Lucene search
K

250 matches found

Nuclei
Nuclei
added yesterday78 views

Rocket.Chat - Server-Side Request Forgery (SSRF)

A Server-Side Request Forgery SSRF affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. id: CVE-2024-39713 info: name: Rocket.Chat - Server-Side Request Forgery SSRF author: iamnoooob,rootxharsh,pdresearch severity: high description: | A Server-Side Request Forgery SSRF affects...

8.6CVSS7AI score0.03201EPSS
Exploits2References3
NVD
NVD
added 5 days ago7 views

CVE-2026-54695

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Prior to 1.4.0, the pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without authentication, reads an attacker-supplied callSid...

7.5CVSS0.00327EPSS
Exploits1References5
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-54695 Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Prior to 1.4.0, the pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without authentication, reads an attacker-supplied callSid...

7.5CVSS0.00327EPSS
Exploits1References5
ATTACKERKB
ATTACKERKB
added 5 days ago5 views

CVE-2026-54695

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Prior to 1.4.0, the pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without authentication, reads an attacker-supplied callSid...

7.5CVSS6AI score0.00327EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/06/18 3:5 p.m.5 views

GHSA-J8CV-X86Q-RJ85 Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID

Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID Summary The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who...

7.5CVSS5.7AI score0.00327EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.10 views

Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID

Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID Summary The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who...

7.5CVSS5.7AI score0.00327EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50727

Name of the Vulnerable Software and Affected Versions Pipecat versions prior to 1.4.0 Description The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without authentication. An unauthenticated remote attacker can connect to this endpoin...

7.5CVSS6AI score0.00327EPSS
Exploits1References8
OSV
OSV
added 2026/06/11 6:13 a.m.13 views

MAL-2026-5621 Malicious code in twilio-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1 Package name twilio-sdk impersonates the official Twilio Node SDK twilio but ships an empty API module.exports = . The only real behavior runs in...

5.5AI score
Exploits0References9
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 6:13 a.m.15 views

Malicious code in twilio-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1 Package name twilio-sdk impersonates the official Twilio Node SDK twilio but ships an empty API module.exports = . The only real behavior runs in...

5.5AI score
Exploits0References9
OSV
OSV
added 2026/05/29 9:32 p.m.26 views

GHSA-55RJ-X2VC-4WHQ Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification

Description The Twilio SMS notifier bridge ships a webhook request parser used to authenticate and decode the status callbacks Twilio POSTs to an application's webhook endpoint. Its doParseRequest $request, \SensitiveParameter string $secret method receives the configured webhook secret but never...

8.2CVSS5.8AI score0.00026EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/05/29 9:32 p.m.30 views

Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification

Description The Twilio SMS notifier bridge ships a webhook request parser used to authenticate and decode the status callbacks Twilio POSTs to an application's webhook endpoint. Its doParseRequest $request, \SensitiveParameter string $secret method receives the configured webhook secret but never...

5.8AI score0.00026EPSS
Exploits0References6Affected Software2
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.23 views

PT-2026-45034

Description The Twilio SMS notifier bridge ships a webhook request parser used to authenticate and decode the status callbacks Twilio POSTs to an application's webhook endpoint. Its doParseRequest $request, SensitiveParameter string $secret method receives the configured webhook secret but never...

8.2CVSS5.8AI score0.00026EPSS
Exploits0References7
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

Missing Authentication for Critical Function

Overview symfony/twilio-notifier is a Symfony Twilio Notifier Bridge Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the doParse webhook request parser in the notifier bridge. An attacker can submit forged webhook status events because the pars...

6.9CVSS5.7AI score0.00026EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/13 3:25 p.m.7 views

Malicious code in twilio-video.js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e9e3803147d3c0bc502c876bc9a0c17ab6abb0f35cef279419245d46843a57ee The package twilio-video.js was found to contain malicious code. Source: ghsa-malware cc5348f21258b1a1e011513da698c5544555a2b78063b41540c04c9b0b0bc58...

5.7AI score
Exploits0References1
Snyk
Snyk
added 2026/04/13 3:25 p.m.8 views

Malicious Package

Overview twilio-video.js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
OSV
OSV
added 2026/04/13 3:25 p.m.6 views

MAL-2026-2610 Malicious code in twilio-video.js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e9e3803147d3c0bc502c876bc9a0c17ab6abb0f35cef279419245d46843a57ee The package twilio-video.js was found to contain malicious code. Source: ghsa-malware cc5348f21258b1a1e011513da698c5544555a2b78063b41540c04c9b0b0bc58...

5.7AI score
Exploits0References1
OSV
OSV
added 2026/04/10 7:22 p.m.2 views

GHSA-Q5R4-47M9-5MC7 PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

Summary The /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent...

7.5CVSS5.8AI score0.00372EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:20 p.m.1 views

CVE-2026-40116

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the...

7.5CVSS5.9AI score0.00372EPSS
Exploits1References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/03 11:1 p.m.3 views

CVE-2026-34759

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. Thes...

9.2CVSS5.8AI score0.006EPSS
Exploits1References1
NVD
NVD
added 2026/04/02 7:21 p.m.6 views

CVE-2026-34759

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. Thes...

9.2CVSS0.006EPSS
Exploits1References3
Rows per page
Query Builder