40 matches found

Snyk
added 2026/04/09 10:10 p.m. · 4 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the authentication for Google OIDC tokens in the GCR Receiver webhook endpoint. An attacker can trigger unauthorized reconciliation of resources by presenting any valid Google-issued...

CVSS 6.3 · AI score 5.8 · EPSS 0.00127
Exploits 0 · References 2
ATTACKERKB
added 2026/04/02 5:26 p.m. · 2 views

CVE-2026-34590

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl format check, missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The updat...

CVSS 5.4 · AI score 5.8 · EPSS 0.00226
Exploits 1 · References 4 · Affected Software 1
Snyk
added 2026/03/31 11:50 p.m. · 4 views

Replay Attack

Overview: @openclaw/voice-call is an OpenClaw voice-call plugin. Affected versions of this package are vulnerable to Replay Attack in the webhook-security.ts process. An attacker can bypass replay protection by capturing a valid signed webhook and resending it with reordered query parameters, there...

CVSS 8.2 · AI score 5.9 · EPSS 0.00149
Exploits 0 · References 2
Snyk
added 2026/03/31 11:50 p.m. · 6 views

Replay Attack

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Replay Attack in the webhook-security.ts process. An attacker can bypass replay protection by capturing a valid signed webhook and resending it with reordered query parameters, thereby...

CVSS 8.2 · AI score 5.9 · EPSS 0.00149
Exploits 0 · References 2
Github Security Blog
added 2026/03/31 11:50 p.m. · 12 views

OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering

Summary Plivo V3 signature verification canonicalized query ordering, but replay detection hashed the raw verification URL. Reordering query parameters preserved a valid signature while producing a fresh replay-cache key. Impact An attacker who captured one valid signed Plivo V3 webhook could...

CVSS 8.2 · AI score 5.9 · EPSS 0.00149
Exploits 0 · References 3 · Affected Software 1
Snyk
added 2026/03/26 6:56 p.m. · 2 views

Replay Attack

Overview: @openclaw/voice-call is an OpenClaw voice-call plugin. Affected versions of this package are vulnerable to Replay Attack due to improper derivation of the replay key in the webhook-security.ts process. An attacker can bypass replay protection and submit multiple authenticated requests by...

CVSS 8.3 · AI score 5.9 · EPSS 0.00283
Exploits 0 · References 2
Github Security Blog
added 2026/03/26 6:56 p.m. · 4 views

OpenClaw: Plivo V2 verified replay identity drifts on query-only variants

Summary Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-on...

CVSS 8.3 · AI score 5.9 · EPSS 0.00283
Exploits 0 · References 6 · Affected Software 1
OSV
added 2026/03/26 6:56 p.m. · 2 views

GHSA-CG6C-Q2HX-69H7 OpenClaw: Plivo V2 verified replay identity drifts on query-only variants

Summary Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-on...

CVSS 8.2 · AI score 5.8 · EPSS 0.00283
Exploits 0 · References 6
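
The Plivo V3 and V2 entries above share one root cause: the replay-cache key was derived from bytes the signature never authenticated. For V3 the signature canonicalizes query order but the replay key hashed the raw URL, so reordering parameters minted a fresh key; for V2 the signature covers only baseUrl + nonce but the replay key included the unsigned query string, so appending any query produced "fresh verified work". The TypeScript below is an added example, not OpenClaw's webhook-security.ts and not Plivo's real signing scheme: it uses a constructed HMAC-SHA256 stand-in, a constructed auth token and constructed request URLs to show the vulnerable and fixed key derivations for both shapes side by side.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Constructed stand-in for the provider auth token (this is not Plivo's real scheme).
const AUTH_TOKEN = "constructed-auth-token";

// Sort query pairs by key, then value, so ?b=2&a=1 and ?a=1&b=2 canonicalize to one string.
export function canonicalUrl(rawUrl: string): string {
  const u = new URL(rawUrl);
  const pairs: [string, string][] = [];
  u.searchParams.forEach((v, k) => pairs.push([k, v]));
  pairs.sort(([ka, va], [kb, vb]) => (ka === kb ? va.localeCompare(vb) : ka.localeCompare(kb)));
  const q = new URLSearchParams(pairs).toString();
  return u.origin + u.pathname + (q ? "?" + q : "");
}

// URL without query: the only URL bytes the V2-style signature covers.
export function baseUrl(rawUrl: string): string {
  const u = new URL(rawUrl);
  return u.origin + u.pathname;
}

function hmacHex(data: string): string {
  return createHmac("sha256", AUTH_TOKEN).update(data).digest("hex");
}

function equalHex(a: string, b: string): boolean {
  const ba = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// V3-style: the signature authenticates canonical URL + body, so query order is irrelevant.
export function signV3(rawUrl: string, body: string): string {
  return hmacHex(canonicalUrl(rawUrl) + "\n" + body);
}
export function verifyV3(rawUrl: string, body: string, sig: string): boolean {
  return equalHex(signV3(rawUrl, body), sig);
}

// V2-style: the signature authenticates baseUrl + nonce only; the query string is unsigned.
export function signV2(rawUrl: string, nonce: string): string {
  return hmacHex(baseUrl(rawUrl) + "\n" + nonce);
}
export function verifyV2(rawUrl: string, nonce: string, sig: string): boolean {
  return equalHex(signV2(rawUrl, nonce), sig);
}

// Vulnerable derivation from both advisories: the replay key hashes the raw verification URL,
// i.e. bytes the signature never covered (query order for V3, the whole query for V2).
export function replayKeyUnsafe(rawUrl: string, ...rest: string[]): string {
  return createHash("sha256").update([rawUrl, ...rest].join("\n")).digest("hex");
}

// Fixed derivation: key = hash(exactly the signed material, signature). Every request that
// verifies as the same signed message maps to the same key.
export function replayKeySafe(signedMaterial: string, sig: string): string {
  return createHash("sha256").update(signedMaterial + "\n" + sig).digest("hex");
}

// Capture one valid V3 webhook, then replay it with the query parameters reordered.
export function demoV3(): { unsafeAcceptsReplay: boolean; safeAcceptsReplay: boolean } {
  const original = "https://bot.example/plivo/v3?CallUUID=abc&Event=Hangup";
  const reordered = "https://bot.example/plivo/v3?Event=Hangup&CallUUID=abc";
  const body = "{}";
  const sig = signV3(original, body);
  if (!verifyV3(reordered, body, sig)) throw new Error("reordered query must still verify");
  const unsafeSeen = new Set([replayKeyUnsafe(original, body, sig)]);
  const safeSeen = new Set([replayKeySafe(canonicalUrl(original) + "\n" + body, sig)]);
  return {
    unsafeAcceptsReplay: !unsafeSeen.has(replayKeyUnsafe(reordered, body, sig)),
    safeAcceptsReplay: !safeSeen.has(replayKeySafe(canonicalUrl(reordered) + "\n" + body, sig)),
  };
}

// Capture one valid V2 webhook, then replay it with an unsigned query string appended.
export function demoV2(): { unsafeAcceptsReplay: boolean; safeAcceptsReplay: boolean } {
  const original = "https://bot.example/plivo/v2";
  const variant = "https://bot.example/plivo/v2?x=1";
  const nonce = "n-0001";
  const sig = signV2(original, nonce);
  if (!verifyV2(variant, nonce, sig)) throw new Error("query-only variant must still verify");
  const unsafeSeen = new Set([replayKeyUnsafe(original, nonce, sig)]);
  const safeSeen = new Set([replayKeySafe(baseUrl(original) + "\n" + nonce, sig)]);
  return {
    unsafeAcceptsReplay: !unsafeSeen.has(replayKeyUnsafe(variant, nonce, sig)),
    safeAcceptsReplay: !safeSeen.has(replayKeySafe(baseUrl(variant) + "\n" + nonce, sig)),
  };
}
```

The rule the fix encodes: derive the replay identity from exactly the material the signature covers (canonical URL and body for the V3-style scheme, base URL and nonce for the V2-style scheme) plus the signature itself. Any extra bytes in the key that the signature does not bind let an attacker turn one captured request into an unlimited supply of fresh cache keys.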
OSV
added 2026/03/18 5:25 p.m. · 3 views

GHSA-G5PH-F57V-MWJC OneUptime WhatsApp Webhook Missing Signature Verification

Summary The WhatsApp POST webhook handler /notification/whatsapp/webhook processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery stat...

CVSS 8.7 · AI score 6.1 · EPSS 0.00182
Exploits 1 · References 3
Github Security Blog
added 2026/03/13 8:55 p.m. · 22 views

OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured

Summary Feishu webhook mode allowed deployments that configured only verificationToken without encryptKey. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary. Impact An unauthenticated network...

CVSS 9.8 · AI score 5.9 · EPSS 0.00247
Exploits 0 · References 7 · Affected Software 1
OSV
added 2026/03/03 1:29 p.m. · 4 views

BIT-DISCOURSE-2026-26077 Discourse doesn't ensure webhooks require a token

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController accepted requests without a valid authentication token when no token was configured. This...

CVSS 6.5 · AI score 5.9 · EPSS 0.0024
Exploits 0 · References 2
RedhatCVE
added 2026/01/28 9:16 p.m. · 6 views

CVE-2026-24736

Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restri...

CVSS 9.1 · AI score 6 · EPSS 0.0042
Exploits 1 · References 1
ATTACKERKB
added 2026/01/27 8:54 p.m. · 9 views

CVE-2026-24736

Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define "Webhooks" as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restri...

CVSS 9.1 · AI score 6 · EPSS 0.0042
Exploits 1 · References 2 · Affected Software 1
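
The Postiz and Squidex entries both concern a user-supplied webhook URL that the server later fetches; without a target check that is SSRF against anything reachable from the server, cloud metadata included. The validator below is an added example, not Postiz's @IsSafeWebhookUrl decorator and not Squidex code; the function names, the blocklist and the sample URLs are constructed for illustration. It takes the addresses the caller has already resolved for the hostname rather than resolving itself, because a validator that resolves once and then lets the HTTP client resolve again is defeated by DNS rebinding.

```typescript
import { isIPv4, isIPv6 } from "node:net";

// IPv4 ranges a webhook must never reach: "this" network, RFC 1918, CGNAT, loopback,
// link-local (cloud metadata sits at 169.254.169.254), multicast and reserved. Constructed list.
const BLOCKED_V4: [string, number][] = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inV4Block(ip: string, net: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
}

// Decode the IPv4 embedded in an IPv4-mapped IPv6 address. WHATWG URL parsing serialises
// ::ffff:10.0.0.5 as ::ffff:a00:5, so both the dotted and the hex form must be handled.
function unmapV6(ip: string): string | null {
  const dotted = ip.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return dotted[1];
  const hex = ip.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!hex) return null;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
}

export function isPrivateAddress(ip: string): boolean {
  if (isIPv4(ip)) return BLOCKED_V4.some(([net, bits]) => inV4Block(ip, net, bits));
  if (!isIPv6(ip)) return true; // not an address at all: treat as unsafe
  const low = ip.toLowerCase();
  const mapped = unmapV6(low);
  if (mapped !== null) return isPrivateAddress(mapped);
  if (low === "::1" || low === "::") return true; // loopback, unspecified
  if (/^fe[89ab]/.test(low)) return true;         // link-local fe80::/10
  if (/^f[cd]/.test(low)) return true;            // unique-local fc00::/7
  return false;
}

export type Verdict = { ok: true } | { ok: false; reason: string };

// `resolved` holds the addresses the caller resolved for the hostname. The caller must then
// connect to one of exactly those addresses (address pinning); validating here and letting the
// HTTP client resolve again hands a DNS-rebinding attacker a second, unchecked answer.
export function checkWebhookTarget(rawUrl: string, resolved: string[]): Verdict {
  let u: URL | null = null;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    u = null;
  }
  if (u === null) return { ok: false, reason: "unparseable URL" };
  if (u.protocol !== "https:" && u.protocol !== "http:") return { ok: false, reason: "scheme " + u.protocol };
  if (u.username || u.password) return { ok: false, reason: "credentials in URL" };
  // hostname keeps the brackets of an IPv6 literal; numeric hosts (2130706433, 0x7f.1) are
  // already normalised to dotted-quad by the URL parser.
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  const addrs = isIPv4(host) || isIPv6(host) ? [host] : resolved;
  if (addrs.length === 0) return { ok: false, reason: "no resolved address" };
  const bad = addrs.find((a) => isPrivateAddress(a));
  return bad === undefined ? { ok: true } : { ok: false, reason: "blocked address " + bad };
}

// Constructed inputs: a public target, cloud metadata, a decimal loopback literal, a mapped
// private address, a rebinding-style mixed DNS answer, and a non-HTTP scheme.
export function demo(): Record<string, boolean> {
  return {
    publicHost: checkWebhookTarget("https://hooks.example.com/x", ["203.0.113.7"]).ok,
    metadata: checkWebhookTarget("http://169.254.169.254/latest/meta-data/", []).ok,
    decimalLoopback: checkWebhookTarget("http://2130706433/", []).ok,
    mappedPrivate: checkWebhookTarget("http://[::ffff:10.0.0.5]/", []).ok,
    rebinding: checkWebhookTarget("https://evil.example/", ["203.0.113.7", "127.0.0.1"]).ok,
    nonHttp: checkWebhookTarget("ftp://hooks.example.com/", ["203.0.113.7"]).ok,
  };
}
```

Two cases a naive string blocklist misses are covered deliberately: the WHATWG URL parser turns http://2130706433/ into 127.0.0.1 and serialises an IPv4-mapped IPv6 literal in hex, so the check works on decoded addresses rather than pattern-matching on dotted quads. A mixed DNS answer is rejected outright because the client cannot be trusted to pick the public address.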
Positive Technologies
added 2026/01/13 12:00 a.m. · 5 views

PT-2026-2559

n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured...

CVSS 5.3 · AI score 6.5 · EPSS 0.00253
Exploits 0 · References 6
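
The n8n entry describes an IP allowlist that used substring containment instead of equality, so an entry of 10.0.0.1 also admitted 110.0.0.12. The example below is added here and is not n8n's Webhook node code; it contrasts the containment check with exact comparison over canonical addresses (trimmed, lowercased, IPv6 zone ID stripped, IPv4-mapped IPv6 unwrapped, IPv6 expanded to full form) so that textual variants of one address neither slip through nor get wrongly rejected. The allowlist and sample peers are constructed.

```typescript
import { isIPv4, isIPv6 } from "node:net";

// Vulnerable pattern from the advisory: containment instead of equality. An allowlist entry
// "10.0.0.1" also admits 110.0.0.12, 10.0.0.10, 210.0.0.1 and anything else containing it.
export function allowedBySubstring(sourceIp: string, allowlist: string[]): boolean {
  return allowlist.some((entry) => sourceIp.includes(entry));
}

// Expand an IPv6 address to eight zero-padded groups so textual variants compare equal.
function expandIpv6(ip: string): string {
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const fill = new Array<string>(8 - h.length - t.length).fill("0");
  const groups = ip.includes("::") ? [...h, ...fill, ...t] : h;
  return groups.map((g) => g.padStart(4, "0")).join(":");
}

// Canonical form: trimmed, lowercased, zone id removed, IPv4-mapped IPv6 (dotted or hex form)
// unwrapped to plain IPv4, IPv6 fully expanded. Returns null for anything that is not an address.
export function normalizeIp(raw: string): string | null {
  const s = raw.trim().toLowerCase().replace(/%.*$/, "");
  if (isIPv4(s)) return s;
  if (!isIPv6(s)) return null;
  const dotted = s.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return dotted[1];
  const full = expandIpv6(s);
  if (full.startsWith("0000:0000:0000:0000:0000:ffff:")) {
    const [hi, lo] = full.split(":").slice(6).map((g) => parseInt(g, 16));
    return `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`;
  }
  return full;
}

// Exact comparison over canonical forms; anything unparseable is rejected.
export function allowedExact(sourceIp: string, allowlist: string[]): boolean {
  const src = normalizeIp(sourceIp);
  if (src === null) return false;
  return allowlist.some((entry) => normalizeIp(entry) === src);
}

// Constructed allowlist and sample peers; each value is "was the peer accepted?".
export function demo(): Record<string, boolean> {
  const allow = ["10.0.0.1", "2001:db8::1"];
  return {
    substringCheck_110_0_0_12: allowedBySubstring("110.0.0.12", allow),              // true (wrong)
    exactCheck_110_0_0_12: allowedExact("110.0.0.12", allow),                        // false
    exactCheck_10_0_0_1: allowedExact("10.0.0.1", allow),                            // true
    exactCheck_mappedV6: allowedExact("::ffff:10.0.0.1", allow),                     // true
    exactCheck_hexMappedV6: allowedExact("::ffff:a00:1", allow),                     // true
    exactCheck_longFormV6: allowedExact("2001:0DB8:0000:0000:0000:0000:0000:0001", allow), // true
    exactCheck_garbage: allowedExact("10.0.0.1 OR 1=1", allow),                      // false
  };
}
```

The source address handed to these functions must be the socket peer address, or a forwarding header written by a proxy you control; an allowlist compared against an attacker-supplied X-Forwarded-For value is not an allowlist.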
EUVD
added 2025/10/03 8:07 p.m. · 9 views

EUVD-2023-1677

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 4.7 · EPSS 0.00437
Exploits 0 · References 3
RedhatCVE
added 2025/05/23 4:54 a.m. · 8 views

CVE-2023-2783

Mattermost Apps Framework fails to verify the secret provided in the incoming webhook request, allowing an attacker to modify the contents of the post sent by the Apps...

CVSS 4.3 · AI score 6.6 · EPSS 0.00437
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 4:35 a.m. · 6 views

CVE-2023-41327

WireMock is a tool for mocking HTTP services. WireMock can be configured to only permit proxying and therefore recording to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first. Until WireMock Webhook...

CVSS 5.4 · AI score 7 · EPSS 0.00469
Exploits 0 · References 1
RedhatCVE
added 2025/02/05 7:41 p.m. · 10 views

CVE-2022-39292

Slack Morphism is a modern client library for Slack Web/Events API/Socket Mode and Block Kit. Debug logs expose sensitive URLs for Slack webhooks that contain private information. The problem is fixed in version 1.3.2 which redacts sensitive URLs for webhooks. As a workaround, people who use Slac...

CVSS 7.5 · AI score 6.6 · EPSS 0.00657
Exploits 0 · References 1
Cvelist
added 2023/01/12 12:00 a.m. · 32 views

CVE-2022-4342

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the webhook...

CVSS 5.5 · AI score 5.7 · EPSS 0.00731
Exploits 0 · References 3
OSV
added 2022/07/28 12:00 a.m. · 28 views

GHSA-MXCC-7H5M-X57R Jenkins GitHub plugin uses weak webhook signature function

Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. GitHub Plugin 1.34.5 uses a constant-time comparis...

CVSS 3.1 · AI score 6.5 · EPSS 0.00721
Exploits 0 · References 7
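
Three entries in this list describe the same verification step failing in different ways: OneUptime skipped the X-Hub-Signature-256 HMAC check entirely, Discourse accepted requests when no token was configured, and the Jenkins GitHub plugin compared signatures with an early-exit function. The TypeScript below is an added example, not code from any of those projects. It implements the Meta/GitHub-style `sha256=<hex>` header check fail-closed with a constant-time comparison, and keeps an instrumented early-exit comparison beside it whose `bytesCompared` counter makes the timing oracle visible without a stopwatch. The secret, body and header values are constructed.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Header value in the Meta/GitHub convention: "sha256=" + hex(HMAC-SHA256(secret, raw body)).
// The HMAC must run over the raw request bytes, not over a re-serialised parsed object.
export function computeSignature(secret: string, rawBody: Buffer): string {
  return "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Early-exit comparison of the kind the Jenkins advisory describes. `bytesCompared` is what an
// attacker measures as latency: it grows with the length of the correct prefix, one byte at a time.
export function compareLeaky(a: string, b: string): { equal: boolean; bytesCompared: number } {
  if (a.length !== b.length) return { equal: false, bytesCompared: 0 };
  for (let i = 0; i < a.length; i++) {
    if (a.charCodeAt(i) !== b.charCodeAt(i)) return { equal: false, bytesCompared: i + 1 };
  }
  return { equal: true, bytesCompared: a.length };
}

// Constant-time comparison: running time depends only on length, which is public anyway.
export function compareConstantTime(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

export interface Verdict { accepted: boolean; reason: string }

// Fail-closed verifier: an unconfigured secret or a missing header rejects, never skips.
export function verifyWebhook(secret: string | undefined, rawBody: Buffer, header: string | undefined): Verdict {
  if (!secret) return { accepted: false, reason: "no secret configured" };
  if (!header) return { accepted: false, reason: "missing X-Hub-Signature-256" };
  if (!header.startsWith("sha256=")) return { accepted: false, reason: "unexpected prefix" };
  const ok = compareConstantTime(computeSignature(secret, rawBody), header);
  return ok ? { accepted: true, reason: "signature ok" } : { accepted: false, reason: "signature mismatch" };
}

// Fail-open variant for contrast (the shape of the Discourse bug): an unconfigured secret
// disables the check, and `===` is an early-exit comparison.
export function verifyWebhookFailOpen(secret: string | undefined, rawBody: Buffer, header: string | undefined): boolean {
  if (!secret) return true;
  return header === computeSignature(secret, rawBody);
}

// Constructed secret, body and headers. The forged header differs at the first hex digit; the
// "prefix guess" shares 20 correct characters and then differs, so the leaky comparison's counter
// is deterministic (8 and 21) whatever the secret is.
export function demo() {
  const secret = "constructed-app-secret";
  const rawBody = Buffer.from('{"entry":[{"changes":[{"value":{"statuses":[{"status":"failed"}]}}]}]}');
  const good = computeSignature(secret, rawBody);
  const flip = (c: string) => (c === "0" ? "1" : "0");
  const forged = good.slice(0, 7) + flip(good[7]) + "0".repeat(good.length - 8);
  const prefixGuess = good.slice(0, 20) + flip(good[20]) + "0".repeat(good.length - 21);
  return {
    validAccepted: verifyWebhook(secret, rawBody, good).accepted,
    forgedRejected: !verifyWebhook(secret, rawBody, forged).accepted,
    noSecretRejected: !verifyWebhook(undefined, rawBody, good).accepted,
    failOpenAcceptsForgery: verifyWebhookFailOpen(undefined, rawBody, forged),
    leakyBytesForged: compareLeaky(good, forged).bytesCompared,
    leakyBytesPrefixGuess: compareLeaky(good, prefixGuess).bytesCompared,
  };
}
```

The two counters are the whole story of the Jenkins bug: a guess that is wrong from the first hex digit is rejected after 8 comparisons, a guess whose first 13 hex digits are right survives 21, and averaging enough requests turns that difference into a byte-by-byte recovery of the valid signature. timingSafeEqual removes the dependence on where the first mismatch is.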