10 matches found

OSV
added 2026/03/26 7:8 p.m., 0 views

GHSA-WV46-V6XC-2QHF OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.

Summary: Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric userid recorded by the webhook event. Affected Packages / Versions: - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

CVSS 6, AI score 5.8, EPSS 0.00096
Exploits 0, References 6

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2024-46509

Malicious code in bioql PyPI...

CVSS 4.3, AI score 4.8, EPSS 0.00278
Exploits 0, References 1

Veracode
added 2024/07/04 11:10 a.m., 10 views

Information Disclosure

github.com/mattermost/mattermost-server is vulnerable to Information Disclosure. The vulnerability is due to a failure to properly sanitize the recipients of a webhook event, allowing attackers monitoring webhook events to retrieve the channel IDs of archived or restored channels...

CVSS 5.3, AI score 7, EPSS 0.00444
Exploits 0, References 4, Affected Software 1

Vulnrichment
added 2024/07/03 8:31 a.m., 15 views

CVE-2024-39807 Channel IDs of archived/restored channels leaked via webhook events

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels...

CVSS 3.1, AI score 6.8, EPSS 0.00444
Exploits 0, References 1

NVD
added 2024/05/26 2:15 p.m., 9 views

CVE-2024-5272

Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked as finished...

CVSS 4.3, AI score 4.6, EPSS 0.00278
Exploits 0, References 1

OSV
added 2024/05/26 2:15 p.m., 2 views

CVE-2024-5272

Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked as finished...

CVSS 4.3, AI score 4.8
Exploits 0, References 1

Cvelist
added 2024/05/26 1:29 p.m., 9 views

CVE-2024-5272 Run Details leak to guest via webhook event "custom_playbooks_playbook_run_updated"

Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked as finished...

CVSS 4.3, AI score 4.6, EPSS 0.00278
Exploits 0, References 1

CVE
added 2024/05/26 1:29 p.m., 58 views

CVE-2024-5272

The CVE-2024-5272 issue is an Improper Access Control in Mattermost where the audience of the custom_playbooks_playbook_run_updated webhook is not restricted. A guest in a channel with a linked playbook run can view all details of the playbook run once it is marked as finished. Affected versions ...

CVSS 4.3, AI score 4.6, EPSS 0.00278
Exploits 0, References 1, Affected Software 1

Vulnrichment
added 2024/05/26 1:29 p.m., 12 views

CVE-2024-5272 Run Details leak to guest via webhook event "custom_playbooks_playbook_run_updated"

Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to restrict the audience of the "custom_playbooks_playbook_run_updated" webhook event, which allows a guest on a channel with a playbook run linked to see all the details of the playbook run when the run is marked as finished...

CVSS 4.3, AI score 6.8, EPSS 0.00278
Exploits 0, References 1

Cvelist
added 2022/07/29 10:0 a.m., 12 views

CVE-2022-24912 Timing Attack

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

CVSS 7.5, AI score 7.6, EPSS 0.00221
Exploits 1, References 3