GHSA-5pm7-cp8f-p2c2: 
PHP vulnerability analysis and mitigation

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered in wallabag versions prior to 2.6.11. The vulnerability was assigned identifier GHSA-5pm7-cp8f-p2c2 and was published on April 8, 2025. The affected package is wallabag/wallabag (Composer) for versions <=2.6.10, with version 2.6.11 containing the fix (GitHub Advisory).

The vulnerabilities allowed attackers to craft malicious links or pages that could trick logged-in users' browsers into performing unauthorized actions. The affected endpoints included API token management (/generate-token, /revoke-token), user rules management, user configuration modification, entry management, tag management, bulk actions, and interface language changes. The vulnerability has a CVSS v3.1 score of 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (GitHub Advisory).

Successful exploitation could lead to unauthorized modification or deletion of user data, configuration changes, token manipulation, or interface changes. The vulnerability required user interaction and could affect the integrity of user data and settings within their wallabag account (GitHub Advisory).

The vulnerabilities have been fixed in wallabag version 2.6.11. The patch modifies affected endpoints to require the HTTP POST method along with a valid CSRF token for state-changing actions, preventing attackers from forcing users' browsers to perform unintended actions. Users are strongly advised to upgrade their wallabag instance to version 2.6.11 or later (GitHub Advisory).