
21 matches found

ATTACKERKB
added 2026/05/12 6:37 p.m. · 2 views

CVE-2026-8431

An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior...

CVSS 9.4 · AI score 6 · EPSS 0.0007
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2026/05/12 12:00 a.m. · 5 views

PT-2026-40350

An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior...

CVSS 9.4 · AI score 6 · EPSS 0.0007
Exploits 0 · References 2
ATTACKERKB
added 2026/04/09 9:06 p.m. · 1 view

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVSS 3.1 · AI score 5.9 · EPSS 0.00018
Exploits 0 · References 4 · Affected Software 1
RedhatCVE
added 2026/01/14 7:25 p.m. · 2 views

CVE-2025-68949

n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured...

CVSS 5.3 · AI score 6.5 · EPSS 0.00048
Exploits 0 · References 1
NVD
added 2026/01/13 7:16 p.m. · 3 views

CVE-2025-68949

n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured...

CVSS 5.3 · EPSS 0.00048
Exploits 0 · References 4
RedhatCVE
added 2026/01/09 10:32 a.m. · 4 views

CVE-2017-18870

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case...

CVSS 4.3 · AI score 7 · EPSS 0.00183
Exploits 0 · References 1
Snyk
added 2026/01/07 7:20 p.m. · 1 view

Improper Validation of Specified Type of Input

Overview: n8n is a n8n Workflow Automation Tool. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input that is passed to the handleFormData function. An attacker can gain unauthorized access to files on the underlying server by requests with unexpected...

CVSS 10 · AI score 7.2 · EPSS 0.06939
Exploits 16 · References 3
SUSE CVE
added 2025/12/17 2:19 a.m. · 2 views

SUSE CVE-2017-18870

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case...

CVSS 4.3 · AI score 7 · EPSS 0.00183
Exploits 0 · References 2
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2017-9960

Malware in sbrugna...

CVSS 4.3 · AI score 4.9 · EPSS 0.00183
Exploits 0 · References 2
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2024-41455

Malicious code in bioql PyPI...

CVSS 6.4 · AI score 6.6 · EPSS 0.00317
Exploits 0 · References 2
Veracode
added 2025/10/03 4:14 a.m. · 1 view

Server-Side Request Forgery (SSRF)

mautic/core is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to missing validation of webhook destinations, which allows an attacker with webhook permissions to send crafted requests and potentially access internal services, bypassing firewalls...

CVSS 2.7 · AI score 7 · EPSS 0.00048
Exploits 0 · References 5 · Affected Software 1
Cvelist
added 2025/09/03 9:39 a.m. · 5 views

CVE-2025-9821 SSRF via webhook function

Summary: Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the partial request response is also disclosed. Details: When sending webhooks, the destination is not validated, causing SSRF. Impact: Bypass of firewalls to interact with internal...

CVSS 2.7 · EPSS 0.00048
Exploits 0 · References 1
Vulnrichment
added 2025/09/03 9:39 a.m. · 3 views

CVE-2025-9821 SSRF via webhook function

Summary: Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the partial request response is also disclosed. Details: When sending webhooks, the destination is not validated, causing SSRF. Impact: Bypass of firewalls to interact with internal...

CVSS 2.7 · AI score 6.1 · EPSS 0.00048
Exploits 0 · References 1
CVE
added 2025/09/03 9:39 a.m. · 9 views

CVE-2025-9821

The CVE-2025-9821 relates to Mautic’s webhook feature, where the destination of webhooks is not validated, enabling SSRF when a user with webhook permissions can view webhook logs. This can allow bypassing firewalls to reach internal services and may disclose partial response data. Exploitation d...

CVSS 2.7 · AI score 6.1 · EPSS 0.00048
Exploits 0 · References 1
Positive Technologies
added 2025/09/03 12:00 a.m. · 2 views

PT-2025-35709

Name of the Vulnerable Software and Affected Versions: versions not specified. Description: Users with webhook permissions can conduct Server-Side Request Forgery (SSRF) via webhooks. If they have permission to view the webhook logs, the partial request response is also disclosed. This allows...

CVSS 2.7 · AI score 6 · EPSS 0.00048
Exploits 0 · References 4
RedhatCVE
added 2025/05/23 9:55 a.m. · 3 views

CVE-2024-28216

nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery...

CVSS 5.4 · AI score 6.5 · EPSS 0.00264
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 8:06 a.m. · 5 views

CVE-2024-45393

Computer Vision Annotation Tool CVAT is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains...

CVSS 6.4 · AI score 6.7 · EPSS 0.00317
Exploits 0
Positive Technologies
added 2024/03/07 12:00 a.m. · 2 views

PT-2024-22342 · Ngrinder · Ngrinder

Name of the Vulnerable Software and Affected Versions: nGrinder versions prior to 3.5.9. Description: The issue is caused by a lack of access control, allowing an attacker to obtain the results of webhook requests. This could lead to information disclosure and limited Server-Side Request Forgery...

CVSS 5.4 · AI score 6.8 · EPSS 0.00264
Exploits 0 · References 5
Github Security Blog
added 2022/05/24 5:21 p.m. · 2 views

Mattermost Server has mishandled webhook access control

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case...

CVSS 4.3 · AI score 7 · EPSS 0.00183
Exploits 0 · References 5 · Affected Software 1
OSV
added 2020/06/19 5:15 p.m. · 15 views

CVE-2017-18870

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case...

CVSS 4.3 · AI score 6.9
Exploits 0 · References 1