3509 matches found
CVE-2026-25051 n8n Improper CSP Enforcement in Webhook Responses May Allow Stored XSS
n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to...
CVE-2026-25518 vulnerabilities
Vulnerabilities for packages: mariadb-operator, cert-manager-webhook-pdns, cert-manager-csi-driver, cert-manager-cmctl, step-issuer, cert-manager-istio-csr, opentelemetry-operator, percona-server-mongodb-operator, aws-privateca-issuer...
Nature Easy Soft Network Technology ZenTao Code Issue Vulnerability
Nature Easy Soft Network Technology ZenTao is an open-source project management software developed by Nature Easy Soft Network Technology. This software includes functions such as product management, project management, quality management, and document management. The version 21.7.6-85642 and...
PT-2026-6071
Name of the Vulnerable Software and Affected Versions: ZenTao versions through 21.7.6-85642. Description: A server-side request forgery condition exists in ZenTao. The issue is located in the fetchHook function within the module/webhook/model.php file of the Webhook Module component. This manipulati...
n8n Cross-Site Scripting Vulnerability
n8n is an open-source, scalable workflow automation tool developed by n8n. Versions of n8n prior to 1.123.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper handling of Webhook responses and HTTP endpoints, potentially leading to cross-site scripting attack...
GLPI Code Issue Vulnerability
GLPI is an open-source IT and asset management software developed by GLPI. This software provides a comprehensive IT resource management interface, allowing you to create databases to manage various IT assets such as computers, monitors, servers, printers, network devices, telephones, and even...
PT-2026-6105
Name of the Vulnerable Software and Affected Versions: GLPI versions 11.0.0 through 11.0.4. Description: A GLPI administrator can perform Server-Side Request Forgery (SSRF) requests through the Webhook feature. This allows an attacker to potentially make requests on behalf of the server, accessing...
PT-2026-6260
Name of the Vulnerable Software and Affected Versions: n8n versions prior to 1.123.2. Description: n8n is a workflow automation platform. A Cross-Site Scripting (XSS) issue exists in the handling of webhook responses and related HTTP endpoints. The Content Security Policy (CSP) sandbox protection may no...
PT-2026-6391
Impact: A Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user...
GHSA-GX3X-VQ4P-MHHV vulnerabilities
Vulnerabilities for packages: mariadb-operator, cert-manager-webhook-pdns, cert-manager-csi-driver, cert-manager-cmctl, step-issuer, cert-manager-istio-csr, opentelemetry-operator, percona-server-mongodb-operator, aws-privateca-issuer...
GHSA-GX3X-VQ4P-MHHV vulnerabilities
Vulnerabilities for packages: cert-manager-csi-driver, percona-server-mongodb-operator, cert-manager-cmctl, mariadb-operator-fips, cert-manager-openshift-routes, step-issuer, cert-manager-google-cas-issuer, aws-privateca-issuer, mariadb-operator, percona-server-mongodb-operator-fips,...
Improper Access Control.
Weblate is vulnerable to improper access control. The vulnerability is due to insufficient validation of webhook payloads, which allows an attacker to craft malicious webhook requests and trigger unauthorized repository updates across multiple repositories...
BIT-DISCOURSE-2026-24742 Discourse staff action logs expose sensitive information to moderators
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...
CLEANSTART-2026-HV28992 Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3
Multiple security vulnerabilities affect the cert-manager-webhook-pdns-fips package. Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3. See references for individual vulnerability details...
CLEANSTART-2026-QW16951 SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process
Multiple security vulnerabilities affect the cert-manager-webhook-pdns-fips package. SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. See references for individual vulnerability details...
CLEANSTART-2026-GC16599 Cancelling a query (e
Multiple security vulnerabilities affect the cert-manager-webhook-pdns-fips package. Cancelling a query e. See references for individual vulnerability details...
CLEANSTART-2026-TR11635 Cancelling a query (e
Multiple security vulnerabilities affect the cert-manager-webhook-pdns-fips package. Cancelling a query e. See references for individual vulnerability details...
CLEANSTART-2026-XD92996 Cancelling a query (e
Multiple security vulnerabilities affect the cert-manager-webhook-pdns-fips package. Cancelling a query e. See references for individual vulnerability details...
CVE-2026-24742
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and...