733 matches found
CVE-2026-62234
Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to...
CVE-2025-71388
CVE-2025-71388 affects stoatchat (delta/Revolt) versions from 20241213-1 up to before 20250210-1. The issue stems from the webhook fetch endpoint checking ViewChannel (read) instead of ManageWebhooks, allowing users with only channel read permission to retrieve the channel’s webhooks and their to...
n8n Webhooks - Remote Code Execution
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker,...
CVE-2026-11964
The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without...
CVE-2026-56252
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks...
EUVD-2026-43225
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks...
CVE-2026-56252 Capgo - Scope Isolation Failure in Webhook Test Endpoint
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks...
CVE-2026-56252
Capgo before 12.128.2 is affected by a scope isolation vulnerability in the POST /webhooks/test endpoint. The issue allows app-scoped API keys to invoke organization-scoped webhook operations, enabling attackers with app-scoped credentials to trigger signed outbound webhook deliveries for arbitra...
CVE-2026-56252 Capgo - Scope Isolation Failure in Webhook Test Endpoint
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks...
Malicious code in google-caja-bower (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e34339f1be6afb8a41b6dbe2f7d7c480d5a438a67ff119b235d1d98ffa2b2e4a [email protected] declares scripts.preinstall = 'node index.js', so index.js runs automatically on npm install. index.js walks the...
CVE-2026-59155
Nezha Monitoring (self-hosted) had a credential exposure flaw prior to version 2.2.5. The GET endpoints /api/v1/ddns and /api/v1/notification returned full resource objects that included plaintext third-party API credentials (Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram ...
EUVD-2026-42880
Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...
CVE-2026-15192
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to...
CVE-2026-15192
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to...
EUVD-2026-42624
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to...
CVE-2026-15192
CVE-2026-15192 affects mettle SendPortal up to version 3.0.1, targeting APIv1 Webhooks. The vulnerability involves the sendgrid/postmark/postal/mailjet functions, with missing authentication reported as remotely exploitable. Public disclosure and PoC–level exploit maturity are indicated, but no e...
CVE-2026-15192 mettle sendportal APIv1 Webhooks mailjet missing authentication
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to...
CVE-2026-15192 mettle sendportal APIv1 Webhooks mailjet missing authentication
A vulnerability has been found in mettle sendportal up to 3.0.1. This issue affects the function sendgrid/postmark/postal/mailjet of the component APIv1 Webhooks. The manipulation leads to missing authentication. The attack is possible to be carried out remotely. The exploit has been disclosed to...
EUVD-2026-42258
n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data...
CVE-2026-44937
Potential forgery of webhook requests when using a unauthenticated webhook in SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.5 could be used by remote attackers to cause a denial of service or a downgrade attack on other repositories on the...