
16 matches found

Snyk
added 2026/05/20 3:35 p.m. · 6 views

Missing Authentication for Critical Function

Overview symfony/twilio-notifier is a Symfony Twilio Notifier Bridge Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the doParse webhook request parser in the notifier bridge. An attacker can submit forged webhook status events because the pars...

6.9 CVSS · 5.7 AI score
Exploits 0 · References 2
EUVD
added 2026/05/05 11:25 a.m. · 3 views

EUVD-2026-27283

OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when th...

9.1 CVSS · 5.9 AI score · 0.00147 EPSS
Exploits 0 · References 3
Positive Technologies
added 2026/04/10 12:00 a.m. · 1 view

PT-2026-31981

OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered...

6 CVSS · 5.8 AI score · 0.00096 EPSS
Exploits 0 · References 5
Veracode
added 2026/01/15 12:49 p.m. · 7 views

Authentication Bypass

n8n is vulnerable to Authentication Bypass. The vulnerability is due to missing verification of Stripe webhook signatures in the Stripe Trigger node, which allows an attacker to send forged webhook requests and trigger workflows as if they were legitimate Stripe events...

6.5 CVSS · 5.5 AI score · 0.00035 EPSS
Exploits 0 · References 4 · Affected Software 2
RedhatCVE
added 2026/01/09 9:33 a.m. · 2 views

CVE-2024-39807

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels...

5.3 CVSS · 6.9 AI score · 0.00444 EPSS
Exploits 0 · References 1
OSV
added 2025/09/06 7:47 p.m. · 1 view

CVE-2025-58445 Atlantis Exposes Service Version Publicly on /status API Endpoint

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target known...

6.9 CVSS · 6.1 AI score · 0.00128 EPSS
Exploits 1 · References 3
OSV
added 2025/07/09 6:07 p.m. · 4 views

GHSA-9MP4-77WG-RWX9 @clerk/backend Performs Insufficient Verification of Data Authenticity

Impact Applications that use the verifyWebhook helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. Patches @clerk/backend: the helper has been patched as of 2.4.0 @clerk/astro: the helper has been patched as of 2.10.2 @clerk/express: the helper...

7.5 CVSS · 6.2 AI score · 0.00128 EPSS
Exploits 0 · References 3
CNNVD
added 2025/07/09 12:00 a.m. · 1 view

Official Clerk JavaScript SDKs Data Forgery Vulnerability

Official Clerk JavaScript SDKs is a Clerk open source official Javascript repository for Clerk authentication. A data forgery vulnerability exists in the Official Clerk JavaScript SDKs, which stems from insufficient verifyWebhook validation and may result in the acceptance of unsigned webhook...

7.5 CVSS · 6.6 AI score · 0.00128 EPSS
Exploits 0 · References 1
NVD
added 2024/07/03 9:15 a.m. · 12 views

CVE-2024-39807

Mattermost versions 9.5.x <= 9.5.5 and 9.8.0 fail to properly sanitize the recipients of a webhook event which allows an attacker monitoring webhook events to retrieve the channel IDs of archived or restored channels...

5.3 CVSS · 0.00444 EPSS
Exploits 0 · References 1
Positive Technologies
added 2024/07/03 12:00 a.m. · 2 views

PT-2024-28677 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.5.x through 9.5.5 Mattermost version 9.8.0 Description: The issue arises from the improper sanitization of recipients of a webhook event, allowing an attacker who is monitoring these events to obtain the channel IDs of...

5.3 CVSS · 7.1 AI score · 0.00444 EPSS
Exploits 0 · References 3
CVE
added 2023/12/15 9:59 p.m. · 74 views

CVE-2023-50728

CVE-2023-50728 affects the octokit/webhooks library used by Node.js projects. The root cause is a flaw in error handling where an error can be undefined, causing an uncaught exception that terminates the Node.js process. Affected versions include 9.26.0 through 9.26.3, 10.9.2, 11.1.2, and 12.0.4....

7.5 CVSS · 6.2 AI score · 0.00479 EPSS
Exploits 0 · References 8 · Affected Software 3
OSV
added 2023/12/15 9:59 p.m. · 12 views

CVE-2023-50728 Unauthenticated Denial of Service in the octokit/webhooks library

octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request w...

5.4 CVSS · 7.3 AI score · 0.00479 EPSS
Exploits 0 · References 10
Prion
added 2022/07/29 10:15 a.m. · 13 views

Code injection

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

5 CVSS · 7.4 AI score · 0.00221 EPSS
Exploits 1 · References 3 · Affected Software 1
Cvelist
added 2022/07/29 10:00 a.m. · 12 views

CVE-2022-24912 Timing Attack

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

7.5 CVSS · 7.6 AI score · 0.00221 EPSS
Exploits 1 · References 3
Tenable Nessus
added 2019/03/05 12:00 a.m. · 23 views

Atlassian JIRA < 7.6.7 / 7.7.x < 7.11.0 Information Disclosure

According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is potentially affected by an information disclosure vulnerability due to webhook events being sent improperly due to issues in the related JQL filter...

5.9 CVSS · 6 AI score · 0.00258 EPSS
Exploits 1 · References 2
CNVD
added 2018/07/26 12:00 a.m. · 2 views

Atlassian Jira Webhooks Component Information Disclosure Vulnerability

Atlassian Jira is a defect tracking management system from Atlassian Australia. The system is used to track and manage all types of issues and defects in the workplace, and Webhooks is one of the components that provides real-time information to the system. An information disclosure vulnerability...

5.9 CVSS · 5.6 AI score · 0.00258 EPSS
Exploits 1 · References 1