CVE-2026-27632
CSRF Vulnerability in Talishar Game Allows Unauthorized Actions

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. By failing to require unique, unpredictable session tokens, the application allows third-party malicious websites to forge requests on behalf of authenticated users, leading to unauthorized actions within active game sessions. The attacker would need to know both the proper gameName and playerID for the player. The player would also need to be browsing and interacting with the infected website while playing a game. The vulnerability is fixed in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor: talishar
Product: talishar
Version / Range: versions before 2026-02-22 (exclusive)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27632 is a Cross-Site Request Forgery (CSRF) vulnerability in the Talishar PHP web application. The application lacks proper CSRF protections on critical state-changing endpoints like SubmitChat.php and other game interaction handlers.

Because the application does not require unique, unpredictable session tokens or validate Origin/Referer headers, attackers can create malicious websites that trick authenticated users into unknowingly submitting unauthorized requests.

An attacker must know the victim's gameName and playerID, and the victim must interact with the malicious site while playing the game. This allows the attacker to perform unauthorized actions such as sending arbitrary chat messages on behalf of the user.

The vulnerability was fixed in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized actions within active game sessions, such as an attacker forcing a player’s browser to submit arbitrary chat messages without their consent.

While it does not impact confidentiality or availability, it has a low impact on integrity by allowing unauthorized modifications to game interactions.

An attacker could chain this vulnerability with others, like Stored Cross-Site Scripting (XSS), to inject malicious payloads remotely into the game chat.

Overall, the impact is considered low severity with a CVSS v3.1 base score of 2.6, but it still poses a risk of unauthorized manipulation of game state and user interactions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized or unexpected POST requests to critical state-changing endpoints such as SubmitChat.php. Specifically, look for POST requests that include parameters like playerID and message originating from third-party or external domains.

Since the vulnerability involves Cross-Site Request Forgery (CSRF), detection involves checking whether the application properly validates CSRF tokens or Origin/Referer headers on these endpoints.

Commands to help detect potential exploitation attempts include using network traffic analysis tools like tcpdump or Wireshark to capture POST requests to SubmitChat.php, for example:

- tcpdump -i any -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /SubmitChat.php'
- Using curl or similar tools to test if the endpoint requires CSRF tokens or validates Origin/Referer headers by sending crafted POST requests without tokens.

Additionally, reviewing application logs for suspicious POST requests to SubmitChat.php with parameters playerID and message from unexpected sources can help identify exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the patch introduced in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48 that adds proper CSRF protections to critical endpoints like SubmitChat.php.

If patching is not immediately possible, consider implementing temporary mitigations such as validating Origin and Referer headers on state-changing requests to ensure they originate from trusted sources.

Additionally, educating users to avoid interacting with untrusted third-party websites while authenticated in the game can reduce the risk of exploitation.

Monitoring and blocking suspicious POST requests to SubmitChat.php from external domains at the network or application firewall level can also help mitigate attacks.
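One way to implement the mitigations described above (a per-session synchronizer token plus an Origin/Referer same-site check) for a state-changing PHP handler such as SubmitChat.php, as an added example that is not Talishar's own patch; the host name `talishar.example`, the form field `csrf_token` and the header `X-CSRF-Token` are assumptions:

```php
<?php
declare(strict_types=1);

session_start();

// Assumed deployment host; replace with the real one.
const TRUSTED_HOST = 'talishar.example';

// Issue (or reuse) the session's token; embed it in forms and XHR requests.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // unpredictable
    }
    return $_SESSION['csrf_token'];
}

// Check 1: submitted token must equal the session token (constant-time compare).
function csrf_token_valid(string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && hash_equals($expected, $submitted);
}

// Check 2: Origin (preferred) or Referer must name our own host. Browsers
// always send Origin on cross-site POSTs, so a forged request cannot pass;
// a request carrying neither header is rejected rather than trusted.
function same_site_request(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) { return false; }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, TRUSTED_HOST) === 0;
}

// Guard to run at the top of SubmitChat.php before any game state changes.
// Non-string form values (e.g. csrf_token[]=x) are treated as missing.
function require_csrf_protection(): void
{
    $token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!is_string($token) || !csrf_token_valid($token)
        || !same_site_request($_SERVER)) {
        http_response_code(403);
        exit('Forbidden: missing or invalid CSRF token');
    }
}

require_csrf_protection();
// ... existing SubmitChat.php handling of gameName, playerID and message ...
```

The token check alone defeats CSRF; the Origin/Referer check is the stop-gap the answer above suggests and remains useful as defence in depth once tokens are in place.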

