CVE-2026-49433
5.0 MEDIUMThe DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection
Published: 2026-06-01 · Last updated: 2026-06-02
Severity and scoring
- CVSS
- 5.0 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
- CWE
- CWE-352
Description
The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-49396 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (7.1 HIGH)
- CVE-2026-54359 — MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled
- CVE-2026-48612 — Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’... (8.0 HIGH)
- CVE-2022-47150 — Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery (4.3 MEDIUM)
- CVE-2022-44630 — Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery (4.6 MEDIUM)