Lucene search
K

940 matches found

CVE
CVE
added 4 days ago9 views

CVE-2026-59155

Nezha Monitoring (self-hosted) had a credential exposure flaw prior to version 2.2.5. The GET endpoints /api/v1/ddns and /api/v1/notification returned full resource objects that included plaintext third-party API credentials (Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram ...

6.9CVSS6.1AI score0.00304EPSS
Exploits0References3
OSV
OSV
added 2026/07/02 5:11 p.m.6 views

GHSA-275C-XPVC-JGFW OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload

Summary Slack and Zalo webhook secrets could remain active after secrets.reload. In affected versions, a caller with an old webhook secret during the stale-secret window could keep accepting the previous secret after secrets.reload. This advisory is scoped to the named feature and configuration. ...

6.3CVSS6AI score0.00207EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 4:43 p.m.7 views

GHSA-C29C-2Q9C-PC86 OpenClaw: Slack allowFrom could bind to mutable display names

Summary Slack allowFrom could bind to mutable display names. In affected versions, a Slack account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

8.6CVSS6AI score0.00209EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 4:18 p.m.3 views

GHSA-WV26-J37Q-2G7P OpenClaw's Slack plugin approvals used the exec approver gate for plugin actions

Summary Slack plugin approvals used the exec approver gate for plugin actions. In affected versions, a Slack user authorized only for exec approvals could resolve a plugin approval through the exec approver gate. This advisory is scoped to the named feature and configuration. It does not change...

4.3CVSS6AI score0.00173EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.10 views

PT-2026-57344

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions prior to 2.2.5 Description The software fails to redact sensitive information when returning resource objects. Authenticated administrators or Personal Access Tokens PAT with nezha:ddns:read or nezha:notification:read...

6.9CVSS6.1AI score0.00304EPSS
Exploits0References10
NVD
NVD
added 2026/06/25 8:17 p.m.8 views

CVE-2026-57522

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens, which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template referenc...

5CVSS0.00262EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/25 7:9 p.m.4 views

EUVD-2026-39543

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens, which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template referenc...

3.5CVSS6AI score0.00262EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.8 views

PT-2026-52576

Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.5.0 Description An issue exists in the IntegrationTemplateProcessor.ReplaceTokens function where user-controlled values are substituted into event-integration templates without proper JSON encoding. An...

5CVSS5.9AI score0.00262EPSS
Exploits1References9
CVE
CVE
added 2026/06/23 8:41 p.m.24 views

CVE-2026-46548

NocoDB (CVE-2026-46548 ) exhibits an SSRF protection bypass in the notification webhook plugins for Slack, Discord, Mattermost, and Teams. Root cause: in the affected code paths, the httpAgent/httpsAgent were incorrectly placed in the request body of axios.post instead of the config argument, all...

4.3CVSS6AI score0.00176EPSS
Exploits0References1
OSV
OSV
added 2026/06/18 8:13 p.m.5 views

GHSA-FCVX-5CXC-V5P8 OpenClaw: Slack reaction events could ignore reaction notification settings

Summary Slack reaction events could ignore reaction notification settings. In affected versions, a Slack reaction event delivered to the configured app could enter the agent pipeline even when reaction notifications were disabled. This advisory is scoped to the named feature and configuration. It...

6.3CVSS5.6AI score0.00191EPSS
Exploits0References4
NVD
NVD
added 2026/06/16 7:17 p.m.17 views

CVE-2026-53851

OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading ...

6.3CVSS0.00191EPSS
Exploits0References2
CVE
CVE
added 2026/06/16 6:5 p.m.18 views

CVE-2026-53851

CVE-2026-53851 affects OpenClaw prior to version 2026.5.12. A notification bypass allows Slack reaction events to be processed by the agent pipeline even when reaction notifications are disabled. An attacker can trigger unintended agent processing by sending reaction events while the feature is e...

6.3CVSS5.3AI score0.00191EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.16 views

PT-2026-49768

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.12 Description A notification bypass allows Slack reaction events to enter the agent pipeline even when reaction notifications are disabled. This can trigger unintended agent processing for reaction events,...

6.3CVSS5.2AI score0.00191EPSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 5:36 p.m.37 views

Malicious code in kinto-slack (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0e0434bc9a31ed977738596bc7326ddbc16d225b80d4e219865cb6ec39ff2d78 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

5.6AI score
Exploits0References1
OSV
OSV
added 2026/06/15 5:36 p.m.15 views

MAL-2026-5815 Malicious code in kinto-slack (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0e0434bc9a31ed977738596bc7326ddbc16d225b80d4e219865cb6ec39ff2d78 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

5.6AI score
Exploits0References1
EUVD
EUVD
added 2026/06/13 12:34 a.m.14 views

EUVD-2026-36618

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...

6.5CVSS5.2AI score0.00207EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/13 12:34 a.m.10 views

EUVD-2026-36611

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS5.2AI score0.00209EPSS
Exploits0References3
NVD
NVD
added 2026/06/12 10:16 p.m.16 views

CVE-2026-53830

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...

6.5CVSS0.00207EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 10:16 p.m.14 views

CVE-2026-53823

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

8.6CVSS0.00209EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 9:56 p.m.9 views

CVE-2026-53830 OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...

6.5CVSS5.3AI score0.00207EPSS
Exploits0References2
Rows per page
Query Builder