30 matches found

EUVD
added 5 days ago, 7 views

EUVD-2026-37853

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action 'a=update' processes POST data via cotconfigupdateoptions without calling cotcheckxg to validate...

CVSS 8.8, AI score 5.5, EPSS 0.00176
Exploits 0, References 2
CNNVD
added 2026/05/20 12:0 a.m., 6 views

WordPress plugin Bottom Bar Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 4.3, AI score 5.8, EPSS 0.00187
Exploits 0, References 1
Exploit DB
added 2026/04/30 12:0 a.m., 48 views

SumatraPDF 3.5.2 - Remote Code Execution

Exploit Title: SumatraPDF 3.5.2 - Remote Code Execution Date: 2026-02-10 Exploit Author: Mohammed I. Banyamer Vendor Homepage: https://www.sumatrapdfreader.org/ Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer Version: 3.5.0 - 3.5.2 Tested on: Windows 10 / 11 CVE :...

CVSS 7.5, AI score 5.2, EPSS 0.00445
Exploits 4
EUVD
added 2026/04/22 9:31 a.m., 2 views

EUVD-2026-24677

The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.7. This is due to missing nonce validation in the imTextP2POptionPage function which processes settings updates. The form at line 314 does not include a wp_nonce_field,...

CVSS 4.3, AI score 5.7, EPSS 0.00156
Exploits 0, References 6
CVE
added 2026/03/20 8:5 p.m., 13 views

CVE-2026-33143

CVE-2026-33143 (OneUptime) affects OneUptime prior to version 10.0.34. The WhatsApp POST webhook handler at /notification/whatsapp/webhook processes events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC, enabling unauthenticated attackers to forge webhook payloads. Impact includes m...

CVSS 8.7, AI score 5.8, EPSS 0.00182
Exploits 1, References 1, Affected Software 1
OSV
added 2026/03/18 5:25 p.m., 2 views

GHSA-G5PH-F57V-MWJC OneUptime WhatsApp Webhook Missing Signature Verification

Summary The WhatsApp POST webhook handler /notification/whatsapp/webhook processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery stat...

CVSS 8.7, AI score 6.1, EPSS 0.00182
Exploits 1, References 3
Positive Technologies
added 2026/03/18 12:0 a.m., 4 views

PT-2026-26199

Summary The WhatsApp POST webhook handler /notification/whatsapp/webhook processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery stat...

CVSS 8.7, AI score 6.1, EPSS 0.00182
Exploits 1, References 7
RedhatCVE
added 2026/03/07 1:44 a.m., 4 views

CVE-2026-28454

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets when Telegram webhook mode is enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...

CVSS 9.8, AI score 5.9, EPSS 0.00255
Exploits 0, References 1
CNVD
added 2026/03/02 12:0 a.m., 4 views

OpenClaw Data Forgery Issue Vulnerability

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw is vulnerable to a data forgery issue. The vulnerability stems from an unverified Telegram key token header and can be exploited by an attacker to process forged updates and perform unexpected actions...

CVSS 7.5, AI score 5.8, EPSS 0.002
Exploits 1, References 1
RedhatCVE
added 2026/02/20 7:22 a.m., 3 views

CVE-2026-25474

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

CVSS 7.5, AI score 5.6, EPSS 0.002
Exploits 1, References 1
NVD
added 2026/02/19 7:17 a.m., 4 views

CVE-2026-25474

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

CVSS 7.5, EPSS 0.002
Exploits 1, References 6
Vulnrichment
added 2026/02/19 2:38 a.m., 3 views

CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

CVSS 7.5, AI score 5.6, EPSS 0.002
Exploits 1, References 6
OSV
added 2026/02/19 2:38 a.m., 3 views

CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

CVSS 7.5, AI score 5.6, EPSS 0.002
Exploits 1, References 8
Cvelist
added 2026/02/19 2:38 a.m., 27 views

CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

CVSS 7.5, EPSS 0.002
Exploits 1, References 6
CNNVD
added 2026/02/19 12:0 a.m., 5 views

OpenClaw Data Forgery Issue Vulnerability

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw is vulnerable to a data forgery issue. The vulnerability stems from an unverified Telegram key token header and can be exploited by an attacker to process forged updates and perform unexpected actions...

CVSS 7.5, AI score 5.8, EPSS 0.002
Exploits 1, References 6
OSV
added 2026/02/17 6:46 p.m., 4 views

GHSA-MP5H-M6QJ-6292 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

Summary In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates for example...

CVSS 7.5, AI score 5.6, EPSS 0.002
Exploits 1, References 8
Github Security Blog
added 2026/02/17 6:46 p.m., 5 views

OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

Summary In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates for example...

CVSS 7.5, AI score 5.6, EPSS 0.002
Exploits 1, References 8, Affected Software 1
Positive Technologies
added 2026/02/17 12:0 a.m., 6 views

PT-2026-23532

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.2 OpenClaw versions 2026.1.30 and earlier Description When Telegram webhook mode is enabled without a configured webhook secret, the software may accept unauthenticated HTTP POST requests at the Telegram webho...

CVSS 9.8, AI score 5.9, EPSS 0.00255
Exploits 0, References 12
Positive Technologies
added 2026/02/17 12:0 a.m., 4 views

PT-2026-20324

Name of the Vulnerable Software and Affected Versions openclaw versions prior to 2026.2.1 Description In Telegram webhook mode, if channels.telegram.webhookSecret is not set, the software may accept webhook HTTP requests without verifying Telegram’s secret token header. This can allow forged...

CVSS 7.5, AI score 5.5, EPSS 0.002
Exploits 1, References 14
Tenable Nessus
added 2026/01/16 12:0 a.m., 2 views

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-004300)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004300 advisory. An exploitable denial-of-service vulnerability exists in the Linux kernel prior to mainline 5.3. An attacker could exploit this vulnerability by triggering AP to sen...

CVSS 7.4, AI score 7.2, EPSS 0.10114
Exploits 1, References 17