Description
Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but an attacker can use the hashtag parameter to inject an encoded payload and bypass the CSRF protection, allowing for unauthorized changes to user data. This can be exploited by tricking a user into submitting a crafted form or by using a script to obtain and set the CSRF token.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to modify a logged-in user's information by bypassing the application's anti-CSRF protection: an encoded payload injected through the hashtag parameter causes the server to accept the forged request as legitimate.

Affected Systems

The affected application is Zechat 1.5 from Bylancer. Only this version is listed as vulnerable; no other versions were identified in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, which suggests low current exploitation activity. Exploitation requires a victim user to be authenticated and to visit a crafted link or form; the attacker can then inject the malicious payload in the hashtag parameter and alter the user's data, without gaining privileges beyond the scope of the victim's legitimate session.

Generated by OpenCVE AI on May 17, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that Zechat is installed at version 1.5 or newer and check the vendor’s website for a patch or updated release that addresses the CSRF flaw.
  • If no patch is available, restrict the use of the hashtag parameter by validating input against a whitelist or by removing the related functionality from the application.
  • Ensure that the CSRF token is bound to the user's session and regenerated for each request, and that a same-site cookie policy is enforced so forged requests cannot be submitted from other origins.
  • As an interim measure, disable the functionality that allows changing user information via GET requests or embedded URLs to prevent malicious exploitation.
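The three defensive controls in the list above (a whitelist for the hashtag parameter, a session-bound single-use CSRF token delivered alongside a SameSite cookie, and rejecting state changes over GET) can be combined in a small request guard. The following is an added example written for this page; it is not code from Zechat, Bylancer or OpenCVE, and the endpoint name, the allowed hashtag character set and the in-memory token store are assumptions made for illustration.

```python
import hmac
import re
import secrets
import urllib.parse
from typing import Dict, Optional, Tuple

# Assumption: a hashtag is a single word of letters, digits or underscores.
# Anything else (including leftover percent-encoding) is rejected.
HASHTAG_RE = re.compile(r"[A-Za-z0-9_]{1,64}")

# Methods that must never change server-side state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def validate_hashtag(raw: str) -> Optional[str]:
    """Decode the parameter exactly once, then allow only whitelisted characters.

    Returns the clean value, or None when the input does not match the whitelist.
    A double-encoded payload decodes to something still containing '%' and is
    therefore rejected rather than decoded again.
    """
    decoded = urllib.parse.unquote(raw)
    return decoded if HASHTAG_RE.fullmatch(decoded) else None


class CsrfGuard:
    """Anti-CSRF tokens that are bound to one session and valid for one request."""

    def __init__(self) -> None:
        # Hypothetical in-memory store keyed by session id; a real application
        # would keep this in its server-side session backend.
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        """Create a fresh random token for this session, replacing any old one."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify_and_rotate(self, session_id: str, presented: Optional[str]) -> bool:
        """Check the presented token against the session's token in constant time.

        The token is rotated whether or not the check passed, so a captured token
        cannot be replayed and a token from another session never matches.
        """
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        ok = hmac.compare_digest(expected, presented)
        self.issue(session_id)
        return ok


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie with a same-site policy enforced."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


def handle_profile_update(
    guard: CsrfGuard, method: str, session_id: str, form: Dict[str, str]
) -> Tuple[int, str]:
    """Gate a hypothetical profile-update endpoint. Returns (HTTP status, reason)."""
    # 1. State changes are only accepted over POST, never via a GET link.
    if method in SAFE_METHODS:
        return 405, "state changes must use POST"
    # 2. The token must belong to this session and must not have been used before.
    if not guard.verify_and_rotate(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    # 3. The hashtag parameter is validated against the whitelist after one decode.
    hashtag = validate_hashtag(form.get("hashtag", ""))
    if hashtag is None:
        return 400, "hashtag contains disallowed characters"
    return 200, f"profile updated with hashtag {hashtag}"


if __name__ == "__main__":
    guard = CsrfGuard()
    sid = "constructed-session-id"
    token = guard.issue(sid)
    print(session_cookie_header(sid))
    # Forged link: GET is refused outright.
    print(handle_profile_update(guard, "GET", sid, {"csrf_token": token}))
    # Legitimate form post with a clean hashtag.
    print(handle_profile_update(guard, "POST", sid, {"csrf_token": token, "hashtag": "infosec"}))
    # Replay of the same token after it was consumed.
    print(handle_profile_update(guard, "POST", sid, {"csrf_token": token, "hashtag": "infosec"}))
```

The rotation in `verify_and_rotate` happens on every POST attempt, so a form rendered with an old token must be re-issued a new one after each submission; a page that renders several forms at once should fetch the token once per render rather than per form.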

Advisories

No advisories yet.

History

Sun, 17 May 2026 12:30:00 +0000

Type                 Values Removed   Values Added
Description          -                Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but an attacker can use the hashtag parameter to inject an encoded payload and bypass the CSRF protection, allowing for unauthorized changes to user data. This can be exploited by tricking a user into submitting a crafted form or by using a script to obtain and set the CSRF token.
Title                -                Zechat 1.5 Cross-Site Request Forgery (CSRF) via hashtag parameter
First Time appeared  -                Zechat Project; Zechat Project zechat
Weaknesses           -                CWE-352
CPEs                 -                cpe:2.3:a:zechat_project:zechat:1.5:*:*:*:*:*:*:*
Vendors & Products   -                Zechat Project; Zechat Project zechat
References           -                -
Metrics              -                cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
                                      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-17T12:12:25.417Z

Reserved: 2026-05-17T11:51:56.261Z

Link: CVE-2018-25334

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T13:16:45.097

Modified: 2026-05-17T13:16:45.097

Link: CVE-2018-25334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T14:45:03Z

Weaknesses