3510 matches found
CVE-2026-26077
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
CVE-2026-26078
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the patreonwebhooksecret site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to th...
CVE-2026-26078 Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the patreonwebhooksecret site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to th...
EUVD-2026-8856
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the patreonwebhooksecret site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to th...
CVE-2026-26078
Discourse’s Patreon webhook vulnerability (CVE-2026-26078) affects releases prior to 2025.12.2, 2026.1.1, and 2026.2.0. When patreon_webhook_secret is blank, an attacker can generate valid webhook signatures by computing an HMAC-MD5 with an empty key, using the known request body to forge arbitra...
CVE-2026-26078 Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the patreonwebhooksecret site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to th...
CVE-2026-26078 Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the patreonwebhooksecret site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to th...
CVE-2026-26077
CVE-2026-26077 – Discourse webhook authentication bypass . Affects Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, where several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController accepted requests without a valid authentication token whe...
CVE-2026-26077 Discourse doesn't ensure webhooks require a token
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
CVE-2026-26077
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
CVE-2026-26077 Discourse doesn't ensure webhooks require a token
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Actions V2 webhook. An attacker can access internal network resources and gather information about internal services by specifying target URLs that resolve to local hosts or internal IP addresses...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Actions V2 webhook. An attacker can access internal network resources and gather information about internal services by specifying target URLs that resolve to local hosts or internal IP addresses...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Actions V2 webhook. An attacker can access internal network resources and gather information about internal services by specifying target URLs that resolve to local hosts or internal IP addresses...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Actions V2 webhook. An attacker can access internal network resources and gather information about internal services by specifying target URLs that resolve to local hosts or internal IP addresses...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Actions V2 webhook. An attacker can access internal network resources and gather information about internal services by specifying target URLs that resolve to local hosts or internal IP addresses...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Actions V2 webhook. An attacker can access internal network resources and gather information about internal services by specifying target URLs that resolve to local hosts or internal IP addresses...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Actions V2 webhook. An attacker can access internal network resources and gather information about internal services by specifying target URLs that resolve to local hosts or internal IP addresses...
CVE-2026-27945 ZITADEL has potential SSRF via Actions
ZITADEL is an open source identity management platform. Zitadel Action V2 introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0 is a webhook based approach to allow developers act on API request to Zitadel and customize flows such the issue of a token. Zitadel's Action target URLs...
Discourse 授权问题漏洞
Discourse is an open-source community discussion platform developed by Discourse. This platform includes features such as communities, email communication, and chat rooms. Versions of Discourse before 2025.12.2, 2026.1.1, and 2026.2.0 have vulnerabilities related to authorization. These...