2 matches found
CVE-2026-41896
creationtimestamp| type| source ---|---|--- 2026-06-29 23:13:38+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mphmhrstrp2h 2026-06-29 23:18:12+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mphmq3627t2n...
CVE-2026-41896
CVE-2026-41896 affects Coolify prior to 4.0.0-beta.474. The HMAC key used to validate webhook requests (manual_webhook_secret_github) is nullable with no default, so new apps have a null secret. PHP’s hash_hmac() coerces a null key to an empty string, causing the server to compute hash_hmac('sha2...