
92 matches found

RedhatCVE
added yesterday, 3 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

8.8 CVSS, 5.4 AI score, 0.00287 EPSS
Exploits: 0, References: 1

Github Security Blog
added 2026/05/18 6:31 p.m., 4 views

ngrok is Vulnerable to Command Injection

ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection...

8.8 CVSS, 5.8 AI score, 0.00287 EPSS
Exploits: 0, References: 4, Affected Software: 1

OSV
added 2026/05/18 6:31 p.m., 2 views

GHSA-QR28-P3WR-MXQ3 ngrok is Vulnerable to Command Injection

ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection...

8.8 CVSS, 5.8 AI score, 0.00287 EPSS
Exploits: 0, References: 4

NVD
added 2026/05/18 4:16 p.m., 6 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

8.8 CVSS, 0.00287 EPSS
Exploits: 0, References: 2

CNNVD
added 2026/05/18 12:00 a.m., 4 views

ngrok command injection vulnerability

Ngrok is a secure intranet tunneling and application access platform developed by the US company Ngrok. Versions 4.3.3 and 5.0.0-beta.2 of Ngrok contain command injection vulnerabilities that expose them to command injection attacks...

8.8 CVSS, 5.8 AI score, 0.00287 EPSS
Exploits: 0, References: 1

CVE
added 2026/05/18 12:00 a.m., 9 views

CVE-2025-57282

CVE-2025-57282 affects ngrok v4.3.3 and 5.0.0-beta.2 and is described as vulnerable to Command Injection. The connected documents confirm the affected software and the vulnerability class but do not provide exploitation details, root cause specifics, or remediation steps beyond what is stated. No...

8.8 CVSS, 5.8 AI score, 0.00287 EPSS
Exploits: 0, References: 2

Positive Technologies
added 2026/05/18 12:00 a.m., 7 views

PT-2026-41678

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

5.8 AI score, 0.00287 EPSS
Exploits: 0, References: 3

Cvelist
added 2026/05/18 12:00 a.m., 30 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

0.00287 EPSS
Exploits: 0, References: 2

Vulnrichment
added 2026/05/18 12:00 a.m., 4 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

5.8 AI score, 0.00287 EPSS
Exploits: 0, References: 2

ATTACKERKB
added 2026/05/18 12:00 a.m., 5 views

CVE-2025-57282

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

8.8 CVSS, 5.8 AI score, 0.00287 EPSS
Exploits: 0, References: 3

EUVD
added 2026/05/18 12:00 a.m., 4 views

EUVD-2025-209888

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection...

8.8 CVSS, 5.8 AI score, 0.00287 EPSS
Exploits: 0, References: 2

OSV
added 2026/05/08 4:32 p.m., 1 view

GHSA-52CQ-7V8R-62C6 gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense

Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls at Operator Expense. The gmaps-mcp codebase was reviewed at commit e671db68c804c9e67d51582d3280839ffa65f127 and three issues worth flagging were discovered — one high-severity, one medium, one structural. There were no...

8.3 CVSS, 5.9 AI score
Exploits: 0, References: 4

Github Security Blog
added 2026/05/08 4:32 p.m., 5 views

gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense

Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls at Operator Expense. The gmaps-mcp codebase was reviewed at commit e671db68c804c9e67d51582d3280839ffa65f127 and three issues worth flagging were discovered — one high-severity, one medium, one structural. There were no...

5.9 AI score
Exploits: 0, References: 4, Affected Software: 1

Vulnrichment
added 2026/03/05 10:00 p.m., 1 view

CVE-2026-29606 OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility

OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly...

6.5 CVSS, 5.8 AI score, 0.00056 EPSS
Exploits: 0, References: 3

Cvelist
added 2026/03/05 10:00 p.m., 23 views

CVE-2026-29606 OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility

OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly...

6.5 CVSS, 0.00056 EPSS
Exploits: 0, References: 3

ATTACKERKB
added 2026/03/05 10:00 p.m., 3 views

CVE-2026-29606

OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly...

6.3 CVSS, 6 AI score, 0.00056 EPSS
Exploits: 0, References: 4

CVE
added 2026/03/05 10:00 p.m., 5 views

CVE-2026-29606

OpenClaw before version 2026.2.14 contains a webhook signature-verification bypass in the voice-call extension when tunnel.allowNgrokFreeTierLoopbackBypass is enabled, allowing unauthenticated requests to the publicly reachable webhook endpoint. This can lead to unauthorized webhook event handlin...

6.5 CVSS, 6 AI score, 0.00056 EPSS
Exploits: 0, References: 3, Affected Software: 1

Github Security Blog
added 2026/02/18 12:54 a.m., 14 views

OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled

Summary: A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled. Impact: This issue is limited to configurations that explicitly enable and expose the voice-call webhook...

6.5 CVSS, 5.5 AI score, 0.00056 EPSS
Exploits: 0, References: 6, Affected Software: 1

OSV
added 2026/02/18 12:54 a.m., 3 views

GHSA-C37P-4QQG-3P76 OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled

Summary: A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled. Impact: This issue is limited to configurations that explicitly enable and expose the voice-call webhook...

6.5 CVSS, 5.5 AI score, 0.00056 EPSS
Exploits: 0, References: 6

Snyk
added 2026/02/17 9:31 p.m., 2 views

Improper Authentication

Overview: @openclaw/voice-call is an OpenClaw voice-call plugin. Affected versions of this package are vulnerable to Improper Authentication in resolveProvider for Ngrok webhooks. An attacker can cause unauthorized webhook requests to be accepted by supplying malicious headers, including Forwarded ...

8.2 CVSS, 5.6 AI score, 0.00139 EPSS
Exploits: 0, References: 2