Lucene search
K

38 matches found

CVE
CVE
added 2 days ago12 views

CVE-2026-11964

Affected software: User Registration & Membership WordPress plugin (prior to 5.2.2). Vulnerability: The plugin does not verify the authenticity of incoming payment-provider webhook notifications, enabling unauthenticated attackers to forge a payment-approved event. Impact: This can activate a pai...

9.1CVSS6.1AI score0.00261EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/06 9:52 a.m.6 views

EUVD-2026-41867

Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the...

8.3CVSS6AI score0.00506EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 9:52 a.m.34 views

CVE-2026-44937 SUSE Rancher Fleet had an Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components

Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the...

8.3CVSS0.00506EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 9:52 a.m.22 views

CVE-2026-44937

Summary: An unauthenticated webhook vulnerability in SUSE Rancher Fleet (versions prior to 0.15.2, 0.14 prior to 0.14.6, 0.13 prior to 0.13.11, 0.12 prior to 0.12.15) allows forging webhook requests via regex-based injection from unsanitized repository URL components, potentially enabling DoS or ...

8.3CVSS6AI score0.00506EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/07/06 9:52 a.m.5 views

CVE-2026-44937 SUSE Rancher Fleet had an Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components

Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the...

8.3CVSS6AI score0.00506EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/07/01 8:44 p.m.9 views

Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components

Impact A vulnerability has been identified in Fleet when the webhook endpoint is configured without a secret; an attacker can forge webhook requests. The attacker doesn't need to know the specific repository or path configured in the GitRepo resource to make Fleet process these requests. An...

8.3CVSS5.9AI score0.00506EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/01 8:44 p.m.3 views

GHSA-JMF4-M7J9-G72R Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components

Impact A vulnerability has been identified in Fleet when the webhook endpoint is configured without a secret; an attacker can forge webhook requests. The attacker doesn't need to know the specific repository or path configured in the GitRepo resource to make Fleet process these requests. An...

7.5CVSS5.9AI score0.00506EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/23 3:42 p.m.51 views

CVE-2026-54308 n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node

n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to...

6.3CVSS0.00276EPSS
Exploits0References1
NVD
NVD
added 2026/06/19 8:16 a.m.16 views

CVE-2026-3640

The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permissioncallback of returntrue, which allows all incoming requests...

5.3CVSS0.00382EPSS
Exploits0References14
EUVD
EUVD
added 2026/06/19 6:51 a.m.11 views

EUVD-2026-37995

The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permissioncallback of returntrue, which allows all incoming requests...

5.3CVSS5.8AI score0.00382EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.24 views

PT-2026-50849

Name of the Vulnerable Software and Affected Versions STRABL – A checkout solution plugin for WordPress versions prior to 4.6 Description The plugin contains a missing authentication flaw in the REST API webhook endpoint "/wp-json/strabl/webhook/order". The endpoint uses a permission callback set...

5.3CVSS5.9AI score0.00382EPSS
Exploits0References20
CVE
CVE
added 2026/06/09 6:0 a.m.36 views

CVE-2026-4986

The CVE-2026-4986 entry concerns the WPForms WordPress plugin (pre-1.10.0.5). The issue is that incoming PayPal webhook events are not validated for authenticity before processing, enabling unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transacti...

5.3CVSS5.6AI score0.00197EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/07 8:59 a.m.16 views

CVE-2026-7792

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticat...

5.3CVSS5.4AI score0.00202EPSS
Exploits0References1
CVE
CVE
added 2026/06/06 2:28 a.m.45 views

CVE-2026-7792

Technical details about CVE-2026-7792 are not publicly available in the provided documents. Monitor for updates.

5.3CVSS5.4AI score0.00202EPSS
Exploits0References14
Cvelist
Cvelist
added 2026/06/06 2:28 a.m.49 views

CVE-2026-7792 WPForms <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticat...

5.3CVSS0.00202EPSS
Exploits0References14
Cvelist
Cvelist
added 2026/04/08 3:36 a.m.19 views

CVE-2026-3646 LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update

The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that...

5.3CVSS0.00385EPSS
Exploits0References14
Snyk
Snyk
added 2026/04/04 6:4 a.m.4 views

Command Injection

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by...

9.5CVSS6.1AI score0.11982EPSS
Exploits1References2
OSV
OSV
added 2026/04/04 6:4 a.m.6 views

GHSA-FCM4-4PJ2-M5HF Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Summary An unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...

9CVSS6.2AI score0.11982EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.6 views

CVE-2026-32896

OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy...

6.5CVSS5.8AI score0.00249EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.7 views

CVE-2026-33143

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler /notification/whatsapp/webhook processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any...

8.7CVSS5.8AI score0.00182EPSS
Exploits1References1
Rows per page
Query Builder