Description
Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. By failing to require unique, unpredictable session tokens, the application allows third-party malicious websites to forge requests on behalf of authenticated users, leading to unauthorized actions within active game sessions. The attacker would need to know both the proper gameName and playerID for the player. The player would also need to be browsing and interact with the infected website while playing a game. The vulnerability is fixed in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48.
Published: 2026-02-25
Score: 2.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized state changes via CSRF
Action: Apply Patch
AI Analysis

Impact

Talishar failed to enforce CSRF protections on key state‑changing endpoints, notably SubmitChat.php. Without a unique, unpredictable session token, an attacker can forge requests that appear to come from an authenticated player, allowing malicious actions to be performed during an active game session.

Affected Systems

All versions of Talishar before commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 are affected. The vulnerability is fixed in that commit, and any downstream builds should be updated to include it.

Risk and Exploitability

The CVSS score is 2.6 and the EPSS probability is under 1 %. The CVE is not listed in the CISA KEV catalog. Exploitation requires the victim to be browsing a malicious site while playing a game, and the attacker must know the gameName and playerID. Given the low severity and low exploitation probability, the risk is moderate, but the attack vector is straightforward once the conditions are met.

Generated by OpenCVE AI on April 18, 2026 at 10:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Talishar to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 or later, which implements CSRF tokens on all state‑changing endpoints.
  • Refactor SubmitChat.php and all other game‑interaction handlers to validate a unique, unpredictable CSRF token on each request and reject any request lacking a valid token.
  • Scan for any custom or legacy endpoints that still lack CSRF checks and add appropriate token validation or disable them if not required.

Generated by OpenCVE AI on April 18, 2026 at 10:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:talishar:talishar:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Talishar
Talishar talishar
Vendors & Products Talishar
Talishar talishar

Wed, 25 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Description Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. By failing to require unique, unpredictable session tokens, the application allows third-party malicious websites to forge requests on behalf of authenticated users, leading to unauthorized actions within active game sessions. The attacker would need to know both the proper gameName and playerID for the player. The player would also need to be browsing and interact with the infected website while playing a game. The vulnerability is fixed in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48.
Title Talishar Vulnerable to Cross-Site Request Forgery (CSRF)
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Talishar Talishar
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T21:33:41.129Z

Reserved: 2026-02-20T22:02:30.028Z

Link: CVE-2026-27632

cve-icon Vulnrichment

Updated: 2026-02-26T21:07:04.492Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T03:16:06.860

Modified: 2026-02-27T19:57:49.900

Link: CVE-2026-27632

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses