57 matches found

NVD
added last week, 11 views

CVE-2026-54351

Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger allows an attacker to overwrite the interna...

CVSS 9.6, EPSS 0.00461
Exploits: 1, References: 1
Cvelist
added last week, 26 views

CVE-2026-54351 Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override

Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger allows an attacker to overwrite the interna...

CVSS 8.2, EPSS 0.00461
Exploits: 1, References: 1
CVE
added last week, 20 views

CVE-2026-54351

Budibase (open-source low-code platform) is affected by CVE-2026-54351 prior to version 3.39.9. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId by including it in the webhook POST body, causing the async automation worker to run in the victi...

CVSS 9.6, AI score 6, EPSS 0.00461
Exploits: 1, References: 1, Affected Software: 1
Github Security Blog
added 2026/06/22 11:20 p.m., 9 views

Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override

Summary: The webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger allows an attacker to overwrite the internal appId property by including it in the webhook POST...

CVSS 9.6, AI score 6.6, EPSS 0.00461
Exploits: 1, References: 2, Affected Software: 1
NVD
added 2026/06/22 10:16 p.m., 13 views

CVE-2026-56357

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhoo...

CVSS 6.3, EPSS 0.00186
Exploits: 0, References: 2
CVE
added 2026/06/22 9:04 p.m., 17 views

CVE-2026-56357

n8n's GitHub Webhook Trigger node is affected in versions before 1.123.15 and 2.5.0 due to missing HMAC-SHA256 signature verification. This allows an attacker who knows the webhook URL to send unsigned POST requests, potentially triggering workflows with arbitrary data and spoofing GitHub webhook...

CVSS 6.3, AI score 6, EPSS 0.00186
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2026/06/22 9:04 p.m., 21 views

CVE-2026-56357 n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhoo...

CVSS 6.3, EPSS 0.00186
Exploits: 0, References: 2
RedhatCVE
added 2026/06/01 10:03 p.m., 11 views

CVE-2026-44847

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint /api/trigger/v1/webhook/triggerid is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication...

CVSS 7.5, AI score 5.9, EPSS 0.00271
Exploits: 0, References: 1
Cvelist
added 2026/05/26 8:16 p.m., 36 views

CVE-2026-44847 MaxKB: Webhook Trigger Authentication Bypass

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint /api/trigger/v1/webhook/triggerid is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication...

CVSS 7.5, EPSS 0.00271
Exploits: 0, References: 2
Vulnrichment
added 2026/05/26 8:16 p.m., 12 views

CVE-2026-44847 MaxKB: Webhook Trigger Authentication Bypass

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint /api/trigger/v1/webhook/triggerid is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication...

CVSS 7.5, AI score 5.9, EPSS 0.00271
Exploits: 0, References: 2
CVE
added 2026/05/26 8:16 p.m., 36 views

CVE-2026-44847

MaxKB (enterprise open-source AI assistant) prior to 2.9.0 exposes its webhook trigger endpoint /api/trigger/v1/webhook/{trigger_id} without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework treats as valid authentication, allowing an unauthenti...

CVSS 7.5, AI score 5.9, EPSS 0.00271
Exploits: 0, References: 2
CNNVD
added 2026/05/26 12:00 a.m., 11 views

MaxKB access control error vulnerability

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Prior to MaxKB 2.9.0, there was an access control vulnerability. This vulnerability stemmed from the Webhook trigger endpoint /api/trigger/v1/webhook/triggerid, which allowed access...

CVSS 7.5, AI score 5.9, EPSS 0.00271
Exploits: 0, References: 3
Github Security Blog
added 2026/04/04 6:04 a.m., 13 views

Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Summary: An unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...

CVSS 9, AI score 6.2, EPSS 0.11982
Exploits: 1, References: 6, Affected Software: 1
Vulnrichment
added 2026/04/03 3:45 p.m., 3 views

CVE-2026-35216 Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the...

CVSS 9, AI score 5.9, EPSS 0.11982
Exploits: 1, References: 4
CVE
added 2026/04/03 3:45 p.m., 15 views

CVE-2026-35216

Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. The process runs as root inside the contai...

CVSS 9, AI score 5.9, EPSS 0.11982
Exploits: 1, References: 4, Affected Software: 1
CNNVD
added 2026/03/31 12:00 a.m., 7 views

Chatwoot code issue vulnerability

Chatwoot is an open-source application developed by Chatwoot itself. It serves as an alternative to proprietary solutions such as customer engagement suites, intercom systems, Zendesk, and Salesforce service clouds. Versions of Chatwoot prior to 4.11.2 contained a code vulnerability. This...

CVSS 6.5, AI score 6.7, EPSS 0.00259
Exploits: 0, References: 3
Snyk
added 2026/02/26 3:58 p.m., 4 views

User Impersonation

Overview: n8n-nodes-base is the base nodes package of n8n. Affected versions of this package are vulnerable to User Impersonation via the GitHub Webhook Trigger component. An attacker can trigger unauthorized workflow executions by sending unsigned POST requests to the webhook endpoint, thereby injecting...

CVSS 6.3, AI score 6.1
Exploits: 0, References: 2
Github Security Blog
added 2026/02/26 3:58 p.m., 9 views

n8n: Webhook Forgery on Github Webhook Trigger

Impact: An attacker who knows the webhook URL of a workflow using the GitHub Webhook Trigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node did not implement the HMAC-SHA256 signature verification that GitHub provides to authenticate webhook deliverie...

CVSS 6.3, AI score 5.6, EPSS 0.00186
Exploits: 0, References: 4, Affected Software: 1
Veracode
added 2025/12/13 4:33 a.m., 38 views

XML External Entity (XXE)

org.jenkins-ci.plugins, generic-webhook-trigger is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to improper XML parser configuration that does not disable external entity processing, which allows an attacker to exploit crafted XML input to access sensitive information or perfor...

CVSS 9.8, AI score 7.3, EPSS 0.25746
Exploits: 0, References: 5, Affected Software: 1
EUVD
added 2025/10/03 8:07 p.m., 6 views

EUVD-2022-6991

Malicious code in bioql PyPI...

CVSS 5.3, AI score 5.5, EPSS 0.00501
Exploits: 0, References: 4