CWE · MITRE source

CWE-352: Cross-Site Request Forgery (CSRF)

Abstraction: Compound · CVEs in our corpus: 9,373

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 7 mapping(s) from 3 framework(s): ASVS 5.0 3 (full) · CAPEC 3 (partial) · OWASP-Web 1 (full)

OWASP Top 10 for Web (2025)

This weakness contributes to A01:2025 Broken Access Control.

NIST 800-53 r5 controls that address this weakness (4) [AI]

Control | Title | Family | Why it addresses this CWE
------- | ----- | ------ | -------------------------
AT-2 | Literacy Training and Awareness | AT | Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
IA-11 | Re-authentication | IA | Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
PM-14 | Testing, Training, and Monitoring | PM | Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
SI-4 | System Monitoring | SI | Detects anomalous request patterns consistent with cross-site request forgery.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction key: "other covers this" and "this covers other" (F/M/P = full / mostly / partial). No mappings are listed for this weakness.

Top CVEs of this weakness type, ranked by Risk Priority

CVE | KEV | Risk | CVSS | EPSS | Published
--- | --- | ---- | ---- | ---- | ---------
CVE-2014-100005 | KEV | 10.0 | 8.0 | 0.4241 | 2015-01-13
CVE-2016-6277 | KEV | 10.0 | 8.8 | 0.9978 | 2016-12-14
CVE-2020-10181 | KEV | 10.0 | 9.8 | 0.1421 | 2020-03-11
CVE-2023-2533 | KEV | 10.0 | 8.4 | 0.2925 | 2023-06-20
CVE-2007-0044 | | 8.0 | 0.0 | 0.5547 | 2007-01-03
CVE-2013-6429 | | 8.0 | 0.0 | 0.9045 | 2014-01-26
CVE-2014-0054 | | 8.0 | 0.0 | 0.9135 | 2014-04-17
CVE-2015-2295 | | 8.0 | 0.0 | 0.6593 | 2015-04-10
CVE-2015-6973 | | 8.0 | 0.0 | 0.6482 | 2015-09-16
CVE-2018-7700 | | 8.0 | 8.8 | 0.7484 | 2018-03-27
CVE-2019-16667 | | 8.0 | 8.8 | 0.5454 | 2019-09-26
CVE-2021-21745 | | 8.0 | 4.3 | 0.5571 | 2021-10-20
CVE-2022-28731 | | 8.0 | 6.5 | 0.5626 | 2022-08-04
CVE-2022-41622 | | 8.0 | 8.8 | 0.8799 | 2022-12-07
CVE-2016-6637 | | 7.0 | 9.6 | 0.0073 | 2016-09-30
CVE-2016-9866 | | 7.0 | 9.8 | 0.0102 | 2016-12-11
CVE-2017-5145 | | 7.0 | 10.0 | 0.0125 | 2017-02-13
CVE-2017-5959 | | 7.0 | 9.8 | 0.0061 | 2017-02-21
CVE-2017-6080 | | 7.0 | 9.8 | 0.0073 | 2017-03-13
CVE-2016-1265 | | 7.0 | 9.8 | 0.0230 | 2017-10-13
CVE-2017-16780 | | 7.0 | 9.8 | 0.0577 | 2017-11-10
CVE-2018-10895 | | 7.0 | 9.3 | 0.0119 | 2018-07-12
CVE-2018-18934 | | 7.0 | 9.8 | 0.0081 | 2018-11-05
CVE-2018-20577 | | 7.0 | 9.1 | 0.0058 | 2018-12-28
CVE-2019-10655 | | 7.0 | 9.8 | 0.1535 | 2019-03-30