Lucene search
K

31 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/29 5:21 p.m.5 views

CVE-2026-57952

Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints c2profileconfigcheckwebhook, c2profileredirectruleswebhook, c2profilegetiocwebhook, c2profilesamplemessagewebhook that fail to verify payload ownership. An operator in one operation can invoke these...

6CVSS5.8AI score0.00171EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/29 5:21 p.m.7 views

EUVD-2026-40169

Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints c2profileconfigcheckwebhook, c2profileredirectruleswebhook, c2profilegetiocwebhook, c2profilesamplemessagewebhook that fail to verify payload ownership. An operator in one operation can invoke these...

6CVSS5.8AI score0.00171EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/23 3:32 p.m.52 views

CVE-2026-54303 n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints

n8n is an open source workflow automation platform. Prior to 2.24.0, an endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user...

6.8CVSS0.00177EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 3:32 p.m.16 views

CVE-2026-54303

Summary of CVE-2026-54303 (n8n): An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or CSP headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. Affected component: n8n trigger no...

6.8CVSS5.9AI score0.00177EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/20 3:24 p.m.7 views

CVE-2026-56295

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...

6.3CVSS5.9AI score0.00188EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/07 1:52 p.m.7 views

CVE-2026-41688 Incomplete fix for CVE-2026-33399: SSRF in Wallos

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname but passes the original hostname to cURL without CURLOPTRESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS...

7.7CVSS7.3AI score0.00282EPSS
Exploits3References2
Snyk
Snyk
added 2026/03/26 10:32 p.m.4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the provisioning contact points API. An attacker can modify protected webhook URLs without possessing the required permissions by sending crafted requests as a user with the Editor role. Remediation Upgrade...

5.4CVSS5.9AI score0.00238EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/26 10:32 p.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the provisioning contact points API. An attacker can modify protected webhook URLs without possessing the required permissions by sending crafted requests as a user with the Editor role. Remediation Upgrade...

5.4CVSS5.9AI score0.00238EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/26 6:31 p.m.4 views

EUVD-2026-16246

Mattermost Plugins versions =11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589...

4.9CVSS5.8AI score0.00344EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/03/26 12:0 a.m.13 views

Mattermost Plugins 安全漏洞

Mattermost Plugins is a plugin provided by the American company Mattermost, offering powerful feature extensions and tight integration with servers and web/dashboard applications. There are security vulnerabilities in versions prior to 11.4, 11.0.4, 11.1.3, 11.3.2, and 10.11.11.0. These...

4.9CVSS5.8AI score0.00344EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/21 12:0 a.m.10 views

WordPress plugin Appmax 输入验证错误漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

5.3CVSS5.8AI score0.003EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2026/03/06 7:45 p.m.5 views

CVE-2026-27023

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs e.g., webhook endpoints, image URLs could bypass...

5CVSS5.7AI score0.00199EPSS
Exploits0References1
NVD
NVD
added 2026/03/05 10:16 p.m.9 views

CVE-2026-28478

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and...

8.7CVSS0.00436EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/05 4:23 p.m.4 views

CVE-2026-27023

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs e.g., webhook endpoints, image URLs could bypass...

5CVSS5.8AI score0.00199EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/03 1:29 p.m.6 views

BIT-DISCOURSE-2026-26077 Discourse doesn't ensure webhooks require a token

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/02/27 7:44 p.m.9 views

CVE-2026-26077

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References1
NVD
NVD
added 2026/02/26 3:17 p.m.10 views

CVE-2026-26077

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...

6.5CVSS0.0024EPSS
Exploits0References1
OSV
OSV
added 2026/02/26 2:58 p.m.8 views

CVE-2026-26077 Discourse doesn't ensure webhooks require a token

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints SendGrid, Mailjet, Mandrill, Postmark, SparkPost in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/02/26 12:0 a.m.10 views

Discourse 授权问题漏洞

Discourse is an open-source community discussion platform developed by Discourse. This platform includes features such as communities, email communication, and chat rooms. Versions of Discourse before 2025.12.2, 2026.1.1, and 2026.2.0 have vulnerabilities related to authorization. These...

6.5CVSS5.8AI score0.0024EPSS
Exploits0References1
OSV
OSV
added 2026/02/17 6:9 p.m.6 views

GO-2026-4491 Unauthenticated Admission Webhook Endpoints in Yoke ATC in github.com/yokecd/yoke

Unauthenticated Admission Webhook Endpoints in Yoke ATC in github.com/yokecd/yoke...

7.5CVSS5.4AI score0.0041EPSS
Exploits1References3
Rows per page
Query Builder