
697 matches found

CNNVD | added 2026/04/27 12:00 a.m. | 6 views

Hermes Agent authorization vulnerability

Hermes Agent is an AI agent tool developed by Nous Research, featuring a self-learning mechanism. Version 0.8.0 of Hermes Agent contains an authorization vulnerability. This vulnerability arises from an unknown function in the Webhooks Endpoint component’s gateway/platforms/webhook.py file, which...

CVSS 6.3 | AI score 6.2 | EPSS 0.00362 | Exploits 0 | References 1
Positive Technologies | added 2026/04/27 12:00 a.m. | 8 views

PT-2026-35395

Name of the Vulnerable Software and Affected Versions: NousResearch hermes-agent version 0.8.0. Description: A flaw in the Webhooks Endpoint component, specifically within the gateway/platforms/webhook.py file, allows for missing authentication. This occurs through the manipulation of the INSECURE N...

CVSS 6.3 | AI score 6 | EPSS 0.00362 | Exploits 0 | References 12
EUVD | added 2026/04/24 8:40 p.m. | 7 views

EUVD-2026-25631

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback...

CVSS 8.8 | AI score 5.6 | EPSS 0.00773 | Exploits 1 | References 3
Github Security Blog | added 2026/04/24 12:31 a.m. | 7 views

Duplicate Advisory: OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-37v6-fxx8-xjmx. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats...

CVSS 6.3 | AI score 5.7 | EPSS 0.0033 | Exploits 0 | References 5 | Affected software 1
Github Security Blog | added 2026/04/24 12:31 a.m. | 9 views

Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-rxmx-g7hr-8mx4. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows...

CVSS 6.3 | AI score 5.7 | EPSS 0.00278 | Exploits 0 | References 5 | Affected software 1
NVD | added 2026/04/23 10:16 p.m. | 5 views

CVE-2026-41354

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

CVSS 6.3 | EPSS 0.00278 | Exploits 0 | References 3
Cvelist | added 2026/04/23 9:58 p.m. | 36 views

CVE-2026-41354 OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

CVSS 6.3 | EPSS 0.00278 | Exploits 0 | References 3
ATTACKERKB | added 2026/04/22 9:08 p.m. | 5 views

CVE-2026-41454

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new...

CVSS 8.7 | AI score 5.8 | EPSS 0.00274 | Exploits 0 | References 4
Vulnrichment | added 2026/04/22 8:15 p.m. | 3 views

CVE-2026-40937 RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check_permissions helper that validates authentication only (access key + session token), without performing any...

CVSS 8.3 | AI score 5.7 | EPSS 0.00293 | Exploits 0 | References 2
CVE | added 2026/04/22 8:15 p.m. | 14 views

CVE-2026-40937

Summary: RustFS prior to 1.0.0-alpha.94 exposes a critical admin-authorization flaw in the notification target endpoints. The four endpoints in rustfs/src/admin/handlers/event.rs call a check_permissions (auth only) instead of validate_admin_request with a specific AdminAction, unlike other admin...

CVSS 8.3 | AI score 5.7 | EPSS 0.00293 | Exploits 0 | References 2 | Affected software 1
EUVD | added 2026/04/22 7:24 p.m. | 5 views

EUVD-2026-25092

RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks...

CVSS 8.3 | AI score 5.8 | EPSS 0.00293 | Exploits 0 | References 2
Snyk | added 2026/04/18 12:47 a.m. | 4 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the webhook process. An attacker can exhaust system memory by sending oversized POST payloads before signature validation. This is only exploitable if Stripe webhooks are enabled a...

CVSS 8.2 | AI score 5.5 | EPSS 0.00446 | Exploits 1 | References 2
ATTACKERKB | added 2026/04/17 10:54 p.m. | 4 views

CVE-2026-40481

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...

CVSS 8.2 | AI score 5.7 | EPSS 0.00446 | Exploits 1 | References 3 | Affected software 1
Snyk | added 2026/04/17 10:32 p.m. | 1 view

Insecure Default Initialization of Resource

Overview: @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin, community-maintained by @m1heng. Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via improper validation of the encryptKey configuration and blank callback tokens. An attacker can ga...

CVSS 9.8 | AI score 5.8 | EPSS 0.00718 | Exploits 1 | References 3
The Hacker News | added 2026/04/15 5:09 p.m. | 7 views

n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails

Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these...

AI score 5.9 | Exploits 0
EUVD | added 2026/04/14 6:30 p.m. | 4 views

EUVD-2026-22298

A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources by supplying a crafted POST request...

CVSS 8.5 | AI score 5.8 | EPSS 0.00249 | Exploits 1 | References 3
OSV | added 2026/04/14 6:30 p.m. | 5 views

GHSA-FPX9-9HQ8-W2XC Webkul Krayin CRM has Server-Side Request Forgery (SSRF)

A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources by supplying a crafted POST request...

CVSS 8.5 | AI score 5.8 | EPSS 0.00249 | Exploits 1 | References 3
NVD | added 2026/04/14 4:16 p.m. | 4 views

CVE-2026-38527

A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources by supplying a crafted POST request...

CVSS 8.5 | EPSS 0.00249 | Exploits 1 | References 2
OSV | added 2026/04/14 12:03 a.m. | 3 views

GHSA-V7XQ-3WX6-FQC2 In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation

Summary: The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service. Details: When Stripe webhooks are enabled,...

CVSS 8.2 | AI score 6 | EPSS 0.00446 | Exploits 1 | References 4
Positive Technologies | added 2026/04/14 12:00 a.m. | 7 views

PT-2026-32681

CVE-2026-38527 A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources by supplying … https://t.co/UnVbPvc3Tv...

CVSS 8.5 | AI score 5.7 | EPSS 0.00249 | Exploits 1 | References 5