A cross-site request forgery (CSRF) vulnerability has been identified in BootDo versions up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This flaw allows an attacker to trick a user into performing unintended actions on the application. Due to BootDo's rolling release model, specific affected versions are not available, but all users of this version range are potentially at risk. A public exploit is available.
The CSRF vulnerability in BootDo allows an attacker to execute unauthorized actions on behalf of an authenticated user. This could involve modifying configurations, creating or deleting resources, or performing other sensitive operations. The remote nature of the attack means an attacker does not need to be on the same network as the victim. The availability of a public exploit significantly increases the likelihood of exploitation, potentially leading to widespread compromise if not addressed promptly. Because no specific version numbers are available, the impact extends to all users of builds up to the affected commit hash.
This vulnerability is publicly known and has a public proof-of-concept available, indicating a higher probability of exploitation. The CVE was published on 2026-02-04. The EPSS score is pending evaluation. No KEV listing is currently available.
EPSS: 0.01% (0% percentile)
Due to BootDo's rolling release strategy, traditional patching is not possible. The primary mitigation is to implement robust input validation and CSRF protection mechanisms. This includes validating all user inputs and using CSRF tokens to prevent unauthorized requests. Consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter malicious requests. Regularly review and update security policies to address emerging threats. Verification can be performed by attempting to trigger an action as a logged-in user from a separate browser session and confirming that the action is blocked.
Update to the latest available version of BootDo. Because it uses a rolling release strategy, continuous updating is the best way to mitigate the vulnerability.
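One way to implement the CSRF-token mitigation described above, as an added example that is not BootDo's code: a session-bound HMAC token checked on every state-changing request, with an Origin check in front of it. The header name `X-CSRF-Token`, the origin `https://admin.example.test`, the session ids and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example; a real deployment loads the key from
# secret storage and sets the origin to its own site.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://admin.example.test"   # hypothetical origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _mac(session_id: str, nonce: str) -> bytes:
    # Length-prefix the session id so (session, nonce) pairs cannot collide.
    msg = f"{len(session_id)}:{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(session_id: str) -> str:
    """Token rendered into forms: random nonce plus a MAC tying it to the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce).decode()}"


def token_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, sent_mac = (token or "").partition(".")
    if not sep or not nonce or not sent_mac:
        return False
    return hmac.compare_digest(_mac(session_id, nonce), sent_mac.encode())


def allow_request(method: str, headers: dict, session_id: str) -> bool:
    """Gate for an authenticated session; headers is a plain dict here."""
    if method.upper() in SAFE_METHODS:
        return True      # safe methods must never change server state
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return False     # request was initiated from another site
    # A forged cross-site request carries the session cookie but cannot
    # read the token, so it fails here.
    return token_valid(session_id, headers.get("X-CSRF-Token", ""))
```

The same gate doubles as the verification step: a state-changing request sent with a valid session but without the token, or with a token issued to a different session, must be rejected.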
CVE-2026-1835 is a cross-site request forgery vulnerability affecting BootDo versions up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb, allowing attackers to perform unauthorized actions.
If you are using BootDo versions up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb, you are potentially affected by this vulnerability due to the rolling release model.
Due to the rolling release, patching is not possible. Implement robust input validation and CSRF tokens to mitigate the risk.
A public exploit exists, indicating a potential for active exploitation, so immediate mitigation is recommended.
Refer to the BootDo documentation and security announcements for the latest information regarding this vulnerability.