Lucene search
K

118 matches found

Vulnrichment
Vulnrichment
added 2026/03/11 7:53 p.m.3 views

CVE-2026-32096 Plunk has SSRF via unvalidated AWS SNS SubscriptionConfirmation in POST /webhooks/sns

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery SSRF vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to an...

9.3CVSS5.9AI score0.00273EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.7 views

PT-2026-24815

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.7.0, a Server-Side Request Forgery SSRF vulnerability existed in the SNS webhook handler. An unauthenticated attacker could send a crafted request that caused the server to make an arbitrary outbound HTTP GET request to an...

9.3CVSS5.9AI score0.00273EPSS
Exploits1References6
EUVD
EUVD
added 2026/03/09 8:55 p.m.7 views

EUVD-2026-10358

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any...

9.1CVSS5.8AI score0.15339EPSS
Exploits2References1
Vulnrichment
Vulnrichment
added 2026/03/07 11:2 p.m.3 views

CVE-2026-3681 welovemedia FFmate webhook.go fireWebhook server-side request forgery

A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook.go. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The exploit has been made available to...

6.5CVSS6.3AI score0.00224EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/03/07 11:2 p.m.5 views

CVE-2026-3681

A weakness has been identified in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook.go. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The exploit has been made available to...

6.5CVSS5.5AI score0.00224EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2026/03/07 12:0 a.m.7 views

ffmate 代码问题漏洞

ffmate is an automated media processing engine open source by We Love Media. Versions of ffmate 2.0.15 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect operations on the function fireWebhook in files/internal/service/webhook/webhook.go, which could lead to...

6.5CVSS6.7AI score0.00224EPSS
Exploits0References5
NVD
NVD
added 2026/03/06 10:16 p.m.8 views

CVE-2026-30242

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.isloopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses 10.x.x.x, 172.16.x.x...

8.5CVSS0.00284EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/06 9:19 p.m.3 views

CVE-2026-30242

Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.isloopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses 10.x.x.x, 172.16.x.x...

8.5CVSS5.8AI score0.00284EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/03/06 1:0 a.m.3 views

Missing Authentication for Critical Function

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the webhook process of the BlueBubbles plugin due to trusting the loopback remoteAddress without validating forwarding headers. An attacker...

8.2CVSS5.9AI score0.00408EPSS
Exploits0References2
OSV
OSV
added 2026/03/05 9:59 p.m.4 views

CVE-2026-28478 OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and...

8.7CVSS7.2AI score0.00436EPSS
Exploits0References5
Snyk
Snyk
added 2026/02/26 10:47 p.m.2 views

User Impersonation

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to User Impersonation via the ZendeskTrigger component. An attacker can inject arbitrary data into workflows by sending unsigned POST requests to the webhook endpoint. Remediation Upgrade n8n-nodes-bas...

6.3CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/02/26 3:13 a.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Actions V2 webhook. An attacker can access internal network resources and gather information about internal services by specifying target URLs that resolve to local hosts or internal IP addresses...

6.5CVSS6AI score0.00226EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/02/21 12:0 a.m.9 views

OpenClaw 代码问题漏洞

OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw suffers from a code issue vulnerability that stems from a Cron webhook delivery using fetch direct call, which can be exploited by an attacker to cause the webhook target to access private or internal endpoints...

7.3CVSS5.8AI score0.00327EPSS
Exploits0References3
OSV
OSV
added 2026/02/19 11:30 p.m.7 views

CVE-2026-26957 Libredesk has an SSRF Vulnerability via Webhooks

Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal...

6.9CVSS5.7AI score0.00061EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/02/19 11:30 p.m.4 views

CVE-2026-26957

Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal...

6.9CVSS5.8AI score0.00061EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/02/12 10:16 p.m.7 views

CVE-2026-26055

Yoke is a Helm-inspired infrastructure-as-code IaC package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller ATC component of Yoke. The ATC webhook endpoints lack proper authentication mechanisms, allowing any pod within the cluster network to directly send...

7.5CVSS0.0041EPSS
Exploits1References1
NVD
NVD
added 2026/02/04 5:16 p.m.10 views

CVE-2026-25051

n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting XSS vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy CSP sandbox protection intended to...

8.5CVSS0.00224EPSS
Exploits0References3
EUVD
EUVD
added 2026/02/04 5:10 p.m.6 views

EUVD-2026-5385

GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5...

4.1CVSS5.3AI score0.00317EPSS
Exploits0References2
OSV
OSV
added 2026/02/04 5:10 p.m.5 views

CVE-2026-22247 GLPI is Vulnerable to SSRF via Webhooks

GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5...

4.1CVSS5.3AI score0.00317EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/02/04 5:10 p.m.4 views

CVE-2026-22247

GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5...

4.1CVSS5.3AI score0.00317EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder