12 matches found

RedhatCVE
added 2026/05/12 8:20 a.m., 4 views

CVE-2026-41432

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...

CVSS 8.2, AI score 5.9, EPSS 0.00011
Exploits 1, References 1
Cvelist
added 2026/05/08 10:21 p.m., 30 views

CVE-2026-41432 New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud

New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...

CVSS 7.1, EPSS 0.00011
Exploits 1, References 2
CNVD
added 2026/03/26 12:00 a.m., 1 view

OpenClaw Access Control Error Vulnerability (CNVD-2026-16041)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an Access Control Error vulnerability that stems from the BlueBubbles webhook handler containing a passwordless fallback authentication path, which can be exploited by an attacker to cause an...

CVSS 6.5, AI score 5.9, EPSS 0.00065
Exploits 0
Positive Technologies
added 2026/03/21 12:00 a.m., 3 views

PT-2026-26745

The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy...

CVSS 6.3, AI score 5.8, EPSS 0.00065
Exploits 0, References 5
RedhatCVE
added 2026/03/07 1:44 a.m., 3 views

CVE-2026-29613

OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles optional plugin webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operat...

CVSS 8.2, AI score 5.9, EPSS 0.00047
Exploits 0, References 1
EUVD
added 2026/03/05 10:00 p.m., 3 views

EUVD-2026-9937

OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles optional plugin webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operat...

CVSS 8.2, AI score 6.1, EPSS 0.00047
Exploits 0, References 4
Cvelist
added 2026/03/05 10:00 p.m., 24 views

CVE-2026-29613 OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust

OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles optional plugin webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operat...

CVSS 8.2, EPSS 0.00047
Exploits 0, References 4
Github Security Blog
added 2026/02/25 4:06 p.m., 3 views

Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering

Summary: An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. Details: When Pygments returns more lines than it was given (a known upstream quirk)...

CVSS 9.3, AI score 5.8, EPSS 0.00099
Exploits 1, References 5, Affected Software 1
Cvelist
added 2026/02/19 10:05 p.m., 17 views

CVE-2026-26319 OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests

OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are...

CVSS 7.5, EPSS 0.00047
Exploits 0, References 4
Positive Technologies
added 2026/02/17 12:00 a.m., 3 views

PT-2026-20350

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.13; @openclaw/bluebubbles versions prior to 2026.2.13. Description: The optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based solely on the TCP peer address being...

CVSS 7.5, AI score 5.5, EPSS 0.00083
Exploits 0, References 12
OSV
added 2022/08/16 7:15 p.m., 1 view

CVE-2022-2846

The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and...

CVSS 4.3, AI score 5.9
Exploits 0, References 2
Cvelist
added 2021/03/18 2:57 p.m., 17 views

CVE-2021-24146 Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export

Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to export all events data in CSV or XML format, for example...

AI score 7.8, EPSS 0.76464
Exploits 5, References 2