Lucene search
K

3714 matches found

NVD
NVD
added yesterday6 views

CVE-2026-56261

Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...

9.2CVSS
Exploits0References3
EUVD
EUVD
added yesterday5 views

EUVD-2026-42896

PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhookurl parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a...

7.2CVSS6.1AI score
Exploits0References2
Cvelist
Cvelist
added yesterday8 views

CVE-2026-60091 PraisonAI before 4.6.78 Unauthenticated SSRF via webhook_url

PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhookurl parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a...

7.2CVSS
Exploits0References2
Cvelist
Cvelist
added yesterday9 views

CVE-2026-56261 Crawl4AI - Server-Side Request Forgery via Webhook URLs

Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...

9.2CVSS
Exploits0References3
CVE
CVE
added yesterday8 views

CVE-2026-56261

CVE-2026-56261 affects Crawl4AI prior to 0.8.7. The Docker API server endpoints /crawl/job and /llm/job accept webhook URLs without destination validation, allowing SSRF to private/internal IP ranges, Docker networks, or cloud metadata endpoints (e.g., 169.254.169.254). Potential impact is exposu...

9.2CVSS6.1AI score
Exploits0References3
Nuclei
Nuclei
added yesterday16 views

Dozzle - Server Side Request Forgery

Dozzle prior to 10.5.2 contains a server-side request forgery caused by unauthenticated access to POST /api/notifications/test-webhook forwarding attacker-controlled URLs, letting remote attackers send arbitrary HTTP POST requests and receive response data, exploit requires no authentication. id:...

8.6CVSS6.1AI score0.01491EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday39 views

GitLab CI Lint API - Server-Side Request Forgery

GitLab 10.5 and later contain a server-side request forgery caused by insecure handling of webhook requests, letting unauthenticated attackers exploit the server for arbitrary requests, exploit requires sending crafted webhook requests. id: CVE-2021-22175 info: name: GitLab CI Lint API -...

9.8CVSS7.5AI score0.53372EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday60 views

Budibase - Authentication Bypass

Budibase = 3.31.4 contains an authentication bypass caused by unanchored regex in authorized middleware matching webhook path patterns in query strings, letting unauthenticated remote attackers access any server-side API endpoint, exploit requires crafted request with webhook pattern in URL. id:...

9.1CVSS6AI score0.15339EPSS
Exploits2References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago4 views

Malicious code in polipoli-pak (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8693677ff1f1f887c11d3b4f6ad3f1742c7eefd07b6b8cfabd6cfccc32bc48f On npm install, postinstall.js runs automatically and performs two unauthorized actions against the installer. First, it POSTs a JSON fingerprint of...

6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 days ago3 views

CVE-2026-33655

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/blo...

7.7CVSS5.9AI score0.00437EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2 days ago6 views

CVE-2026-53961

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish...

6.5CVSS0.00221EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2 days ago4 views

CVE-2026-53961

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish...

6.5CVSS6AI score0.00221EPSS
Exploits0References10Affected Software1
NVD
NVD
added 2 days ago6 views

CVE-2026-59222

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers.key and webhook configuration, allowing a normal channel...

6.5CVSS0.00259EPSS
Exploits1References3
Cvelist
Cvelist
added 2 days ago29 views

CVE-2026-59222 Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers.key and webhook configuration, allowing a normal channel...

6CVSS0.00259EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2 days ago4 views

CVE-2026-59222

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers.key and webhook configuration, allowing a normal channel...

6CVSS5.9AI score0.00259EPSS
Exploits1References4Affected Software1
Wordfence Blog
Wordfence Blog
added 2 days ago5 views

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 29, 2026 to July 5, 2026)

Last week, there were 246 vulnerabilities disclosed in 179 WordPress Plugins and 40 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 100 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabiliti...

6.3AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 3 days ago5 views

Malicious code in searchresults (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7d5453a0b1576ed8880071cda901607e79f25378700d3f999ab2c9715e00635 [email protected] is a high-version dependency-confusion squat on the generic name 'searchresults'. package.json declares preinstall and...

6.4AI score
Exploits0References2
NVD
NVD
added 3 days ago8 views

CVE-2026-56360

n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data...

6.3CVSS0.00186EPSS
Exploits0References2
CVE
CVE
added 3 days ago8 views

CVE-2026-56360

n8n is affected in versions prior to 1.123.18 and 2.6.2 where the ZendeskTrigger node fails to verify HMAC-SHA256 signatures on Zendesk webhooks. This allows attackers who know the webhook URL to send unsigned POST requests, potentially triggering workflows with arbitrary data. No remediation det...

6.3CVSS6.1AI score0.00186EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 3 days ago31 views

CVE-2026-56360 n8n - Webhook Forgery via Unsigned POST Requests in ZendeskTrigger

n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data...

6.3CVSS0.00186EPSS
Exploits0References2
Rows per page
Query Builder