CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 3 days ago•5 views

EUVD-2026-38115

5.4CVSS5.8AI score

RedhatCVE•added 2026/06/05 7:21 p.m.•6 views

CVE-2026-41688

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname but passes the original hostname to cURL without CURLOPTRESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS...

7.7CVSS5.5AI score0.00227EPSS

RedhatCVE•added 2026/05/27 8:13 p.m.•8 views

CVE-2026-44502

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be partially bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For...

4.3CVSS5.8AI score0.00286EPSS

NVD•added 2026/05/26 5:16 p.m.•15 views

CVE-2026-44502

4.3CVSS0.00286EPSS

Cvelist•added 2026/05/26 4:13 p.m.•26 views

CVE-2026-44502 Bugsink: SSRF bypass in `validate_webhook_url`

4.3CVSS0.00286EPSS

ATTACKERKB•added 2026/05/26 4:13 p.m.•6 views

CVE-2026-44502

4.3CVSS5.8AI score0.00286EPSS

Exploits0References4Affected Software1

CNNVD•added 2026/05/26 12:0 a.m.•8 views

Bugsink 代码问题漏洞

Bugsink is an open-source, self-hosted bug tracking software developed by Bugsink. Versions of Bugsink prior to 2.1.3 had code vulnerabilities. These vulnerabilities stemmed from URL parsing issues, which allowed partial bypass of Webhook URL validation. This could enable attackers to circumvent...

4.3CVSS5.9AI score0.00286EPSS

Exploits0References4

CVE•added 2026/05/22 5:12 p.m.•30 views

CVE-2026-34207

TypeBot SSRF protection bypass (CVE-2026-34207) affects versions

7.6CVSS5.8AI score0.00312EPSS

Cvelist•added 2026/05/22 5:12 p.m.•10 views

CVE-2026-34207 TypeBot: SSRF Protection Bypass via DNS-Resolved Hostnames in Webhook / HTTP Request Validation

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.examp...

7.6CVSS0.00312EPSS

OSV•added 2026/05/08 7:9 p.m.•5 views

GHSA-FP53-QCF8-2XX2 Bunsink has an SSRF bypass in `validate_webhook_url`

Summary Bugsink’s webhook URL validation in versions 2.1.2 and earlier could be partially bypassed because of a mismatch in URL parsing. In some malformed URLs, Python’s standard URL parser urllib and the HTTP client stack requests / urllib3 do not agree on which host is actually being targeted...

4.3CVSS6AI score0.00286EPSS

Exploits0References5

Positive Technologies•added 2026/05/08 12:0 a.m.•9 views

PT-2026-39265

4.3CVSS6AI score0.00286EPSS

Exploits0References6

NVD•added 2026/05/07 3:16 p.m.•7 views

CVE-2026-41688

7.7CVSS0.00227EPSS

Positive Technologies•added 2026/05/07 12:0 a.m.•9 views

PT-2026-38445

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname but passes the original hostname to cURL without CURLOPT RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DN...

7.7CVSS5.8AI score0.00227EPSS

Github Security Blog•added 2026/05/06 9:31 p.m.•7 views

Duplicate Advisory: OpenClaw: Feishu webhook and card-action validation now fail closed

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xh72-v6v9-mwhc. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validatio...

9.8CVSS6AI score0.00718EPSS

Exploits1References5Affected Software1

OSV•added 2026/05/04 3:31 a.m.•4 views

GHSA-P3PQ-HXMR-VQQR Prefect SSRF Bypass via DNS Rebinding in validate_restricted_url

A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validaterestrictedurl of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is...

5CVSS5AI score0.0025EPSS

Exploits0References10

CNNVD•added 2026/04/20 12:0 a.m.•7 views

Vexa 安全漏洞

Vexa is an open-source conference robot and real-time transcription API developed by Vexa.ai. Versions of Vexa prior to 0.10.0-260419-1910 contained security vulnerabilities. These vulnerabilities stemmed from a lack of validation in the Webhook URL, which could allow authenticated attackers to...

5.8CVSS5.8AI score0.00203EPSS

Snyk•added 2026/04/10 7:49 p.m.•1 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the validateWebhookURL function. An administrator can access internal network resources and cloud metadata endpoints by submitting webhook URLs that use hostnames resolving to private IP addresses,...

7CVSS5.8AI score

NVD•added 2026/04/08 7:25 p.m.•3 views

CVE-2026-34719

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses — only the URL scheme HTTP/HTTPS as well as the hostname was checked. This could end up in retrieving...

8.3CVSS0.00244EPSS

EUVD•added 2026/04/08 6:2 p.m.•2 views

EUVD-2026-20559

8.3CVSS5.9AI score0.00244EPSS