Description
A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified.
Published: 2026-02-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery
Action: Apply Patch
AI Analysis

Impact

A vulnerability in lcg0124 BootDo allows an attacker to forge authenticated requests on behalf of a logged-in user, potentially causing unauthorized state changes or data exposure; the flaw is classified as CWE-352 (Cross-Site Request Forgery). The issue stems from insufficient request validation. The affected component is unspecified but lies within the application's request handling logic. The exploit can be performed remotely and is publicly available, enabling attackers to target users without direct access to the system.

Affected Systems

The affected product is lcg0124 BootDo. All releases up to and including the code revision e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb are affected. Because the project uses a rolling release model, exact version ranges cannot be listed; any deployment running a commit at or before that revision, i.e. prior to a fix, should be treated as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS shows an exploitation probability of less than 1%, and the vulnerability is not in the CISA KEV catalog. Attackers can leverage the CSRF flaw by getting a victim's browser to submit a crafted HTTP request, often through a malicious link or embedded content. While the attacker does not need to authenticate to the application, the attack relies on the victim's authenticated session, so the threat is primarily to users with active sessions. The absence of a KEV listing and the low EPSS score suggest the risk is moderate, but the vulnerability remains exploitable with readily available payloads.

Generated by OpenCVE AI on April 17, 2026 at 23:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BootDo to a commit later than e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb when available
  • Implement or enforce CSRF protection mechanisms such as synchronizer tokens or same-site cookies to guard against forged requests
  • Verify that any deployed instances have CSRF headers and valid tokens enabled and consider disabling vulnerable endpoints until the patch is applied
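The synchronizer-token pattern named in the recommended actions, as an added illustration in Python; this is not BootDo's own code (the page does not describe BootDo's stack), and the session store, request model, cookie name, `_csrf` form field and function names are assumptions. It shows a state-changing handler with no token check beside the same handler guarded by a per-session token compared in constant time, and the Set-Cookie line that adds the SameSite attribute so a cross-site form post is sent without the session cookie.

```python
"""Added example, not BootDo code: synchronizer-token CSRF check plus SameSite cookie.
All names (Session, Request, SESSIONS, login, csrf_check, the _csrf form field,
the 'sid' cookie) are assumptions made for this illustration."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Methods that must never change server state, so they need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Server-side session; the CSRF token is generated once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed request model: HTTP method, form fields, session cookie value."""
    method: str
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None


# In-memory session store (assumption; a real app uses its session backend).
SESSIONS: Dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session and return its id, which the app sets as a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie line with SameSite=Lax so cross-site POSTs omit the cookie."""
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def csrf_check(req: Request) -> bool:
    """Return True only if the request carries the token bound to its session."""
    if req.method in SAFE_METHODS:
        return True
    session = SESSIONS.get(req.session_id or "")
    if session is None:
        return False
    submitted = req.form.get("_csrf", "")
    # Constant-time comparison: a plain == would leak token bytes via timing.
    return hmac.compare_digest(submitted, session.csrf_token)


def delete_user_unprotected(req: Request) -> str:
    """Weak form: trusts the session cookie alone, so a forged POST succeeds."""
    if req.session_id not in SESSIONS:
        return "401 Unauthorized"
    return f"200 OK: deleted user {req.form.get('id')}"


def delete_user_protected(req: Request) -> str:
    """Hardened form: same handler, guarded by the synchronizer-token check."""
    if not csrf_check(req):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: deleted user {req.form.get('id')}"


if __name__ == "__main__":
    sid = login("alice")
    token = SESSIONS[sid].csrf_token
    forged = Request("POST", {"id": "7"}, sid)          # cookie present, no token
    legit = Request("POST", {"id": "7", "_csrf": token}, sid)
    print(session_cookie_header(sid))
    print("unprotected, forged:", delete_user_unprotected(forged))
    print("protected,   forged:", delete_user_protected(forged))
    print("protected,   legit: ", delete_user_protected(legit))
```

The token must be emitted into every state-changing form (or sent as a request header by scripts) and never placed in a URL, where it would leak through logs and Referer headers; SameSite=Lax is defence in depth, not a replacement for the token, because older browsers and top-level GET navigations are not covered by it.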


Tracking


Advisories

No advisories yet.

History

Wed, 04 Feb 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Lcg0124
                                       Lcg0124 bootdo
Vendors & Products                     Lcg0124
                                       Lcg0124 bootdo

Wed, 04 Feb 2026 01:00:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified.
Title                          lcg0124 BootDo cross-site request forgery
Weaknesses                     CWE-352
                               CWE-862
References
Metrics                        cvssV2_0
                               {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                               cvssV3_0
                               {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV4_0
                               {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:16:25.074Z

Reserved: 2026-02-03T15:29:48.182Z

Link: CVE-2026-1835

Vulnrichment

Updated: 2026-02-04T20:19:22.277Z

NVD

Status : Deferred

Published: 2026-02-04T01:15:56.100

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-1835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:00:09Z

Weaknesses