38 matches found
CVE-2026-11964
Affected software: User Registration & Membership WordPress plugin (prior to 5.2.2). Vulnerability: The plugin does not verify the authenticity of incoming payment-provider webhook notifications, enabling unauthenticated attackers to forge a payment-approved event. Impact: This can activate a pai...
EUVD-2026-41867
Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the...
CVE-2026-44937 SUSE Rancher Fleet had an Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the...
CVE-2026-44937
Summary: An unauthenticated webhook vulnerability in SUSE Rancher Fleet (versions prior to 0.15.2, 0.14 prior to 0.14.6, 0.13 prior to 0.13.11, 0.12 prior to 0.12.15) allows forging webhook requests via regex-based injection from unsanitized repository URL components, potentially enabling DoS or ...
CVE-2026-44937 SUSE Rancher Fleet had an Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the...
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
Impact A vulnerability has been identified in Fleet when the webhook endpoint is configured without a secret; an attacker can forge webhook requests. The attacker doesn't need to know the specific repository or path configured in the GitRepo resource to make Fleet process these requests. An...
GHSA-JMF4-M7J9-G72R Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
Impact A vulnerability has been identified in Fleet when the webhook endpoint is configured without a secret; an attacker can forge webhook requests. The attacker doesn't need to know the specific repository or path configured in the GitRepo resource to make Fleet process these requests. An...
CVE-2026-54308 n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to...
CVE-2026-3640
The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permissioncallback of returntrue, which allows all incoming requests...
EUVD-2026-37995
The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permissioncallback of returntrue, which allows all incoming requests...
PT-2026-50849
Name of the Vulnerable Software and Affected Versions STRABL – A checkout solution plugin for WordPress versions prior to 4.6 Description The plugin contains a missing authentication flaw in the REST API webhook endpoint "/wp-json/strabl/webhook/order". The endpoint uses a permission callback set...
CVE-2026-4986
The CVE-2026-4986 entry concerns the WPForms WordPress plugin (pre-1.10.0.5). The issue is that incoming PayPal webhook events are not validated for authenticity before processing, enabling unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transacti...
CVE-2026-7792
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticat...
CVE-2026-7792
Technical details about CVE-2026-7792 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-7792 WPForms <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticat...
CVE-2026-3646 LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update
The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that...
Command Injection
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Command Injection via the public webhook endpoint. An attacker can execute arbitrary commands as the root user within the application container and exfiltrate sensitive environment secrets by...
GHSA-FCM4-4PJ2-M5HF Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Summary An unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...
CVE-2026-32896
OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy...
CVE-2026-33143
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler /notification/whatsapp/webhook processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any...