CVE-2025-27616

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

CVE-2025-27616 Vela Server has Insufficient Webhook Payload Data Verification

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

CVE-2025-27616

Vela Server (CI/CD framework) is affected in versions prior to 0.25.3 and 0.26.3. By spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo-level CI secrets to another repository. Those secrets could be exfiltrate...

Vela Server 安全漏洞

Vela Server is a Vela open source pipeline automation CI/CD framework built on Linux container technology. A security vulnerability exists in Vela Server versions prior to 0.25.3 and prior to 0.26.3, which stems from a possible repository ownership transfer and secret disclosure via a spoofed...

Wordfence Intelligence Weekly WordPress Vulnerability Report (February 24, 2025 to March 2, 2025)

Did you know Wordfence runs aBug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability , for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we...

GHSA-7WRW-R4P8-38RX vulnerabilities

Vulnerabilities for packages: harbor-scanner-trivy, podman, oras, kube-vip, spire-controller-manager, kubernetes-csi-driver-hostpath, nri-couchbase, aws-flb-firehose, go-licenses, crossplane-provider-sql, nri-jmx, mockgen, nsc, distribution, gptscript, velero-plugin-for-csi, flux-source-controlle...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS through the webhook integration process. An attacker can execute arbitrary scripts in the context of the victim's browser session by injecting malicious payloads into the webhook settings. Details Cross-site...

Malicious code in transaction-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c1efc9cf33a18e7f3c4294c39aabadf136974e4e2ee56c874ba337ac609c6b77 The only thing the package does is send out all the given data about a cryptocurrency transaction, including the private key, to a hardcoded webhook. Feedback...

MAL-2025-191909 Malicious code in transaction-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c1efc9cf33a18e7f3c4294c39aabadf136974e4e2ee56c874ba337ac609c6b77 The only thing the package does is send out all the given data about a cryptocurrency transaction, including the private key, to a hardcoded webhook. Feedback...

Malicious code in spacelift-webhook-receiver (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 6bb9dc87c1669be92bee0be50a372fb87d1d92064bc4db257131d4323c2783e9 The OpenSSF Package Analysis project identified 'spacelift-webhook-receiver' @ 1.1.0 npm as malicious. It is considered malicious because: - The...

MAL-2025-1511 Malicious code in spacelift-webhook-receiver (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 6bb9dc87c1669be92bee0be50a372fb87d1d92064bc4db257131d4323c2783e9 The OpenSSF Package Analysis project identified 'spacelift-webhook-receiver' @ 1.1.0 npm as malicious. It is considered malicious because: - The...

CVE-2024-13879

The Stream plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.2 due to insufficient validation on the webhook feature. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to...

CVE-2024-13879

CVE-2024-13879 – WordPress Stream plugin : The vulnerability is a Server-Side Request Forgery (SSRF) in Stream versions up to 4.0.2, caused by insufficient validation of the webhook feature. Exploitation requires authenticated access with administrator-level privileges or higher, allowing an atta...

WordPress plugin Stream 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code issue vulnerability...

PT-2025-6619 · WordPress · Stream

Name of the Vulnerable Software and Affected Versions: The Stream plugin for WordPress versions up to, and including, 4.0.2 Description: The issue is related to Server-Side Request Forgery due to insufficient validation on the webhook feature. This allows authenticated attackers with...

Exploit for Server-Side Request Forgery in Rocket.Chat

CVE-2024-39713: Rocket.Chat SSRF PoC Description A Server...

CVE-2022-39292

Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slac...

CVE-2024-5526

Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers. Grafana OnCall, from version 1.1.37 before 1.5.2 are vulnerable to a Server Side Request Forgery SSRF...

CVE-2024-22408

Shopware is an open headless commerce platform. The implemented Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the “call webhook” action. This enables malicious users to perform web requests to internal hosts. This issue has been fix...

CVE-2024-39713

A Server-Side Request Forgery SSRF affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1...