Talishar Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Talishar application, a fan-made project for Flesh and Blood. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the application did not implement CSRF protections on critical state-changing endpoints, including 'SubmitChat.php' and various game interaction handlers. This absence of protection allowed third-party malicious websites to forge requests on behalf of authenticated users, enabling unauthorized actions within active game sessions. Exploitation required knowledge of the game name and player ID, as well as user interaction with the malicious website while playing a game.

Impact

Exploitation of this vulnerability could lead to unauthorized actions being performed in a user's active game session, such as sending messages through the game chat. This could be combined with other vulnerabilities, like the Stored Cross-Site Scripting issue reported in CVE-2026-25144, to inject malicious payloads into the chat.

Reproduction

To reproduce this vulnerability, an attacker must host a script on a malicious website that targets a user playing Talishar. The script can be designed to send a request to 'SubmitChat.php' using the fetch API, including the player's ID and a message. When the victim visits the malicious website while logged into Talishar, the browser sends the request automatically with the victim's session; because the endpoint performed no CSRF validation, the chat message is accepted as if it came from the player.

Remediation

Users should update to the patched version of Talishar, available in commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48.
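The following is an added example of the kind of server-side check a state-changing PHP endpoint such as SubmitChat.php needs; it is not Talishar's code and not the content of the referenced commit. It combines a per-session synchronizer token (compared in constant time), a Sec-Fetch-Site header check as defence in depth, and a SameSite attribute on the session cookie. The function names, the `csrf_token` field, and the `X-CSRF-Token` header name are assumptions chosen for illustration.

```php
<?php
// Added example, not Talishar's own code: CSRF protection for a
// state-changing endpoint. Names below (csrfToken, verifyCsrf,
// csrf_token, X-CSRF-Token) are hypothetical.
declare(strict_types=1);

// Ask the browser not to attach the session cookie to cross-site POSTs.
// SameSite=Lax still allows top-level navigations, so it is only a first layer.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Per-session token; the page that renders the chat form embeds it in a
// hidden field or sends it in a custom header with each fetch() call.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Defence in depth: modern browsers set Sec-Fetch-Site on every request, so a
// request initiated from a third-party page arrives as "cross-site".
function isSameSiteRequest(): bool
{
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? '';
    // Older browsers omit the header; in that case fall through to the token check.
    return $site === '' || $site === 'same-origin' || $site === 'none';
}

// hash_equals() compares in constant time so the token cannot be
// recovered byte by byte through response timing.
function verifyCsrf(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($submitted === null || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// Accept the token from the form body or from a custom header set by fetch().
$token = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null);
if (!isSameSiteRequest() || !verifyCsrf($token)) {
    http_response_code(403);
    echo 'CSRF check failed';
    exit;
}

// Only after both checks pass is the chat message handled (hypothetical).
// handleChatMessage($_POST['playerID'] ?? '', $_POST['chatText'] ?? '');
```

Every endpoint that changes game state needs the same check, not only the chat handler; the token is tied to the session rather than to a game name or player ID, so knowing those values (as the advisory notes an attacker must) is no longer enough to forge a request.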

Added: Feb 25, 2026, 3:22 AM
Updated: Feb 25, 2026, 3:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.1
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.