6.0.1
CVE-2026-27632 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Talishar, a fan-made project based on the Flesh and Blood tabletop game. This flaw allows attackers to trick authenticated users into performing unintended actions within their active game sessions. The vulnerability specifically impacts versions of Talishar prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, and a fix is available in that commit.
The impact of this CSRF vulnerability is significant, as it allows an attacker to potentially manipulate game state without the user's knowledge or consent. An attacker could, for example, force a player to concede a game, change their deck composition, or perform other actions that would alter the game's outcome. Successful exploitation requires the attacker to know the target's gameName and playerID, but once obtained, the attack can be executed without further authentication. This vulnerability highlights the importance of proper CSRF protection, even in smaller, fan-made projects, as it can lead to significant disruption and unfair advantages within the game.
CVE-2026-27632 has a LOW CVSS score. There are no publicly known Proof-of-Concept (POC) exploits for this vulnerability at the time of publication. It is not currently listed on KEV or EPSS. Given the relatively niche nature of the Talishar project, the probability of active exploitation is considered low, but the potential impact within the game environment remains a concern.
Exploitation status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27632 is to upgrade to a build that includes commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, which adds the necessary CSRF protections. If upgrading is not immediately feasible, consider a temporary workaround of adding input validation and sanitization to SubmitChat.php and the other game interaction handlers. While not a complete solution, this can reduce the attack surface. Additionally, enforce strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, further limiting the potential for CSRF attacks. After upgrading, confirm the fix by attempting to forge a request to a critical endpoint and verifying that it is rejected.
Update the Talishar application to a version at or after commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48. This update fixes the CSRF vulnerability on the critical endpoints. Alternatively, implement CSRF protection in `SubmitChat.php` and the other game interaction handlers by requiring a unique, unpredictable session token.
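The protection described above, a unique and unpredictable token bound to the user's session and checked on every game interaction handler, shown as an added example beside the unprotected pattern. This is illustrative code, not Talishar's own; the handler function names, the `csrf_token` field name and the `talishar.example` host are assumptions.

```php
<?php
// Added example (not Talishar's code): CSRF protection for a handler in the
// style of SubmitChat.php. Names and the expected host are assumptions.

// Issue one unpredictable token per session and keep it server-side.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG value
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrfTokenValid(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// Browsers send Origin on cross-site POSTs; reject anything not from our host.
function sameOrigin(string $expectedHost): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    return parse_url($origin, PHP_URL_HOST) === $expectedHost;
}

// BEFORE (vulnerable pattern): gameName and playerID are the only inputs, and
// the session cookie is attached automatically, so any site can forge the call.
function handleChatUnprotected(array $post): string {
    return "chat from {$post['playerID']} in {$post['gameName']}: {$post['chatText']}";
}

// AFTER (hardened): POST only, same origin, and a valid session-bound token.
function handleChatProtected(array $post, string $expectedHost): string {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || !sameOrigin($expectedHost)
        || !csrfTokenValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'forbidden';
    }
    return handleChatUnprotected($post);
}

// Usage: mark the session cookie SameSite before starting the session, render
// csrfToken() as a hidden form field, and route the POST through the guard.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();
echo handleChatProtected($_POST, 'talishar.example');
```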
CVE-2026-27632 is a Cross-Site Request Forgery (CSRF) vulnerability in Talishar, a fan-made project for the Flesh and Blood tabletop game. It allows attackers to perform unauthorized actions within game sessions.
You are affected if you are using a version of Talishar prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48. Players actively using the application are potentially at risk.
Upgrade to a build that includes commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48. As a temporary workaround, implement input validation and sanitization in the game interaction handlers.
There are currently no publicly known active exploitation campaigns for CVE-2026-27632, but the potential for exploitation remains.
Refer to the project's repository or communication channels for the official advisory regarding CVE-2026-27632.