PT-2026-33790

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...

PT-2026-33757

A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool call of the file apps/experimental/tools webhook/app.py of the component tools webhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be...

rowboat 安全漏洞

Rowboat is an open-source artificial intelligence-driven multi-agent builder developed by RowBoat Labs. Versions of Rowboat prior to 0.1.67 contained a security vulnerability. This vulnerability stemmed from improper handling of the parameter X-Tools-JWE in the toolcall function of the toolswebho...

BIT-GRAFANA-2025-12141 Grafana Alerting Editors can edit destination of webhooks they did not create

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the webhook process. An attacker can exhaust system memory by sending oversized POST payloads before signature validation. This is only exploitable if Stripe webhooks are enabled a...

CVE-2026-40481

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...

CVE-2026-40481

In monetr, versions 1.12.3 and earlier expose a denial-of-service risk where the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. An unauthenticated remote attacker can send oversized POST payloads to trigger uncontrolled memory gr...

CVE-2026-40481 monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...

CVE-2026-40481 monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...

OpenClaw: Feishu webhook and card-action validation now fail closed

Summary Feishu webhook mode accepted missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. Impact A...

GHSA-XH72-V6V9-MWHC OpenClaw: Feishu webhook and card-action validation now fail closed

Summary Feishu webhook mode accepted missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. Impact A...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization due to the heartbeat owner downgrade not properly handling untrusted webhook wake events. An attacker can maintain elevated privileges by sending specially crafted...

OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events

Summary Heartbeat owner downgrade missed untrusted webhook wake events. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.7 = 2026.4.14 Impact Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving...

GHSA-G2HM-779G-VM32 OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events

Summary Heartbeat owner downgrade missed untrusted webhook wake events. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.7 = 2026.4.14 Impact Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving...

PT-2026-37021

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.4.7 through 2026.4.13 Description A privilege escalation issue exists where the heartbeat owner downgrade logic fails to account for webhook wake events containing untrusted content. This allows attackers to send untrust...

monetr 安全漏洞

Monetr is an open-source personal budget management application developed by Monetr. Versions of Monetr 1.12.3 and earlier contained a security vulnerability. This vulnerability stemmed from the Stripe webhook endpoint, which buffered the entire request body in memory, potentially leading to...

PT-2026-37009

Name of the Vulnerable Software and Affected Versions OpenClaw version 2026.4.9 Description A denial of service issue exists in the voice-call realtime WebSocket path. The system accepts oversized frames without proper validation, allowing remote attackers to send these frames to cause service...

PT-2026-38242

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.15 Description An authentication bypass exists in the Feishu webhook and card-action validation. When the encryptKey configuration is missing or callback tokens are blank, the system fails open rather than...

SUSE CVE-2026-39845

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround...

Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

Summary Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions ...