34 matches found

NVD (added 3 days ago, 8 views)

CVE-2026-49139

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the...

CVSS 7, EPSS 0.00132
Exploits: 0, References: 4
EUVD (added 2026/04/10 12:30 a.m., 1 view)

EUVD-2026-21136

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through...

CVSS 6.9, AI score 5.9, EPSS 0.00127
Exploits: 0, References: 4
OSV (added 2026/03/31 8:53 p.m., 2 views)

CVE-2026-34737 AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions() Bug

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, includin...

CVSS 6.5, AI score 6, EPSS 0.00012
Exploits: 1, References: 3
SUSE CVE (added 2026/03/04 12:25 a.m., 1 view)

SUSE CVE-2026-27626

OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell...

CVSS 9.9, AI score 6.1, EPSS 0.00178
Exploits: 1, References: 3
OSV (added 2026/02/25 4:18 p.m., 3 views)

GHSA-49GM-HH7W-WFVF OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks

Summary OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via...

CVSS 9.9, AI score 6.5, EPSS 0.00178
Exploits: 1, References: 5
Github Security Blog (added 2026/02/25 4:18 p.m., 3 views)

OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks

Summary OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via...

CVSS 9.9, AI score 6.4, EPSS 0.00178
Exploits: 1, References: 5, Affected software: 1
Snyk (added 2026/02/25 6:16 a.m., 1 view)

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the password argument type and webhook JSON extraction bypassing shell safety checks. An attacker can execute arbitrary operating system commands by supplying crafted input to the password argument or by sending...

CVSS 9.9, AI score 6.2, EPSS 0.00178
Exploits: 1, References: 2
GithubExploit (added 2026/02/19 3:28 p.m., 105 views)

exploit-surge-radar

Exploit Surge Radar Detect exploit-active vulnerability surge...

AI score 5.5
Exploits: 0
OSV (added 2026/02/17 9:36 p.m., 6 views)

GHSA-R5H9-VJQC-HQ3R Nextcloud Talk allowlist bypass via actor.name display name spoofing

Summary In affected versions of the optional Nextcloud Talk plugin (installed separately; not bundled with the core OpenClaw install), an untrusted webhook field, actor.name (the display name), could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an...

CVSS 9.3, AI score 5.7, EPSS 0.00072
Exploits: 0, References: 5
OSV (added 2025/10/23 4:25 p.m., 2 views)

GO-2025-3996 argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload in github.com/argoproj/argo-cd

argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload in github.com/argoproj/argo-cd...

CVSS 7.5, AI score 7.1, EPSS 0.003
Exploits: 1, References: 3
OSV (added 2025/10/06 8:54 a.m., 5 views)

BIT-ARGO-CD-2025-59531 Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0 through 2.14.19, 3.0.0 through 3.2.0, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a...

CVSS 7.5, AI score 7.3, EPSS 0.00239
Exploits: 1, References: 3
EUVD (added 2025/10/03 8:07 p.m., 2 views)

EUVD-2022-51611

Malicious code in bioql PyPI...

CVSS 5.3, AI score 5.4, EPSS 0.00136
Exploits: 0, References: 2
EUVD (added 2025/10/03 8:07 p.m., 2 views)

EUVD-2025-31766

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.3, EPSS 0.003
Exploits: 1, References: 4
EUVD (added 2025/10/03 8:07 p.m., 1 view)

EUVD-2025-31767

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.3, EPSS 0.00239
Exploits: 1, References: 4
CVE (added 2025/10/01 9:01 p.m., 10 views)

CVE-2025-59537

CVE-2025-59537 affects Argo CD. Affected: Argo CD server components in versions 1.2.0–1.8.7, 2.0.0-rc1–2.14.19, 3.0.0-rc1–3.2.0-rc1, 3.1.7, and 3.0.18. Description: receiving a Gogs push webhook with commits[].repo missing or null can crash the argocd-server process via the /api/webhook endpoint,...

CVSS 7.5, AI score 6.3, EPSS 0.003
Exploits: 1, References: 2, Affected software: 1
Vulnrichment (added 2025/10/01 8:49 p.m., 2 views)

CVE-2025-59531 Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate client...

CVSS 7.5, AI score 6.3, EPSS 0.00239
Exploits: 1, References: 2
Cvelist (added 2025/10/01 8:49 p.m., 4 views)

CVE-2025-59531 Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate client...

CVSS 7.5, EPSS 0.00239
Exploits: 1, References: 2
CVE (added 2025/10/01 8:49 p.m., 16 views)

CVE-2025-59531

CVE-2025-59531 affects Argo CD versions 1.2.0–1.8.7, 2.0.0-rc1–2.14.19, and 3.0.0-rc1–3.2.0-rc1, plus 3.1.7 and 3.0.18. The issue arises when the webhook Bitbucket Server payload is malformed and webhook.bitbucketserver.secret is not configured, causing the /api/webhook endpoint to crash and pote...

CVSS 7.5, AI score 6.3, EPSS 0.00239
Exploits: 1, References: 2, Affected software: 1
Github Security Blog (added 2025/09/30 6:28 p.m., 5 views)

argo-cd vulnerable unauthenticated DoS via malformed Gogs webhook payload

Summary Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process whe...

CVSS 7.5, AI score 7, EPSS 0.003
Exploits: 1, References: 5, Affected software: 3
Github Security Blog (added 2025/09/30 6:11 p.m., 3 views)

Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Summary Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.bitbucketserver.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server...

CVSS 7.5, AI score 7, EPSS 0.00239
Exploits: 1, References: 5, Affected software: 3