Lucene search
K

120 matches found

Vulnrichment
Vulnrichment
added 2026/05/04 2:45 a.m.6 views

CVE-2026-7724 PrefectHQ prefect Webhook/Notification validate_restricted_url toctou

A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validaterestrictedurl of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is...

5CVSS5.1AI score0.0025EPSS
Exploits0References9
EUVD
EUVD
added 2026/04/28 6:9 p.m.6 views

EUVD-2026-26109

OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver...

4.2CVSS5.2AI score0.00266EPSS
Exploits0References3
NVD
NVD
added 2026/04/23 10:16 p.m.8 views

CVE-2026-41351

OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature...

6.3CVSS0.0033EPSS
Exploits0References3
CVE
CVE
added 2026/04/20 4:4 p.m.23 views

CVE-2026-25883

Vexa SSRF via webhook URL validation flaw : The webhook feature allows authenticated users to configure any HTTP POST URL when meetings complete, with no validation of the target. This enables Server-Side Request Forgery to internal services (e.g., Redis/databases/admin panels), cloud metadata en...

5.8CVSS5.9AI score0.00203EPSS
Exploits0References1Affected Software1
Snyk
Snyk
added 2026/04/18 12:47 a.m.4 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the webhook process. An attacker can exhaust system memory by sending oversized POST payloads before signature validation. This is only exploitable if Stripe webhooks are enabled a...

8.2CVSS5.5AI score0.00446EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/10 7:28 p.m.6 views

PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API

Summary The /api/v1/runs endpoint accepts an arbitrary webhookurl in the request body with no URL validation. When a submitted job completes success or failure, the server makes an HTTP POST request to this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server...

10CVSS6.2AI score0.0028EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/04/10 12:30 a.m.7 views

EUVD-2026-21114

OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook...

6.3CVSS5.9AI score0.00287EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.3 views

PT-2026-31981

OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered...

6CVSS5.8AI score0.00236EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/04/09 12:0 a.m.5 views

PraisonAI 代码问题漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.128 contained code vulnerabilities. These vulnerabilities stemmed from the/api/v1/runs endpoint allowing arbitrary webhook URLs without proper URL validation, which could le...

10CVSS6AI score0.0028EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.10 views

PT-2026-31783

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook url in the request body with no URL validation. When a submitted job completes success or failure, the server makes an HTTP POST request to this URL using httpx.AsyncClient. An...

7.2CVSS6.1AI score0.0028EPSS
Exploits1References5
EUVD
EUVD
added 2026/04/08 6:31 a.m.5 views

EUVD-2026-20042

The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that...

5.3CVSS5.9AI score0.00385EPSS
Exploits0References15
NVD
NVD
added 2026/04/08 5:16 a.m.5 views

CVE-2026-3646

The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that...

5.3CVSS0.00385EPSS
Exploits0References14
CVE
CVE
added 2026/04/08 3:36 a.m.9 views

CVE-2026-3646

The CVE concerns the WordPress plugin LTL Freight Quotes – R+L Carriers Edition (versions up to and including 3.3.13). A standalone PHP webhook handler processes GET parameters without proper authentication, authorization, or nonce verification, allowing unauthenticated attackers to modify subscr...

5.3CVSS5.9AI score0.00385EPSS
Exploits0References14
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.8 views

WordPress plugin LTL Freight Quotes – R+L Carriers Edition 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

5.3CVSS5.8AI score0.00385EPSS
Exploits0References14
NVD
NVD
added 2026/04/02 6:16 p.m.5 views

CVE-2026-34590

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl format check, missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The updat...

5.4CVSS0.00226EPSS
Exploits1References3
CVE
CVE
added 2026/04/01 4:15 a.m.14 views

CVE-2026-5254

The CVE-2026-5254 entry documents a client-side web app vulnerability in welovemedia FFmate up to version 2.0.15. The vulnerability affects an unknown function within the Webhook Handler component, specifically the file /ui/app/components/AppJsonTreeView.vue, where manipulation leads to cross-sit...

5.1CVSS4.1AI score0.00239EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/03/31 2:10 p.m.3 views

CVE-2026-33580

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting...

6.5CVSS5.9AI score0.00365EPSS
Exploits0References4
OSV
OSV
added 2026/03/27 3:47 p.m.2 views

GHSA-89V5-38XR-9M4J Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader

Summary Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code 1. Webhook Send Endpoint Most Critical apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: typescript async sendWebhook@Body...

7.8CVSS6AI score
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/27 3:47 p.m.8 views

Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader

Summary Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code 1. Webhook Send Endpoint Most Critical apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: typescript async sendWebhook@Body...

6AI score
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/03/26 9:45 p.m.4 views

Improper Authorization

Overview @openclaw/synology-chat is a Synology Chat channel plugin for OpenClaw Affected versions of this package are vulnerable to Improper Authorization in the webhook process. An attacker can gain unauthorized access to direct message policies by exploiting a path collision in the multi-accoun...

7.2CVSS5.9AI score0.00245EPSS
Exploits0References2
Rows per page
Query Builder