Search criteria
2 vulnerabilities by Talishar
CVE-2026-27632 (GCVE-0-2026-27632)
Vulnerability from cvelistv5 – Published: 2026-02-25 02:52 – Updated: 2026-02-25 02:52
VLAI?
Title
Talishar Vulnerable to Cross-Site Request Forgery (CSRF)
Summary
Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. By failing to require unique, unpredictable session tokens, the application allows third-party malicious websites to forge requests on behalf of authenticated users, leading to unauthorized actions within active game sessions. The attacker would need to know both the proper gameName and playerID for the player. The player would also need to be browsing and interact with the infected website while playing a game. The vulnerability is fixed in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "Talishar",
"vendor": "Talishar",
"versions": [
{
"status": "affected",
"version": "\u003c 6be3871a14c192d1fb8146cdbc76f29f27c1cf48"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. By failing to require unique, unpredictable session tokens, the application allows third-party malicious websites to forge requests on behalf of authenticated users, leading to unauthorized actions within active game sessions. The attacker would need to know both the proper gameName and playerID for the player. The player would also need to be browsing and interact with the infected website while playing a game. The vulnerability is fixed in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T02:52:10.061Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Talishar/Talishar/security/advisories/GHSA-73mm-323r-cm3g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-73mm-323r-cm3g"
}
],
"source": {
"advisory": "GHSA-73mm-323r-cm3g",
"discovery": "UNKNOWN"
},
"title": "Talishar Vulnerable to Cross-Site Request Forgery (CSRF)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27632",
"datePublished": "2026-02-25T02:52:10.061Z",
"dateReserved": "2026-02-20T22:02:30.028Z",
"dateUpdated": "2026-02-25T02:52:10.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25144 (GCVE-0-2026-25144)
Vulnerability from cvelistv5 – Published: 2026-02-02 22:54 – Updated: 2026-02-04 16:52
VLAI?
Title
Talishar has a Stored XSS which can lead to data exfiltration & user impersonation
Summary
Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. The playerID parameter in SubmitChat.php and is saved without sanitization and executed whenever a user view the current page game. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4.
Severity ?
5.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:55:16.054941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:52:59.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Talishar",
"vendor": "Talishar",
"versions": [
{
"status": "affected",
"version": "\u003c 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. The playerID parameter in SubmitChat.php and is saved without sanitization and executed whenever a user view the current page game. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T22:54:58.110Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Talishar/Talishar/security/advisories/GHSA-rrr4-h2pc-57g6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Talishar/Talishar/security/advisories/GHSA-rrr4-h2pc-57g6"
},
{
"name": "https://github.com/Talishar/Talishar/commit/09dd00e5452e3cd998eb1406a88e5b0fa868e6b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Talishar/Talishar/commit/09dd00e5452e3cd998eb1406a88e5b0fa868e6b4"
}
],
"source": {
"advisory": "GHSA-rrr4-h2pc-57g6",
"discovery": "UNKNOWN"
},
"title": "Talishar has a Stored XSS which can lead to data exfiltration \u0026 user impersonation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25144",
"datePublished": "2026-02-02T22:54:58.110Z",
"dateReserved": "2026-01-29T15:39:11.821Z",
"dateUpdated": "2026-02-04T16:52:59.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}