Lucene search
K

182 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/26 8:16 p.m.8 views

CVE-2026-44847

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint /api/trigger/v1/webhook/triggerid is accessible without authentication. The WebhookAuth class unconditionally returns None, , which Django REST Framework interprets as successful authentication...

7.5CVSS5.9AI score0.00271EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/22 6:43 p.m.13 views

CVE-2026-39969 TypeBot: WhatsApp Webhook Endpoint Missing Signature Verification

TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...

6.5CVSS5.8AI score0.0014EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/22 6:43 p.m.8 views

CVE-2026-39969

TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...

6.5CVSS5.8AI score0.0014EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/20 12:31 a.m.9 views

MAL-2026-4427 Malicious code in @rocketreach/rr-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1c16148ad4c13ad5d5cbfe951d9ca934a0912ab5ad75c3b4afee19be86172fa On npm install, both preinstall and postinstall lifecycle hooks execute postinstall.js, which collects host identifiers hostname, platform, arch, OS...

5.9AI score
Exploits0References1
Cvelist
Cvelist
added 2026/05/19 3:53 p.m.44 views

CVE-2026-47356

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery SSRF via the webhookurl parameter in the file scan endpoint POST /v1/iac/iacVersion/cloud/local/file/scan when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhookurl multipa...

8.7CVSS0.00499EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/15 9:31 p.m.54 views

CVE-2026-45314 Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profileimageurl values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves...

7.4CVSS0.00212EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/15 9:31 p.m.11 views

CVE-2026-45314 Open WebUI: XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the channel webhook create/update flow accepts arbitrary profileimageurl values, including data:image/svg+xml;base64,... payloads. The profile image endpoint then decodes and serves...

7.4CVSS6AI score0.00212EPSS
Exploits1References1
CVE
CVE
added 2026/05/15 9:31 p.m.26 views

CVE-2026-45314

Open WebUI vulnerability CVE-2026-45314 describes a stored XSS in the profile image handling for webhooks. Before version 0.9.3, the channel webhook create/update flow accepts data URLs (data:image/svg+xml;base64,...) for profile_image_url. The API then serves the decoded SVG as image/svg+xml wit...

7.4CVSS6AI score0.00212EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/14 2:39 p.m.8 views

CVE-2026-44308 Spring Cloud AWS: Missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications

Spring Cloud AWS simplifies using AWS managed services in a Spring and Spring Boot applications. From 3.0.0 to 4.0.1, pplications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support @NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping did n...

6.3CVSS5.8AI score0.00179EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/11 6:11 p.m.10 views

Improper Authentication

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Authentication via the handleBlueBubblesWebhookRequest function. An attacker can gain unauthorized access and potentially compromise confidentiality, integrity, and availability ...

9.8CVSS7.1AI score0.00636EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.14 views

PT-2026-39649

Name of the Vulnerable Software and Affected Versions MLflow versions prior to 3.9.0 Description A Server-Side Request Forgery SSRF issue exists where the create webhook function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation. Subsequently, the send webhoo...

7.1CVSS7.2AI score0.00288EPSS
Exploits1References8
OSV
OSV
added 2026/05/06 11:15 p.m.9 views

GHSA-MHC4-QQ83-FMRR axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification

Summary The AxonFlow SDK's WebhookSubscription or equivalent type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook...

5.9CVSS5.8AI score
Exploits0References2
OSV
OSV
added 2026/05/04 8:11 p.m.5 views

GHSA-JCC8-G2Q4-9FXQ Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor

Severity: Medium Component: Webhook Interceptor server/auth/webhook Vulnerability Type: Denial of Service DoS Description The Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint,...

8.2CVSS6AI score0.00607EPSS
Exploits1References6
NVD
NVD
added 2026/04/27 11:16 a.m.8 views

CVE-2026-7113

A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument INSECURENOAUTH results in missing authentication. The attack can be...

6.3CVSS0.00362EPSS
Exploits0References6
CVE
CVE
added 2026/04/27 10:0 a.m.43 views

CVE-2026-7113

CVE-2026-7113 affects NousResearch hermes-agent 0.8.0, specifically the Webhooks Endpoint in gateway/platforms/webhook.py. The issue arises from manipulating the argument _INSECURE_NO_AUTH, resulting in missing authentication and enabling a remote attack. The description notes high attack complex...

6.3CVSS5.2AI score0.00362EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/04/27 10:0 a.m.34 views

CVE-2026-7113 NousResearch hermes-agent Webhooks Endpoint webhook.py missing authentication

A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument INSECURENOAUTH results in missing authentication. The attack can be...

6.3CVSS0.00362EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/04/27 10:0 a.m.5 views

CVE-2026-7113 NousResearch hermes-agent Webhooks Endpoint webhook.py missing authentication

A vulnerability was found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument INSECURENOAUTH results in missing authentication. The attack can be...

6.3CVSS5.2AI score0.00362EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/23 12:31 a.m.4 views

EUVD-2026-25118

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network...

8.5CVSS6AI score0.00236EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/17 12:0 a.m.9 views

monetr 安全漏洞

Monetr is an open-source personal budget management application developed by Monetr. Versions of Monetr 1.12.3 and earlier contained a security vulnerability. This vulnerability stemmed from the Stripe webhook endpoint, which buffered the entire request body in memory, potentially leading to...

8.2CVSS5.8AI score0.00446EPSS
Exploits1References2
CVE
CVE
added 2026/04/15 2:59 p.m.65 views

CVE-2025-12141

CVE-2025-12141 affects Grafana Alerting: users with edit permissions on a contact point (alert.notifications:write or alert.notifications.receivers:test) granted via the fixed role Contact Point Writer within the Editor role can modify destinations of contact points created by others. An attacker...

6.5CVSS5.8AI score0.00255EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder