Platform
php
Component
talishar
Fixed in
6.0.1
CVE-2026-27632 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Talishar, a fan-made project based on the Flesh and Blood tabletop game. This flaw allows attackers to trick authenticated users into performing unintended actions within their active game sessions. The vulnerability specifically impacts versions of Talishar prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, and a fix is available in that commit.
The impact of this CSRF vulnerability is significant, as it allows an attacker to potentially manipulate game state without the user's knowledge or consent. An attacker could, for example, force a player to concede a game, change their deck composition, or perform other actions that would alter the game's outcome. Successful exploitation requires the attacker to know the target's gameName and playerID, but once obtained, the attack can be executed without further authentication. This vulnerability highlights the importance of proper CSRF protection, even in smaller, fan-made projects, as it can lead to significant disruption and unfair advantages within the game.
CVE-2026-27632 has a LOW CVSS score. There are no publicly known Proof-of-Concept (POC) exploits for this vulnerability at the time of publication. It is not currently listed on KEV or EPSS. Given the relatively niche nature of the Talishar project, the probability of active exploitation is considered low, but the potential impact within the game environment remains a concern.
Exploit Status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27632 is to upgrade to a build that includes commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 (the fix ships in 6.0.1), which adds the necessary CSRF protections. If upgrading is not immediately feasible, consider a temporary workaround: add input validation and sanitization to SubmitChat.php and the other game interaction handlers. This is not a complete solution, but it reduces the attack surface. Additionally, enforce strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, further limiting the potential for CSRF attacks. After upgrading, confirm the fix by attempting to forge a request to a critical endpoint and verifying that it is rejected.
Update the Talishar application to the version after commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48. This update fixes the CSRF vulnerability in the critical endpoints. Alternatively, implement CSRF protections in `SubmitChat.php` and the other game interaction handlers, requiring unique and unpredictable session tokens.
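The following is an added example of the session-token protection described above, written for this page and not taken from the Talishar code base. It shows the synchronizer-token pattern that a PHP handler such as `SubmitChat.php` would need: a per-session token generated with a CSPRNG, a constant-time check on every state-changing request, and a `SameSite` session cookie as defence in depth. The function names, the `csrf_token` field/header names and the `$expectedHost` value are assumptions for illustration.

```php
<?php
// Added example, not Talishar's code: minimal synchronizer-token CSRF protection
// for a PHP request handler. Function and field names are assumptions.

declare(strict_types=1);

// Harden the session cookie before starting the session. SameSite=Lax makes
// browsers withhold the cookie on cross-site POSTs, so a forged form submission
// arrives unauthenticated even before the token check runs (requires PHP >= 7.3).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the game is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/**
 * Return the per-session CSRF token, creating it on first use.
 * random_bytes() is a CSPRNG; 32 bytes (64 hex chars) is unguessable.
 */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * HTML snippet to embed in any form or page that posts to a protected handler.
 */
function csrf_hidden_input(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Defence in depth: reject requests whose Origin (or Referer) host is not ours.
 * Browsers send Origin on cross-origin POSTs; an absent value is treated as foreign.
 */
function origin_allowed(string $expectedHost): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return false;
    }
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

/**
 * Validate the token sent with a state-changing request. Returns true when the
 * request may proceed; otherwise emits a 403 and returns false. The token is
 * accepted from the POST body or an X-CSRF-Token header (for fetch/XHR clients).
 */
function csrf_check(): bool
{
    $submitted = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';

    // hash_equals() compares in constant time, so timing does not leak the token.
    if ($expected === '' || !is_string($submitted) || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        header('Content-Type: text/plain');
        echo 'Request rejected: missing or invalid CSRF token';
        return false;
    }
    return true;
}

// --- Usage at the very top of a handler such as SubmitChat.php ---------------
// $expectedHost is a placeholder; use the host the game is actually served from.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
if (!origin_allowed('talishar.example') || !csrf_check()) {
    exit;   // a forged cross-site request stops here, before any game state is read or changed
}
// ... existing handler logic (gameName, playerID, chat text) continues below ...
```

The token must be compared with `hash_equals()` rather than `==`, and it must be bound to the session rather than derived from `gameName` or `playerID`, since the advisory notes those two values are all an attacker needs to target a session. Knowing them does not help if every state-changing endpoint also demands a token the attacker's page cannot read.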
CVE-2026-27632 is a Cross-Site Request Forgery (CSRF) vulnerability in Talishar, a fan-made project for the Flesh and Blood tabletop game. It allows attackers to perform unauthorized actions within game sessions.
You are affected if you are using a version of Talishar prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48. Players actively using the application are potentially at risk.
Upgrade to a build that includes commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 (fixed in 6.0.1). As a temporary workaround, implement input validation and sanitization in the game interaction handlers.
There are currently no publicly known active exploitation campaigns for CVE-2026-27632, but the potential for exploitation remains.
Refer to the project's repository or communication channels for the official advisory regarding CVE-2026-27632.