{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4971", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-27T08:52:57.705Z", "datePublished": "2026-03-27T19:15:19.715Z", "dateUpdated": "2026-03-27T22:17:31.819Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-27T22:17:31.819Z"}, "title": "SourceCodester Note Taking App cross-site request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "Cross-Site Request Forgery"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "Missing Authorization"}]}], "affected": [{"vendor": "SourceCodester", "product": "Note Taking App", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in SourceCodester Note Taking App up to 1.0. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-27T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-27T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-27T09:58:01.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Anas22335 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.353858", "name": "VDB-353858 | SourceCodester Note Taking App cross-site request forgery", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.353858", "name": "VDB-353858 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.777877", "name": "Submit #777877 | SourceCodester Note Taking App 1.0 Cross Site Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/Mohdanass/b7c5984922238397d10644f5f33ec592", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in SourceCodester Note Taking App up to 1.0. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. If you want to get best quality of vulnerability data, you may have to visit VulDB."}], "id": "CVE-2026-4971", "lastModified": "2026-03-27T20:16:37.780", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:37.780", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/Mohdanass/b7c5984922238397d10644f5f33ec592"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.353858"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.353858"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.777877"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-862"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T20:23:16.982080+00:00", "value": {"mitigation_remediation": ["Confirm whether your deployment is running SourceCodester Note Taking App version 1.0 or earlier.", "If a newer, patched version is available, upgrade the application to that release.", "In the absence of an official patch, add anti\u2011CSRF tokens to all state\u2011changing requests and validate them on the server side.", "Restrict sensitive operations to POST requests only and check for a valid CSRF token before execution.", "Monitor access logs for repeated or anomalous POST requests originating from unauthenticated or foreign IP addresses."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011site request forgery"}, "threat_synthesis": {"affected_systems": "The affected product is SourceCodester Note Taking App, with all releases up to version 1.0. No finer version granularity is provided beyond the stated maximum. The vendor is SourceCodester.", "description_and_impact": "SourceCodester Note Taking App versions up to 1.0 contain a vulnerability that allows an attacker to forge requests on behalf of a legitimate user. The weakness creates a remote cross\u2011site request forgery (CSRF) condition in an unknown function, enabling the attacker to execute unauthorized actions without the victim's knowledge. This can lead to unauthorized data alteration, deletion, or other privileged operations performed by the authenticated user, thereby compromising the application's confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not provided. The vulnerability is not listed in the CISA KEV catalog. The exploit is publicly available and can be performed remotely by any user with network access to the application. Attackers may craft a malicious web page or email that induces a victim to visit a URL or submit a form that triggers the vulnerable function, thereby bypassing authentication safeguards when a valid session cookie is automatically sent by the browser."}}}}, "created": "2026-03-27T20:27:38.378495+00:00", "updated": "2026-03-27T20:27:38.378516+00:00", "vendors": []}