Lucene search
K

50 matches found

Cvelist
Cvelist
added 5 days ago29 views

CVE-2026-59155 Nezha Monitoring: DDNS and Notification credential exposure via unredacted list API

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud...

6.9CVSS0.00304EPSS
Exploits0References3
NVD
NVD
added 2026/06/29 6:16 p.m.11 views

CVE-2026-56783

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS0.00264EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 5:16 p.m.3 views

CVE-2026-56783 Parseable < 2.9.2 - Cleartext Credential Exposure in Notification Target API

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS5.9AI score0.00264EPSS
Exploits0References8
CVE
CVE
added 2026/06/29 5:16 p.m.17 views

CVE-2026-56783

Parseable

7.1CVSS5.8AI score0.00264EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/29 5:16 p.m.5 views

CVE-2026-56783

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS5.8AI score0.00264EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/06/29 5:16 p.m.5 views

CVE-2026-56783 Parseable < 2.9.2 - Cleartext Credential Exposure in Notification Target API

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS5.8AI score0.00264EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/29 5:16 p.m.7 views

EUVD-2026-40159

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS5.8AI score0.00264EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/29 5:16 p.m.36 views

CVE-2026-56783 Parseable < 2.9.2 - Cleartext Credential Exposure in Notification Target API

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS0.00264EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.22 views

PT-2026-53660

Name of the Vulnerable Software and Affected Versions Parseable versions prior to 2.9.2 Description An information disclosure issue exists in the notification-target API endpoints where webhook tokens and basic-auth credentials are returned in cleartext. This occurs because the secret-masking...

7.1CVSS5.9AI score0.00264EPSS
Exploits0References9
OSV
OSV
added 2026/04/10 12:30 a.m.5 views

GHSA-59XC-5V89-R7PR Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation...

6.3CVSS5.7AI score0.00244EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:27 p.m.3 views

CVE-2026-35646

OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts,...

6.3CVSS5.9AI score0.00244EPSS
Exploits0References4
OSV
OSV
added 2026/04/09 9:27 p.m.1 views

CVE-2026-35646 OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation

OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts,...

6.3CVSS6AI score0.00244EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/06 7:35 p.m.3 views

CVE-2026-30846 Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/06 7:35 p.m.4 views

CVE-2026-30846

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/03/06 7:35 p.m.38 views

CVE-2026-30846 Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...

8.7CVSS0.00345EPSS
Exploits0References3
CVE
CVE
added 2026/03/06 7:35 p.m.13 views

CVE-2026-30846

Wekan versions 8.31.0–8.33 expose all global webhook integrations (including sensitive URL and token fields) via the globalwebhooks publication without server-side access control. Any DDP client, even unauthenticated, can subscribe and receive the data, enabling an attacker to retrieve webhook UR...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/06 7:34 p.m.4 views

CVE-2026-30845 Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...

6.9CVSS5.7AI score0.00291EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/06 12:0 a.m.10 views

WeKan 访问控制错误漏洞

WeKan is an open-source dashboard application developed by WeKan. Versions of WeKan from 8.31.0 to 8.33 contain access control vulnerability issues. This vulnerability arises due to the lack of access control in the global Webhook publishing process, which may lead to the exposure of Webhook toke...

8.7CVSS5.8AI score0.00345EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.15 views

PT-2026-23746

🚨 CVE-2026-30846 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the...

8.7CVSS5.7AI score0.00345EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/02/26 2:58 p.m.7 views

CVE-2026-26077

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...

6.5CVSS5.3AI score0.0024EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder