LOWCVE-2026-4590CVSS 3.1

CVE-2026-4590: XSRF in kalcaddle kodbox

Platform

php

Component

kodbox

Fixed in

1.64.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

A cross-site request forgery (XSRF) vulnerability has been identified in kalcaddle kodbox versions 1.64–1.64. This flaw resides within the loginSubmit API, specifically in the /workspace/source-code/plugins/oauth/controller/bind/index.class.php file. Successful exploitation allows an attacker to perform unauthorized actions on behalf of an authenticated user, potentially leading to data modification or account compromise. The vulnerability was publicly disclosed on 2026-03-23.

Impact and Attack Scenarios

The XSRF vulnerability in kalcaddle kodbox allows an attacker to craft malicious requests that appear to originate from a legitimate user. By tricking a logged-in user into clicking a crafted link or visiting a malicious website, the attacker can execute actions such as changing passwords, modifying data, or performing other privileged operations. The public availability of an exploit significantly increases the risk of exploitation. The low CVSS score reflects the difficulty of exploitation, but the potential impact remains concerning, especially in environments where user accounts have elevated privileges.

Exploitation Context

The vulnerability is publicly known with a proof-of-concept exploit available, increasing the likelihood of exploitation. It has been added to the NVD database. The vendor was contacted but did not respond. The EPSS score is likely medium due to the public exploit and the potential for widespread exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.02% (3% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impact

Affected Software

Componentkodbox

Vendorkalcaddle

Affected rangeFixed in

1.64 – 1.641.64.1

Weakness Classification (CWE)

CWE-352 CWE-862

Timeline

Reserved2026-03-22
Published2026-03-23
EPSS updated2026-03-31

Unpatched — 62 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-4590 is to upgrade to a patched version of kalcaddle kodbox. Since a fixed version is not specified, consider implementing additional security measures as a temporary workaround. These include implementing strict input validation on the loginSubmit API to sanitize the 'third' argument and preventing unauthorized modifications. Employing a Web Application Firewall (WAF) with XSRF protection rules can also help mitigate the risk. Regularly review access logs for suspicious activity and implement multi-factor authentication to reduce the impact of successful attacks. After applying mitigations, verify the integrity of user accounts and data.

How to fix

Update kodbox to a version later than 1.64, if available, to fix the CSRF vulnerability. If no version is available, consider disabling or removing the oauth plugin until a fix is released.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-4590 — XSRF in kalcaddle kodbox?

CVE-2026-4590 is a cross-site request forgery vulnerability in kalcaddle kodbox versions 1.64–1.64, allowing attackers to perform actions as authenticated users.

Am I affected by CVE-2026-4590 in kalcaddle kodbox?

If you are using kalcaddle kodbox version 1.64–1.64, you are potentially affected by this vulnerability.

How do I fix CVE-2026-4590 in kalcaddle kodbox?

Upgrade to a patched version of kalcaddle kodbox. If a patch is unavailable, implement input validation and WAF rules as temporary mitigations.

Is CVE-2026-4590 being actively exploited?

A public exploit is available, suggesting a high probability of active exploitation.

Where can I find the official kalcaddle kodbox advisory for CVE-2026-4590?

The vendor was contacted but did not respond. Check the NVD database for updates.