120 matches found
CVE-2026-7724 PrefectHQ prefect Webhook/Notification validate_restricted_url toctou
A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validaterestrictedurl of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is...
EUVD-2026-26109
OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver...
CVE-2026-41351
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature...
CVE-2026-25883
Vexa SSRF via webhook URL validation flaw : The webhook feature allows authenticated users to configure any HTTP POST URL when meetings complete, with no validation of the target. This enables Server-Side Request Forgery to internal services (e.g., Redis/databases/admin panels), cloud metadata en...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the webhook process. An attacker can exhaust system memory by sending oversized POST payloads before signature validation. This is only exploitable if Stripe webhooks are enabled a...
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API
Summary The /api/v1/runs endpoint accepts an arbitrary webhookurl in the request body with no URL validation. When a submitted job completes success or failure, the server makes an HTTP POST request to this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server...
EUVD-2026-21114
OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook...
PT-2026-31981
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered...
PraisonAI 代码问题漏洞
PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.128 contained code vulnerabilities. These vulnerabilities stemmed from the/api/v1/runs endpoint allowing arbitrary webhook URLs without proper URL validation, which could le...
PT-2026-31783
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook url in the request body with no URL validation. When a submitted job completes success or failure, the server makes an HTTP POST request to this URL using httpx.AsyncClient. An...
EUVD-2026-20042
The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that...
CVE-2026-3646
The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that...
CVE-2026-3646
The CVE concerns the WordPress plugin LTL Freight Quotes – R+L Carriers Edition (versions up to and including 3.3.13). A standalone PHP webhook handler processes GET parameters without proper authentication, authorization, or nonce verification, allowing unauthenticated attackers to modify subscr...
WordPress plugin LTL Freight Quotes – R+L Carriers Edition 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
CVE-2026-34590
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl format check, missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The updat...
CVE-2026-5254
The CVE-2026-5254 entry documents a client-side web app vulnerability in welovemedia FFmate up to version 2.0.15. The vulnerability affects an unknown function within the Webhook Handler component, specifically the file /ui/app/components/AppJsonTreeView.vue, where manipulation leads to cross-sit...
CVE-2026-33580
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting...
GHSA-89V5-38XR-9M4J Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader
Summary Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code 1. Webhook Send Endpoint Most Critical apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: typescript async sendWebhook@Body...
Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader
Summary Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code 1. Webhook Send Endpoint Most Critical apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: typescript async sendWebhook@Body...
Improper Authorization
Overview @openclaw/synology-chat is a Synology Chat channel plugin for OpenClaw Affected versions of this package are vulnerable to Improper Authorization in the webhook process. An attacker can gain unauthorized access to direct message policies by exploiting a path collision in the multi-accoun...