Cross-Site Request Forgery Vulnerability in ProjectSend by ProjectSend
CVE-2026-5624

5.3MEDIUM

Key Information:

Vendor

ProjectSend

Status
Projectsend
Vendor
CVE Published:
6 April 2026

What is CVE-2026-5624?

A security flaw has been identified in ProjectSend r2002, specifically affecting the file upload.php component. This vulnerability allows remote attackers to conduct Cross-Site Request Forgery (CSRF) attacks against the application. The exploit can be triggered by manipulating requests, thus potentially compromising user data and actions without authentication. To mitigate this risk, it is recommended to upgrade to version r2029, which includes a critical patch addressing this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

ProjectSend r2002

ProjectSend r2029

References

https://vuldb.com/vuln/355414
vdb-entry
https://vuldb.com/vuln/355414/cti
signaturepermissions-required
https://vuldb.com/submit/785731
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

AquaNight (VulDB User)
VulDB Vulnerability Moderation Team
JSON
.