12 matches found
CVE-2026-26077
CVE-2026-26077 – Discourse webhook authentication bypass. Affects Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, where several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController accepted requests without a valid authentication token whe...
CVE-2026-26077 Discourse doesn't ensure webhooks require a token
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
CVE-2026-26077 Discourse doesn't ensure webhooks require a token
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
CVE-2026-26077
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
EUVD-2026-8854
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...
First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package
Cybersecurity researchers have discovered what has been described as the first-ever instance of a malicious Model Context Protocol (MCP) server spotted in the wild, raising software supply chain risks. According to Koi Security, a legitimate-looking developer managed to slip in rogue code within an...
Malicious code in postmark-mcp (npm)
Source: google-open-source-security (b71142d16d8ed2a6e96b93be35b1378bad054d735c90ce0ab7b20979a8c40ba4). This package turned malicious in v1.0.16 and exfiltrates email data via BCC...
MAL-2025-47604 Malicious code in postmark-mcp (npm)
Source: google-open-source-security (b71142d16d8ed2a6e96b93be35b1378bad054d735c90ce0ab7b20979a8c40ba4). This package turned malicious in v1.0.16 and exfiltrates email data via BCC...
CVE-2024-9511
The FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.82 via deserialization of untrusted input in the 'formatResult' function. This makes it...
CVE-2024-9511 FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider <= 2.2.82 - Unauthenticated PHP Object Injection
The FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.82 via deserialization of untrusted input in the 'formatResult' function. This makes it...
CVE-2024-9511
CVE-2024-9511 affects FluentSMTP – WP SMTP Plugin (WordPress) up to version 2.2.82, with unauthenticated PHP Object Injection via deserialization in the formatResult function. Attackers could inject a PHP object if untrusted input is deserialized. Partial mitigation exists in 2.2.82, and PatchSta...
CVE-2024-9511 FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider <= 2.2.82 - Unauthenticated PHP Object Injection
The FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.82 via deserialization of untrusted input in the 'formatResult' function. This makes it...