Cyber Resilience

CVE-2026-38934

High

Published: 27 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: (no value recorded)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (17.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-38934 is a high-severity CSRF (CWE-352) vulnerability in Diskover Community (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-38934 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting diskoverdata's diskover-community software in version 2.3.5 and prior releases. The flaw resides in the public/settings_process.php component, enabling a remote attacker to perform unauthorized actions on behalf of an authenticated user. Published on 2026-04-27 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), it poses a high risk due to its potential for significant confidentiality, integrity, and availability impacts.

A remote, unauthenticated attacker exploits this vulnerability by tricking a victim, typically an authenticated administrator or other privileged user, into visiting a malicious web page or link (user interaction is required). The victim's browser then submits a forged request to the vulnerable settings_process.php endpoint, so the attacker's action is carried out with the victim's privileges, leading to privilege escalation and disclosure of sensitive information without the victim's knowledge.

Mitigation details and advisories are available through vendor resources and CVE writeups, including http://diskover-community.com, http://diskoverdata.com, and https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38934. Security practitioners should consult these references for patching instructions, as no specific remediation steps are detailed in the core CVE description.


Vulnerability details

Cross Site Request Forgery vulnerability in diskoverdata diskover-community v2.3.5 and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

CSRF in public-facing web app (settings_process.php) enables unauthorized actions via forged requests; exploited by tricking authenticated users with malicious links/webpages, directly mapping to T1190 (Exploit Public-Facing Application) and T1204.001 (Malicious Link).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-70031 (shared CWE-352)
- CVE-2025-23902 (shared CWE-352)
- CVE-2026-34384 (shared CWE-352)
- CVE-2025-23880 (shared CWE-352)
- CVE-2025-30550 (shared CWE-352)
- CVE-2024-53829 (shared CWE-352)
- CVE-2025-23805 (shared CWE-352)
- CVE-2025-59541 (shared CWE-352)
- CVE-2025-25147 (shared CWE-352)
- CVE-2024-13753 (shared CWE-352)

Affected Assets

Diskover Community
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent: SC-23 (Session Authenticity) mandates mechanisms such as anti-CSRF tokens to verify session authenticity, directly preventing forged requests to the vulnerable settings_process.php endpoint.
- Prevent: SI-10 (Information Input Validation) requires validation of information inputs like CSRF tokens, blocking unauthorized privilege escalation via forged submissions in diskover-community.
- Prevent / Recover: SI-2 (Flaw Remediation) ensures timely identification, patching, and verification of the specific CSRF flaw in diskover-community v2.3.5 and prior, eliminating the vulnerability.
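The SC-23 and SI-10 controls above both come down to one implementation pattern: a state-changing form handler must refuse any request that does not carry a per-session secret the browser could only have obtained from a page the server rendered for that user. The following is an added example of that synchronizer-token pattern for a generic PHP settings handler; it is not Diskover's code, and the form field, the `save_settings` call and the log format are hypothetical. It also shows the two checks a practitioner expects alongside the token: rejecting GET for state changes, and marking the session cookie `SameSite` so most cross-site POSTs never carry it in the first place.

```php
<?php
// Added example: synchronizer-token CSRF protection for a settings handler.
// Not Diskover's code; field names, save_settings() and the log line are hypothetical.

declare(strict_types=1);

// Harden the session cookie before the session starts. SameSite=Lax keeps the
// cookie off most cross-site POSTs; HttpOnly and Secure limit cookie theft.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it embeds safely in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Emit the hidden field that every state-changing form must include. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate a state-changing request. Returns true only when the request is a
 * POST whose token matches the session token (compared in constant time).
 */
function csrf_validate(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;   // settings changes must never be triggered by GET
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if (!is_string($given) || $expected === '') {
        return false;
    }
    // hash_equals avoids leaking the token through timing differences.
    return hash_equals($expected, $given);
}

// --- Request handling, as a settings_process.php-style script would do it ---
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET') {
    // Render the form. The hidden token is what a cross-site page cannot read.
    echo '<form method="post" action="settings_process.php">' . csrf_field()
        . '<label>Setting <input name="setting" value="example"></label>'
        . '<button type="submit">Save</button></form>';
    exit;
}

if (!csrf_validate($_SERVER, $_POST, $_SESSION)) {
    http_response_code(403);
    // Log enough to detect a CSRF attempt in SIEM; never echo the token back.
    error_log(sprintf('CSRF check failed: uri=%s client=%s',
        $_SERVER['REQUEST_URI'] ?? '?', $_SERVER['REMOTE_ADDR'] ?? '?'));
    exit('Request rejected: missing or invalid CSRF token.');
}

// Token is valid: apply the change (hypothetical persistence routine).
// save_settings($_POST);
echo 'Settings updated.';
```

The token check is the control SC-23 describes and the `csrf_validate` function is the input validation SI-10 asks for; the `SameSite` attribute is defence in depth rather than a replacement, since older clients and some same-site subdomain layouts do not enforce it. A detection engineer can alert on bursts of the `CSRF check failed` log line against a single session, which is the observable a forged-request campaign leaves behind.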
