CWE-352: Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 7 mapping(s) from 3 framework(s): ASVS 5.0 3 (full) · CAPEC 3 (partial) · OWASP-Web 1 (full)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (4) [AI]

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AT-2 | Literacy Training and Awareness | AT | Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF. |
| IA-11 | Re-authentication | IA | Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation. |
| PM-14 | Testing, Training, and Monitoring | PM | Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications. |
| SI-4 | System Monitoring | SI | Detects anomalous request patterns consistent with cross-site request forgery. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2014-100005 (KEV) | 10.0 | 8.0 | 0.4241 | 2015-01-13 |
| CVE-2016-6277 (KEV) | 10.0 | 8.8 | 0.9978 | 2016-12-14 |
| CVE-2020-10181 (KEV) | 10.0 | 9.8 | 0.1421 | 2020-03-11 |
| CVE-2023-2533 (KEV) | 10.0 | 8.4 | 0.2925 | 2023-06-20 |
| CVE-2007-0044 | 8.0 | 0.0 | 0.5547 | 2007-01-03 |
| CVE-2013-6429 | 8.0 | 0.0 | 0.9045 | 2014-01-26 |
| CVE-2014-0054 | 8.0 | 0.0 | 0.9135 | 2014-04-17 |
| CVE-2015-2295 | 8.0 | 0.0 | 0.6593 | 2015-04-10 |
| CVE-2015-6973 | 8.0 | 0.0 | 0.6482 | 2015-09-16 |
| CVE-2018-7700 | 8.0 | 8.8 | 0.7484 | 2018-03-27 |
| CVE-2019-16667 | 8.0 | 8.8 | 0.5454 | 2019-09-26 |
| CVE-2021-21745 | 8.0 | 4.3 | 0.5571 | 2021-10-20 |
| CVE-2022-28731 | 8.0 | 6.5 | 0.5626 | 2022-08-04 |
| CVE-2022-41622 | 8.0 | 8.8 | 0.8799 | 2022-12-07 |
| CVE-2016-6637 | 7.0 | 9.6 | 0.0073 | 2016-09-30 |
| CVE-2016-9866 | 7.0 | 9.8 | 0.0102 | 2016-12-11 |
| CVE-2017-5145 | 7.0 | 10.0 | 0.0125 | 2017-02-13 |
| CVE-2017-5959 | 7.0 | 9.8 | 0.0061 | 2017-02-21 |
| CVE-2017-6080 | 7.0 | 9.8 | 0.0073 | 2017-03-13 |
| CVE-2016-1265 | 7.0 | 9.8 | 0.0230 | 2017-10-13 |
| CVE-2017-16780 | 7.0 | 9.8 | 0.0577 | 2017-11-10 |
| CVE-2018-10895 | 7.0 | 9.3 | 0.0119 | 2018-07-12 |
| CVE-2018-18934 | 7.0 | 9.8 | 0.0081 | 2018-11-05 |
| CVE-2018-20577 | 7.0 | 9.1 | 0.0058 | 2018-12-28 |
| CVE-2019-10655 | 7.0 | 9.8 | 0.1535 | 2019-03-30 |