Lucene search
+L

190 matches found

nvd
nvd
added yesterday6 views

CVE-2026-61436

PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke configured agents with arbitrary sender addresses and message...

8.8CVSS
Exploits0References4
euvd
euvd
added yesterday4 views

EUVD-2026-44626

n8n contains an authentication bypass in the Chat Trigger node when configured with n8n User Auth a non-default configuration. In affected releases — before 1.123.22, the 2.0.0 through 2.9.2 line, and 2.10.0 — the authentication check on the Chat Trigger webhook endpoint can be circumvented,...

6.3CVSS6.1AI score
Exploits0References2
osv
osv
added 6 days ago3 views

CVE-2026-60091 PraisonAI before 4.6.78 Unauthenticated SSRF via webhook_url

PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhookurl parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a...

6.9CVSS6.1AI score0.0018EPSS
Exploits0References4
nvd
nvd
added 2026/07/04 1:16 p.m.10 views

CVE-2026-14628

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extractmedia of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is...

6.9CVSS0.00551EPSS
Exploits1References5
cvelist
cvelist
added 2026/07/04 1:0 p.m.42 views

CVE-2026-14628 NousResearch hermes-agent Live Webhook Endpoint base.py extract_media path traversal

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extractmedia of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is...

6.9CVSS0.00551EPSS
Exploits1References5
attackerkb
attackerkb
added 2026/07/04 1:0 p.m.9 views

CVE-2026-14628

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extractmedia of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is...

6.9CVSS5.8AI score0.00551EPSS
Exploits1References5Affected Software1
euvd
euvd
added 2026/07/04 1:0 p.m.12 views

EUVD-2026-41673

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extractmedia of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is...

6.9CVSS5.8AI score0.00551EPSS
Exploits1References5
ossf
ossf
added 2026/06/30 8:59 p.m.13 views

Malicious code in @sudoughnym/enviro-demo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957 @sudoughnym/[email protected] ships preinstall.js and postinstall.js lifecycle scripts that run automatically on npm install. Both scripts collect...

5.8AI score
Exploits0References2
osv
osv
added 2026/06/30 8:59 p.m.7 views

MAL-2026-6697 Malicious code in @sudoughnym/enviro-demo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957 @sudoughnym/[email protected] ships preinstall.js and postinstall.js lifecycle scripts that run automatically on npm install. Both scripts collect...

5.8AI score
Exploits0References2
nvd
nvd
added 2026/06/29 6:16 p.m.12 views

CVE-2026-57953

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventingimportautomaticwebhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can...

5.4CVSS0.00249EPSS
Exploits0References4
cvelist
cvelist
added 2026/06/29 5:21 p.m.33 views

CVE-2026-57953 Mythic < 3.4.0.60 - Unauthorized Automation Workflow Modification via eventing_import_automatic_webhook Endpoint

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventingimportautomaticwebhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can...

5.4CVSS0.00249EPSS
Exploits0References4
attackerkb
attackerkb
added 2026/06/29 5:21 p.m.6 views

CVE-2026-57953

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventingimportautomaticwebhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can...

5.4CVSS5.8AI score0.00249EPSS
Exploits0References5
osv
osv
added 2026/06/29 5:21 p.m.3 views

CVE-2026-57953 Mythic < 3.4.0.60 - Unauthorized Automation Workflow Modification via eventing_import_automatic_webhook Endpoint

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventingimportautomaticwebhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can...

5.3CVSS6AI score0.00249EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/29 12:0 a.m.12 views

PT-2026-53671

Name of the Vulnerable Software and Affected Versions Mythic versions prior to 3.4.0.60 Description An authorization bypass exists that allows authenticated users with the spectator role to perform unauthorized write operations. This occurs because the 'eventing import automatic webhook' endpoint...

5.4CVSS6AI score0.00249EPSS
Exploits0References9
attackerkb
attackerkb
added 2026/06/26 4:2 p.m.9 views

CVE-2026-56823

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the POST /api/integrations/webhooks/webhookid/ping endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the...

5.4CVSS5.9AI score0.0015EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/06/22 2:10 p.m.37 views

CVE-2026-7664 Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS

IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint...

9.8CVSS0.00277EPSS
Exploits0References1
cve
cve
added 2026/06/22 2:10 p.m.15 views

CVE-2026-7664

Summary: IBM Langflow OSS versions 1.0.0–1.8.4 are affected by an unauthenticated access issue due to improper authorization enforcement on the Streamable MCP transport endpoint, potentially allowing access to protected MCP project resources and execution of MCP operations. Affected products/vers...

9.8CVSS5.9AI score0.00277EPSS
Exploits0References1Affected Software1
ibm
ibm
added 2026/06/21 3:51 p.m.3 views

Security Bulletin: Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS

Summary Langflow OSS POST /api/v1/webhook/flowid executes any user's flow without authentication by default. Setting WEBHOOKAUTHENABLE defaults to False in auth configuration. When False, webhook handler calls getuserbyflowidorendpointname and trusts caller unconditionally with no credential chec...

9.8CVSS5.9AI score0.00277EPSS
Exploits0Affected Software1
cvelist
cvelist
added 2026/06/19 6:51 a.m.36 views

CVE-2026-3640 STRABL <= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint

The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permissioncallback of returntrue, which allows all incoming requests...

5.3CVSS0.00382EPSS
Exploits0References14
cve
cve
added 2026/06/19 6:51 a.m.20 views

CVE-2026-3640

The STRABL WordPress plugin (versions

5.3CVSS5.8AI score0.00382EPSS
Exploits0References14
Rows per page
Query Builder