CVE-2026-38934
Published: 27 April 2026
Summary
CVE-2026-38934 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in diskoverdata's diskover-community, version 2.3.5 and earlier. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-38934 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting diskoverdata's diskover-community software in version 2.3.5 and prior releases. The flaw resides in the public/settings_process.php component, enabling a remote attacker to perform unauthorized actions on behalf of an authenticated user. Published on 2026-04-27 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), it poses a high risk due to its potential for significant confidentiality, integrity, and availability impacts.
A remote, unauthenticated attacker can exploit this vulnerability by tricking a victim user, typically an authenticated administrator or other privileged user, into visiting a malicious webpage or following a malicious link (user interaction required). The victim's browser then submits a forged request to the vulnerable settings_process.php endpoint, and because the browser attaches the victim's session cookie automatically, the application processes the request with the victim's privileges. The attacker needs no credentials of their own and the victim sees nothing; the attacker's reach is whatever settings that endpoint lets the victim change, which per the CVE description is enough to escalate privileges and obtain sensitive information.
Mitigation details and advisories are available through vendor resources and CVE writeups, including http://diskover-community.com, http://diskoverdata.com, and https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38934. Security practitioners should consult these references for patching instructions, as no specific remediation steps are detailed in the core CVE description.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25889
Vulnerability details
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v2.3.5 and before allows a remote attacker to escalate privileges and obtain sensitive information via public/settings_process.php.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF in a public-facing web application (settings_process.php) lets forged requests perform unauthorized actions; it is exploited by luring authenticated users to malicious links or webpages. This maps directly to T1190 (Exploit Public-Facing Application) for the server-side flaw and T1204.001 (User Execution: Malicious Link) for the delivery.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SC-23 (Session Authenticity) calls for mechanisms that bind a state-changing request to the session that legitimately initiated it, such as per-session anti-CSRF tokens, Origin/Referer checks and SameSite session cookies; any of these breaks the forged request to settings_process.php, since a cross-site page cannot read the token or forge the Origin header.
SI-10 (Information Input Validation) requires the endpoint to validate what it receives, including rejecting requests whose CSRF token is missing or does not match the session, so forged submissions cannot reach the settings-changing logic.
SI-2 (Flaw Remediation) covers identifying affected diskover-community deployments (v2.3.5 and prior), applying the vendor fix once available, and verifying afterwards that settings_process.php rejects cross-site requests.
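The CSRF pattern described in the analysis above, and the token plus Origin check that SC-23 and SI-10 ask for, shown side by side as an added illustration. This is not diskover-community code and not the vendor's fix: the handler, the setting name `app_setting`, the field name `csrf_token` and the hostname are assumptions chosen for the example. The vulnerable handler asks only "is there a logged-in session?", which a forged cross-site POST answers "yes" because the browser attached the victim's cookie; the hardened handler additionally demands a secret the attacker's page cannot read and an Origin it cannot spoof.

```php
<?php
// Added illustration of CWE-352 on a settings endpoint; not diskover-community
// code. Names ('app_setting', 'csrf_token') and the hostname are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern: the handler trusts the session cookie alone.
// Browsers attach the session cookie to a cross-site form POST, so the only
// check here passes for a forged request exactly as for a genuine one.
function vulnerable_settings_process(array $session, array $post): string
{
    if (empty($session['user_id'])) {
        return 'denied: not logged in';
    }
    // No token, no Origin check: whatever arrived in $post is applied.
    return 'applied: ' . ($post['app_setting'] ?? '');
}

// --- Hardened pattern: synchronizer token + Origin check + method check.

// Issue one token per session; embed it as a hidden field in every
// state-changing form. A cross-site page cannot read it (same-origin policy).
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Host named by the Origin header (Referer as fallback), or null if absent.
function request_origin_host(array $server): ?string
{
    $src = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($src === null) {
        return null;
    }
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Returns null when the request is acceptable, otherwise the rejection reason.
function csrf_check(array $session, array $post, array $server, string $expected_host): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method';            // state changes only via POST, never GET
    }
    // Fail closed on a missing Origin/Referer: browsers send Origin on
    // cross-site POSTs, so "absent" is no reason to trust the request.
    $origin = request_origin_host($server);
    if ($origin === null || $origin !== strtolower($expected_host)) {
        return 'origin';
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time, so the token cannot be
    // recovered byte by byte through response timing.
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return 'token';
    }
    return null;
}

function hardened_settings_process(array &$session, array $post, array $server, string $expected_host): string
{
    if (empty($session['user_id'])) {
        return 'denied: not logged in';
    }
    if (($reason = csrf_check($session, $post, $server, $expected_host)) !== null) {
        http_response_code(403);
        return "denied: csrf ($reason)";
    }
    return 'applied: ' . ($post['app_setting'] ?? '');
}

// --- Walk-through with constructed requests: the victim is logged in as user 1.
$session = ['user_id' => 1];
$token   = issue_csrf_token($session);
$host    = 'diskover.example.internal';     // assumed deployment hostname

// Forged cross-site POST: the cookie rode along, but the attacker's page can
// neither read the token nor control the Origin header the browser adds.
$forged     = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://attacker.example'];
$forgedPost = ['app_setting' => 'attacker-controlled'];
echo vulnerable_settings_process($session, $forgedPost), PHP_EOL;
echo hardened_settings_process($session, $forgedPost, $forged, $host), PHP_EOL;

// Genuine POST from the application's own settings form.
$genuine     = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => "https://$host"];
$genuinePost = ['app_setting' => 'value', 'csrf_token' => $token];
echo hardened_settings_process($session, $genuinePost, $genuine, $host), PHP_EOL;
```

Run with `php csrf_example.php`: the vulnerable handler applies the forged change, the hardened one rejects it at the Origin check before the token is even compared, and the genuine form submission goes through. Two practical notes: keep the Origin check and the token check both, since a misconfigured proxy that strips Origin would otherwise turn the fail-closed branch into a denial of service for legitimate users with no fallback, and set the session cookie with `SameSite=Lax` (PHP 7.3+, `session_set_cookie_params(['samesite' => 'Lax', 'secure' => true, 'httponly' => true])`) so that even a handler someone forgets to wrap in `csrf_check` never sees the cookie on a cross-site POST.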