3449 matches found
GHSA-PJCQ-XVWQ-HHPJ vulnerabilities
Vulnerabilities for packages: nuclei, minio, trufflehog, flux-source-controller, harbor, cert-manager-cmctl, ratify, gitlab-runner, external-secrets-operator, rancher-agent, cert-manager-istio-csr, cert-manager-csi-driver, rancher, percona-server-mongodb-operator, rclone, k6, grafana, teleport,...
CVE-2026-32952 vulnerabilities
Vulnerabilities for packages: nuclei, minio, trufflehog, flux-source-controller, harbor, cert-manager-cmctl, ratify, gitlab-runner, external-secrets-operator, rancher-agent, cert-manager-istio-csr, cert-manager-csi-driver, rancher, percona-server-mongodb-operator, rclone, k6, grafana, teleport,...
CVE-2026-32952 vulnerabilities
Vulnerabilities for packages: versitygw-fips, openbao-fips, kyverno-notation-aws-fips, cloudbeat, minio-fips, gitea-fips, harbor, opentofu-fips, seaweedfs, openbao, gitea, neuvector, cert-manager-google-cas-issuer-fips, zot, cert-manager-openshift-routes-fips, nuclei, kyverno-fips, rancher-agent,...
GHSA-XFF3-5C9P-2MR4 New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
Summary A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws: 1. The Stripe webhook endpoint does n...
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
Summary A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws: 1. The Stripe webhook endpoint does n...
Insecure Default Initialization of Resource
Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the StripeWebhook process. An attacker can gain unauthorized quota credits and perform financial fraud by forging webhook requests with a publicly computable signature when the webhook...
CVE-2026-41323
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has n...
CVE-2026-41323
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has n...
CVE-2026-41323
Summary of CVE-2026-41323 : Kyverno’s ClusterPolicy apiCall feature leaks the admission controller’s ServiceAccount token by attaching it to outgoing HTTP requests without validating the target URL. This allows tokens (e.g., for the kyverno-admission-controller) to be exfiltrated to attacker-cont...
MAL-2026-3028 Malicious code in amplitude-ma-ts (npm)
npm stealer. Hardcoded Discord webhook id 1497047226428690432 in postinstall Folder/bin/S.js. Exfils hostname, whoami, pwd, publicip api.ipify.org, /etc/hosts via Discord embed. v1.0.21 empty placeholder, v1.0.22 shipped payload — name-squat-then-poison. Typosquats @amplitude/ analytics scope...
Malicious code in amplitude-ma-ts (npm)
npm stealer. Hardcoded Discord webhook id 1497047226428690432 in postinstall Folder/bin/S.js. Exfils hostname, whoami, pwd, publicip api.ipify.org, /etc/hosts via Discord embed. v1.0.21 empty placeholder, v1.0.22 shipped payload — name-squat-then-poison. Typosquats @amplitude/ analytics scope...
EUVD-2026-25335
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature...
GHSA-M958-864J-XQ5W Duplicate Advisory: OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-37v6-fxx8-xjmx. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats...
Duplicate Advisory: OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-37v6-fxx8-xjmx. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats...
GHSA-6477-WVJJ-47V6 Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rxmx-g7hr-8mx4. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows...
EUVD-2026-25338
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...
EUVD-2026-25327
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade...
Duplicate Advisory: OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6336-qqw9-v6x6. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing...
GHSA-2HV5-4H3G-4HJV Duplicate Advisory: OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6336-qqw9-v6x6. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing...
PT-2026-35034
Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.10 Description A flaw in the Stripe webhook handler allows unauthenticated attackers to forge webhook events and credit arbitrary quota to their accounts without payment. This is caused by three issues: the syste...