Lucene search
K

697 matches found

EUVD
EUVD
added 2026/05/08 9:12 p.m.9 views

EUVD-2026-28832

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhoo...

9.1CVSS5.7AI score0.00127EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 8:44 p.m.8 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when handling excessively large HTTP request bodies. A malicious pod on the same cluster can exhaust system memory and trigger an OOM condition. Remediation Upgrade...

7.4CVSS5.8AI score0.00173EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.12 views

PT-2026-39196

Name of the Vulnerable Software and Affected Versions Plunk versions prior to 0.9.0 Description The '/webhooks/sns' endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN. This allows an unauthenticated attack...

9.1CVSS5.8AI score0.00127EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.12 views

n8n-MCP 安全漏洞

n8n-MCP is a model context protocol server developed by Romuald Członkowski, an individual developer. It serves as a connection between AI assistants and automated workflow platforms. Versions of n8n-MCP from 2.18.7 to 2.50.2 contained security vulnerabilities. These vulnerabilities were caused b...

9.1CVSS5.8AI score0.00235EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/07 1:53 p.m.31 views

CVE-2026-41689 Wallos: Shared local webhook allowlist lets low-privilege users send arbitrary requests to allowlisted internal services

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use...

6CVSS0.00176EPSS
Exploits0References1
OSV
OSV
added 2026/05/06 11:16 p.m.6 views

GHSA-248H-974Q-XRC2 axonflow-sdk-java: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification

Summary The AxonFlow SDK's WebhookSubscription or equivalent type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook...

5.9CVSS5.8AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/06 11:15 p.m.7 views

axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification

Summary The AxonFlow SDK's WebhookSubscription or equivalent type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook...

5.8AI score
Exploits0References2Affected Software1
Patchstack
Patchstack
added 2026/05/05 6:42 p.m.10 views

NPM: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload

NPM: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.23...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 6:42 p.m.12 views

OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload

Summary OpenClaw webhooks allowed route secrets to be backed by SecretRef values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran openclaw secrets reload, the previous resolved webhook secret could remain valid until the plugin or gateway...

6CVSS5.8AI score0.00288EPSS
Exploits0References5Affected Software1
Patchstack
Patchstack
added 2026/05/05 4:22 p.m.12 views

WordPress Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption vulnerability

Missing Authorization to Authenticated Subscriber+ Stripe Webhook Deletion and Payment Processing Disruption vulnerability discovered by Jared Reyes in WordPress Plugin Paid Memberships Pro versions = 3.6.5...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/05 11:25 a.m.3 views

CVE-2026-43566

OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when th...

9.1CVSS5.9AI score0.00423EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/02 11:16 a.m.5 views

CVE-2026-4100

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/02 12:0 a.m.11 views

PT-2026-36609

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wp ajax pmpro stripe create webhook, wp ajax pmpro stripe delete...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/29 9:25 p.m.6 views

Prototype Pollution

Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Prototype Pollution via the xml2js used for parsing XML request bodies in webhook handlers. An authenticated attacker with permission to create or modify workflows could exploit this to pollute the...

9.9CVSS6.3AI score0.00851EPSS
Exploits1References2
OSV
OSV
added 2026/04/29 8:0 a.m.4 views

MAL-2026-3155 Malicious code in apple-infra-network-v2 (npm)

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services authentication, PKI, telemetry, CloudKit, and cloud infrastructure. All packages in this campaign execute credential-theft payloads durin...

5.9AI score
Exploits0References1
EUVD
EUVD
added 2026/04/28 6:10 p.m.7 views

EUVD-2026-26112

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resources by bypassing authentication checks...

8.7CVSS5.3AI score0.00481EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/28 12:0 a.m.4 views

PT-2026-35785

OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver...

4.2CVSS5.2AI score0.00266EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/28 12:0 a.m.9 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contained security vulnerabilities. These vulnerabilities stemmed from the parsing of MS Teams Webhook request bodies before JWT verification was performed, which could allow...

8.7CVSS5.8AI score0.00481EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/27 10:0 a.m.4 views

CVE-2026-7113

A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument INSECURENOAUTH results in missing authentication. The attack can be...

6.3CVSS5.1AI score0.00362EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/04/27 10:0 a.m.7 views

EUVD-2026-25818

A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument INSECURENOAUTH results in missing authentication. The attack can be...

6.3CVSS4.6AI score0.00362EPSS
Exploits0References6
Rows per page
Query Builder