Lucene search

3564 matches found

Cvelist
added 2026/03/28 6:30 p.m., 29 views

CVE-2026-5011 elecV2 elecV2P JSON webhook runJSFile code injection

A vulnerability was detected in elecV2 elecV2P up to 3.8.3. This vulnerability affects the function runJSFile of the file /webhook of the component JSON Parser. Performing a manipulation of the argument rawcode results in code injection. Remote exploitation of the attack is possible. The exploit ...

CVSS 6.5, EPSS 0.00232
Exploits: 0, References: 5
CVE
added 2026/03/28 6:30 p.m., 11 views

CVE-2026-5011

CVE-2026-5011 affects elecV2 elecV2P up to version 3.8.3. The vulnerability resides in the JSON Parser component, specifically the runJSFile function in the /webhook file. Manipulating the argument rawcode can lead to code injection, enabling remote exploitation. Public exploit exists and may be ...

CVSS 6.5, AI score 6.3, EPSS 0.00232
Exploits: 0, References: 5
RedhatCVE
added 2026/03/28 4:59 p.m., 4 views

CVE-2026-4984

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVSS 8.2, AI score 6, EPSS 0.00156
Exploits: 0, References: 1
SUSE CVE
added 2026/03/28 12:24 a.m., 2 views

SUSE CVE-2026-33619

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

CVSS 4.1, AI score 5.9, EPSS 0.00249
Exploits: 1, References: 3
SUSE CVE
added 2026/03/28 12:24 a.m., 3 views

SUSE CVE-2026-33677

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...

CVSS 6.5, AI score 5.9, EPSS 0.00297
Exploits: 1, References: 3
Positive Technologies
added 2026/03/28 12:00 a.m., 1 view

PT-2026-28725

Name of the Vulnerable Software and Affected Versions: elecV2 versions prior to 3.8.4. Description: A code injection issue exists in the JSON Parser component due to manipulation of the rawcode argument within the runJSFile function of the /webhook file. Remote exploitation is possible. The project...

CVSS 6.5, AI score 5.8, EPSS 0.00232
Exploits: 0, References: 7
RedhatCVE
added 2026/03/27 10:51 p.m., 5 views

CVE-2026-33619

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

CVSS 4.1, AI score 5.9, EPSS 0.00249
Exploits: 1, References: 1
Snyk
added 2026/03/27 10:37 p.m., 4 views

Weak Password Requirements

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Weak Password Requirements in the authentication process for Telegram webhooks due to missing rate limiting on secret guesses. An attacker can repeatedly attempt to guess weak secrets by...

CVSS 6.5, AI score 5.9, EPSS 0.00287
Exploits: 0, References: 3
OSV
added 2026/03/27 10:37 p.m., 6 views

GHSA-VCX4-4QXG-MFP4 OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret

Summary: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret. Affected Packages / Versions: Package: openclaw; Affected versions: <= 2026.3.24; First patched version: 2026.3.25; Latest published npm version at verification time: 2026.3.24. Details...

CVSS 6.3, AI score 5.9, EPSS 0.00287
Exploits: 0, References: 5
Github Security Blog
added 2026/03/27 10:37 p.m., 9 views

OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret

Summary: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret. Affected Packages / Versions: Package: openclaw; Affected versions: <= 2026.3.24; First patched version: 2026.3.25; Latest published npm version at verification time: 2026.3.24. Details...

CVSS 6.5, AI score 5.9, EPSS 0.00287
Exploits: 0, References: 5, Affected Software: 1
OSV
added 2026/03/27 10:31 p.m., 4 views

GHSA-XQ8G-HGH6-87HV OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing

Summary: BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password. Affected Packages / Versions: Package: openclaw; Affected versions: <= 2026.3.24; First patched version: 2026.3.25; Latest published npm version at verification time: 2026.3.24. Details...

CVSS 6.3, AI score 5.9, EPSS 0.00361
Exploits: 0, References: 5
Github Security Blog
added 2026/03/27 10:31 p.m., 15 views

OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing

Summary: BlueBubbles Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Password. Affected Packages / Versions: Package: openclaw; Affected versions: <= 2026.3.24; First patched version: 2026.3.25; Latest published npm version at verification time: 2026.3.24. Details...

CVSS 6.5, AI score 5.9, EPSS 0.00361
Exploits: 0, References: 5, Affected Software: 1
RedhatCVE
added 2026/03/27 5:09 p.m., 3 views

CVE-2026-3109

Mattermost Plugins versions =11.4 10.11.11.0 fail to validate webhook request timestamps, which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584...

CVSS 2.2, AI score 5.9, EPSS 0.00304
Exploits: 0, References: 1
OSV
added 2026/03/27 3:47 p.m., 2 views

GHSA-89V5-38XR-9M4J Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader

Summary: Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code: 1. Webhook Send Endpoint (Most Critical), apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: typescript async sendWebhook@Body...

CVSS 7.8, AI score 6
Exploits: 0, References: 5
Github Security Blog
added 2026/03/27 3:47 p.m., 8 views

Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader

Summary: Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code: 1. Webhook Send Endpoint (Most Critical), apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: typescript async sendWebhook@Body...

AI score 6
Exploits: 0, References: 5, Affected Software: 1
EUVD
added 2026/03/27 3:30 p.m., 4 views

EUVD-2026-16632

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVSS 8.2, AI score 5.9, EPSS 0.00156
Exploits: 0, References: 2
NVD
added 2026/03/27 3:17 p.m., 3 views

CVE-2026-4984

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVSS 8.2, EPSS 0.00156
Exploits: 0, References: 1
ATTACKERKB
added 2026/03/27 2:13 p.m., 2 views

CVE-2026-4984

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVSS 8.2, AI score 5.9, EPSS 0.00156
Exploits: 0, References: 2
Cvelist
added 2026/03/27 2:13 p.m., 26 views

CVE-2026-4984 Botpress - Credential Disclosure via Twilio Webhook Handler

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVSS 8.2, EPSS 0.00156
Exploits: 0, References: 1
Vulnrichment
added 2026/03/27 2:13 p.m., 5 views

CVE-2026-4984 Botpress - Credential Disclosure via Twilio Webhook Handler

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVSS 8.2, AI score 5.9, EPSS 0.00156
Exploits: 0, References: 1