3449 matches found
CVE-2026-41455
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...
CVE-2026-41455
CVE-2026-41455 affects WeKan
CVE-2026-41455
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...
CVE-2026-41455 WeKan < 8.35 SSRF via Webhook URL
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...
CVE-2026-41455 WeKan < 8.35 SSRF via Webhook URL
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...
CVE-2026-41454 WeKan < 8.35 Missing Authorization via Integration REST API
WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new...
CVE-2026-40937 RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any...
GHSA-PFCQ-4GJR-6GJM RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks
Missing Admin Auth on Notification Target Endpoints in RustFS Finding Summary All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any admin-action...
RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks
Missing Admin Auth on Notification Target Endpoints in RustFS Finding Summary All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any admin-action...
WeKan 代码问题漏洞
WeKan is an open-source dashboard application developed by WeKan. Versions of WeKan prior to 8.35 contained code vulnerabilities. These vulnerabilities stemmed from the webhook integration URL processing, where the url pattern field allowed any string without protocol restrictions or target...
PT-2026-34569
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...
CVE-2026-40481
monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...
CVE-2026-25883
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...
CVE-2026-25883 Vexa Webhook Feature has a SSRF Vulnerability
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...
CVE-2026-25883
Vexa SSRF via webhook URL validation flaw : The webhook feature allows authenticated users to configure any HTTP POST URL when meetings complete, with no validation of the target. This enables Server-Side Request Forgery to internal services (e.g., Redis/databases/admin panels), cloud metadata en...
CVE-2026-25883 Vexa Webhook Feature has a SSRF Vulnerability
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...
CVE-2026-25883
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...
EUVD-2026-23893
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...
EUVD-2026-23840
A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function toolcall of the file apps/experimental/toolswebhook/app.py of the component toolswebhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be...
CVE-2026-6635
A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function toolcall of the file apps/experimental/toolswebhook/app.py of the component toolswebhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be...