31 matches found
CVE-2026-30846
Wekan versions 8.31.0–8.33 expose all global webhook integrations (including sensitive URL and token fields) via the globalwebhooks publication without server-side access control. Any DDP client, even unauthenticated, can subscribe and receive the data, enabling an attacker to retrieve webhook UR...
CVE-2026-30846 Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is...
EUVD-2026-10064
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...
CVE-2026-30845 Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber...
PT-2026-23745
🚨 CVE-2026-30845 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to a...
PT-2026-23746
🚨 CVE-2026-30846 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the...
GHSA-FV2R-R8MP-PG48 Soft Serve does not sanitize ANSI escape sequences in user input
Impact In several places where the user can insert data e.g. names, ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same token, git messages, when printed, are also not being sanitized. Places in which this was found: 1. Repository...
EUVD-2022-5766
Malicious code in bioql PyPI...
Server Side Request Forgery (SSRF)
@strapi/admin is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient validation of webhook URLs, allowing requests to internal domains such as localhost and 127.0.0.1...
CVE-2019-10459
Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhook URLs containing a secret token unencrypted in its global configuration file and job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system...
CVE-2019-10459
Jenkins Mattermost Notification Plugin 2.7.0 and earlier stored webhook URLs containing a secret token unencrypted in its global configuration file and job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system...