3442 matches found
CVE-2026-39969
TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...
CVE-2026-39969 TypeBot: WhatsApp Webhook Endpoint Missing Signature Verification
TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...
EUVD-2026-31485
TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...
CVE-2026-39969 TypeBot: WhatsApp Webhook Endpoint Missing Signature Verification
TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...
CVE-2026-39969
CVE-2026-39969 (TypeBot) affects TypeBot prior to 3.17.0. The WhatsApp Cloud API webhook endpoint POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook did not verify the x-hub-signature-256 HMAC in deliveries. The endpoint also exposes workspaceId and credentialsId in the URL path, ...
aiosend: Deserialization of request body before signature verification (Pre-auth DoS) in webhook handler
Vulnerability Description In aiosend/webhook/base.py, the WebhookHandler.feedupdate method performs full deserialization of the incoming JSON via Pydantic before verifying the HMAC signature. Anyone can send a request with an arbitrary body — the server will parse it, spend CPU and memory, and on...
GHSA-7M8F-HGJQ-8GC9 aiosend: Deserialization of request body before signature verification (Pre-auth DoS) in webhook handler
Vulnerability Description In aiosend/webhook/base.py, the WebhookHandler.feedupdate method performs full deserialization of the incoming JSON via Pydantic before verifying the HMAC signature. Anyone can send a request with an arbitrary body — the server will parse it, spend CPU and memory, and on...
CVE-2026-34207
TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.examp...
CVE-2026-28444
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker...
CVE-2026-34207 TypeBot: SSRF Protection Bypass via DNS-Resolved Hostnames in Webhook / HTTP Request Validation
TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.examp...
CVE-2026-34207
TypeBot SSRF protection bypass (CVE-2026-34207) affects versions
EUVD-2026-31470
TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.examp...
CVE-2026-34207 TypeBot: SSRF Protection Bypass via DNS-Resolved Hostnames in Webhook / HTTP Request Validation
TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.examp...
CVE-2026-34207
TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.examp...
Malicious code in @shwfed/nuxt (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 87ac343d6f89a601749bb115fa6902e7d39c71a0a6469690ecef56e9ea8a135e @shwfed/nuxt is published as a Nuxt UI module but contains undocumented build-hook code that, when a consumer integrates the module and runs a build...
MAL-2026-4444 Malicious code in @shwfed/nuxt (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 87ac343d6f89a601749bb115fa6902e7d39c71a0a6469690ecef56e9ea8a135e @shwfed/nuxt is published as a Nuxt UI module but contains undocumented build-hook code that, when a consumer integrates the module and runs a build...
MAL-2026-4582 Malicious code in ignite-market-contracts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3632f7802511e2852d33925ab4d8612fe588de1f8a1d832011cd3588d23f62bc The package's preinstall lifecycle hook in package.json runs wget --quiet...
Malicious code in ignite-market-contracts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3632f7802511e2852d33925ab4d8612fe588de1f8a1d832011cd3588d23f62bc The package's preinstall lifecycle hook in package.json runs wget --quiet...
Malicious code in ignite-market-contractstest (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da package.json declares a preinstall lifecycle hook that runs wget --quiet...
MAL-2026-4583 Malicious code in ignite-market-contractstest (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9babd9b088785649368dbf885050b6a15b218a6b38d2dcd058f0c9eda5109da package.json declares a preinstall lifecycle hook that runs wget --quiet...