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:19:22.277Z"}}], "cna": {"title": "lcg0124 BootDo cross-site request forgery", "credits": [{"lang": "en", "type": "reporter", "value": "Tom132432 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "lcg0124", "product": "BootDo", "versions": [{"status": "affected", "version": "e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb"}]}], "timeline": [{"lang": "en", "time": "2026-02-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-03T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-05T17:30:28.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344028", "name": "VDB-344028 | lcg0124 BootDo cross-site request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344028", "name": "VDB-344028 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.742484", "name": "Submit #742484 | BootDo Web V1.0 CSRF", "tags": ["third-party-advisory"]}, {"url": "https://github.com/webzzaa/CVE-/issues/6", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:16:25.074Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1835", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:16:25.074Z", "dateReserved": "2026-02-03T15:29:48.182Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-04T00:02:08.877Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad en lcg0124 BootDo hasta e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Esto afecta una parte desconocida. La manipulaci\u00f3n conduce a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. El ataque puede llevarse a cabo remotamente. El exploit est\u00e1 disponible p\u00fablicamente y podr\u00eda ser utilizado. Este producto adopta una estrategia de lanzamiento continuo para mantener la entrega continua. Por lo tanto, los detalles de la versi\u00f3n para las versiones afectadas o actualizadas no pueden especificarse."}], "id": "CVE-2026-1835", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-04T01:15:56.100", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/webzzaa/CVE-/issues/6"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.344028"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.344028"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.742484"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:58:02.753401+00:00", "value": {"mitigation_remediation": ["Update BootDo to a commit later than e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb when available", "Implement or enforce CSRF protection mechanisms such as synchronizer tokens or same-site cookies to guard against forged requests", "Verify that any deployed instances have CSRF headers and valid tokens enabled and consider disabling vulnerable endpoints until the patch is applied"], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The affected product is lcg0124 BootDo. All releases up to the code revision e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb are affected. Due to the rolling release model, exact version ranges cannot be listed, so any deployment running a commit prior to the identified fix is vulnerable.", "description_and_impact": "A vulnerability in lcg0124 BootDo allows an attacker to forge authenticated requests on behalf of a logged-in user, potentially causing unauthorized state changes or data exposure, as it matches the Cross\u2011Site Request Forgery weakness identified by CWE-352. The issue stems from insufficient request validation, and the affected component is unspecified but exists within the application\u2019s request handling logic. The exploit can be performed remotely and is publicly available, enabling attackers to target users without direct access to the system.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. EPSS shows an exploitation probability of less than 1%, and the vulnerability is not in the CISA KEV catalog. Attackers can leverage the CSRF flaw by getting a victim\u2019s browser to submit a crafted HTTP request, often through a malicious link or embedded content. While the vulnerability does not require authentication to the application itself, it relies on the victim\u2019s authenticated session, making the threat primarily to users with active sessions. The lack of a widespread KEV listing and low EPSS score suggest the risk is moderate, but the vulnerability remains exploitable with readily available payloads."}}}}, "created": "2026-02-04T12:04:57.726734+00:00", "updated": "2026-04-18T00:00:09.488281+00:00", "vendors": ["lcg0124", "lcg0124$PRODUCT$bootdo"]}