Cross Site Request Forgery in acknowledging Toast in sissbruecker/linkding


Reported on

May 18th 2022


Hi there linkding maintainers, I would like to report a Cross site request forgery in acknowledging toast.

This is due to the use of the GET method.

Proof of Concept

  1. Install a local instance of linkding
  2. Create admin user admin
  3. Log in as admin and create a new toast
  4. Go back to /bookmarks and see that the toast appears in the search bar
  5. Access the link /toasts/<toast-id>/acknowledge and see that the toast is forcefully acknowledged.
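The behaviour the report describes, next to the shape of fix a Django app would apply (accept only POST and require the session's CSRF token), as an added framework-free Python sketch: this is not linkding's code or its 1.9.1 commit, and `Request`, the handler names and the session layout are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    session: dict                     # server-side session, selected by the cookie
    form: dict = field(default_factory=dict)

def ensure_csrf_token(session: dict) -> str:
    """Issue one secret per session; the app's own forms embed it as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def acknowledge_vulnerable(request: Request, toasts: dict, toast_id: int) -> int:
    """As reported: any request carrying the victim's cookies, even a plain GET, flips the flag."""
    toasts[toast_id]["acknowledged"] = True
    return 200

def acknowledge_fixed(request: Request, toasts: dict, toast_id: int) -> int:
    """Assumed fix: change state only on a POST that carries the session token."""
    if request.method != "POST":
        return 405                    # a navigation or <img> load cannot reach the state change
    expected = request.session.get("csrf_token", "")
    supplied = request.form.get("csrfmiddlewaretoken", "")   # Django's hidden field name
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403                    # another origin cannot read the token to supply it
    toasts[toast_id]["acknowledged"] = True
    return 200

def replay_report() -> dict:
    """Replay the report's scenario against both handlers and collect the outcomes."""
    session = {"user": "admin"}
    token = ensure_csrf_token(session)
    cross_site_get = Request("GET", session)          # cookies present, no token
    out = {}
    toasts = {1: {"acknowledged": False}}
    acknowledge_vulnerable(cross_site_get, toasts, 1)
    out["vulnerable_get"] = toasts[1]["acknowledged"]
    toasts = {1: {"acknowledged": False}}
    out["fixed_get"] = (acknowledge_fixed(cross_site_get, toasts, 1), toasts[1]["acknowledged"])
    forged = Request("POST", session, {"csrfmiddlewaretoken": "guess"})
    out["fixed_forged_post"] = (acknowledge_fixed(forged, toasts, 1), toasts[1]["acknowledged"])
    genuine = Request("POST", session, {"csrfmiddlewaretoken": token})
    out["fixed_genuine_post"] = (acknowledge_fixed(genuine, toasts, 1), toasts[1]["acknowledged"])
    return out
```

The vulnerable handler acknowledges the toast on the cross-site GET, while the fixed one rejects the GET (405) and a POST without the right token (403) and changes state only for the application's own form.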




We are processing your report and will contact the sissbruecker/linkding team within 24 hours. 2 years ago
We have contacted a member of the sissbruecker/linkding team and are waiting to hear back 2 years ago
Sascha Ißbrücker modified the Severity from Critical to None 2 years ago


Thanks for the report, I lowered the severity to none, as you can't really do any harm with this.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Sascha Ißbrücker validated this vulnerability 2 years ago
justinp09010 has been awarded the disclosure bounty
Sascha Ißbrücker marked this as fixed in 1.9.1 with commit 117160 2 years ago