diff --git a/htdocs/product/stock/stocktransfer/stocktransfer_card.php b/htdocs/product/stock/stocktransfer/stocktransfer_card.php
index f078d5c02c104..59e37349ef305 100644
--- a/htdocs/product/stock/stocktransfer/stocktransfer_card.php
+++ b/htdocs/product/stock/stocktransfer/stocktransfer_card.php
@@ -2,6 +2,7 @@
 /* Copyright (C) 2017 Laurent Destailleur
  * Copyright (C) 2024-2025 MDW
  * Copyright (C) 2024-2025 Frédéric France
+ * Copyright (C) 2025 Pierre Ardoin
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -92,6 +93,22 @@
 }
 }
 
+// Ensure delete-related actions require a valid CSRF token.
+if (in_array($action, array('delete', 'deleteline'), true)) {
+ $csrfToken = GETPOST('token', 'alphanohtml');
+ if (empty($csrfToken)) {
+ accessforbidden();
+ }
+ $expectedToken = currentToken();
+ if (function_exists('hash_equals')) {
+ if (!hash_equals($expectedToken, $csrfToken)) {
+ accessforbidden();
+ }
+ } elseif ($expectedToken !== $csrfToken) {
+ accessforbidden();
+ }
+}
+
 if (empty($action) && empty($id) && empty($ref)) {
 $action = 'view';
 }
@@ -884,7 +901,9 @@
 print img_edit() . '';
 print '';
 print '';
- print 'id . '">' . img_delete($langs->trans("Remove")) . '';
+ // Ensure the delete line link embeds a CSRF token.
+ $deleteLineUrl = $_SERVER["PHP_SELF"] . '?id=' . $id . '&action=deleteline&lineid=' . $line->id . '&token=' . newToken();
+ print '' . img_delete($langs->trans("Remove")) . '';
 print '';
 }
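Review bot: The `elseif ($expectedToken !== $csrfToken)` fallback in the new token check is a timing-unsafe comparison and is unreachable on any PHP this code can run on, since `hash_equals()` has been in core since PHP 5.6; the `function_exists('hash_equals')` branch should go so the check collapses to `if (empty($csrfToken) || !hash_equals($expectedToken, $csrfToken)) { accessforbidden(); }`. The guard also covers `delete`, yet the only trigger this commit updates with a token is the `deleteline` link in the later hunk; if the `delete` confirmation path does not already send `token=`, that action will now be refused, which is worth confirming before merge. Dolibarr's central token check in main.inc.php may already cover these actions depending on configuration, so a one-line comment stating that this is a page-local defense-in-depth check paired with the `newToken()` embedded in the page's links would help the next maintainer understand why it duplicates the framework logic.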
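Review bot: The new `$deleteLineUrl` joins `action`, `lineid` and `token` with a bare `&` even though it is emitted inside an href attribute; if this file follows the usual Dolibarr convention of `&amp;` in link values, the separators should read `'&amp;action=deleteline&amp;lineid=' . $line->id . '&amp;token=' . newToken()` so the attribute stays well-formed HTML. The token now matches what the page-top check compares against with `currentToken()`, which appears to be the framework's intended pairing, but that is inferred from the two hunks rather than visible here. The enclosing line loop begins outside this hunk, so the `}` at its end closes a block whose header is not shown.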