CVE-2026-24885: Php Json Decode Without Content Type Check
Decoding a request body as JSON without validating the Content-Type header can lead to JSON Cross-Site Request Forgery (CSRF). Attackers can bypass CORS by submitting a cross-origin HTML form with `enctype="text/plain"` that contains a hidden JSON payload. Ensure that the `Content-Type` is validated (e.g., verifying it is `application/json`) before parsing t
greprules fetch cve-2026-24885-php-json-decode-without-content-type-check --engine opengrep
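The check the rule asks for, as an added example that is not part of the greprules rule or of any project's code: the unchecked decode the rule flags next to a hardened decoder that parses only when the declared media type is `application/json`. Function names and the sample body are hypothetical and constructed here.

```php
<?php
// Added example (not from the greprules rule page): decode a request body as
// JSON only after validating the Content-Type. Function names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern the rule flags: the body is decoded regardless of the
// Content-Type, so a cross-origin text/plain form post is parsed as JSON.
function decode_body_unchecked(string $rawBody): ?array
{
    $data = json_decode($rawBody, true);
    return is_array($data) ? $data : null;
}

// Extract the media type from a Content-Type value: drop parameters such as
// "; charset=utf-8", trim whitespace and lower-case it before comparing.
function media_type(?string $contentType): ?string
{
    if ($contentType === null || trim($contentType) === '') {
        return null;
    }
    $parts = explode(';', $contentType, 2);
    return strtolower(trim($parts[0]));
}

// Hardened version: decode only when the media type is exactly
// application/json. A missing header, text/plain or a form encoding is
// rejected before json_decode() is ever called; invalid JSON yields null.
function decode_body_checked(?string $contentType, string $rawBody): ?array
{
    if (media_type($contentType) !== 'application/json') {
        return null;
    }
    try {
        $data = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Constructed sample body (not captured traffic). In a real handler the
// inputs come from $_SERVER['CONTENT_TYPE'] and file_get_contents('php://input').
$body = '{"action":"transfer","amount":100}';
var_dump(decode_body_unchecked($body));                                  // parsed: vulnerable
var_dump(decode_body_checked('text/plain', $body));                      // rejected
var_dump(decode_body_checked('application/json; charset=utf-8', $body)); // parsed
```

A form-based cross-origin request cannot declare `application/json` without triggering a CORS preflight, so enforcing the media type before decoding closes the path the rule describes.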