Lucene search
+L

5758 matches found

euvd
euvd
added 6 hours ago5 views

EUVD-2026-45108

OpenClaw 2026.2.25 before 2026.5.26 allow a lower-trust caller or configured input path to bypass non-browser rate limits on WebSocket authentication attempts. When the affected feature is enabled and reachable by lower-trust input, this can consume gateway resources and reduce service availabili...

6.3CVSS6.1AI score
Exploits0References2
euvd
euvd
added yesterday6 views

EUVD-2026-44798

MCP Python SDK: WebSocket server transport does not support Host/Origin validation...

7.6CVSS6.1AI score0.00181EPSS
Exploits0References5
cve
cve
added yesterday5 views

CVE-2026-62963

CVE-2026-62963 affects Centrifugo prior to 6.8.4. The unidirectional WebSocket transport with uni_websocket.compression enabled did not cap output after decompression in ReadMessage (internal/websocket/conn.go advanceFrame), allowing unauthenticated requests to /connection/uni_websocket to trigge...

8.7CVSS6.1AI score
Exploits0References4
cvelist
cvelist
added yesterday16 views

CVE-2026-54568 Microsoft UFO: Missing Authorization in DEVICE_INFO_REQUEST Allows a DEVICE Client to Read Another Device's system_info

Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICEINFOREQUEST with another device's targetid and receive that device's server-side systeminfo through...

4.3CVSS
Exploits0References3
attackerkb
attackerkb
added yesterday4 views

CVE-2026-54568

Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICEINFOREQUEST with another device's targetid and receive that device's server-side systeminfo through...

4.3CVSS6.1AI score
Exploits0References4Affected Software1
nvd
nvd
added yesterday7 views

CVE-2026-23538

A vulnerability was identified in the Feast Feature Server's /ws/chat endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU...

7.5CVSS0.0074EPSS
Exploits0References4
cvelist
cvelist
added yesterday21 views

CVE-2026-23538 Feast: resource exhaustion via websocket endpoint

A vulnerability was identified in the Feast Feature Server's /ws/chat endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU...

7.5CVSS0.0074EPSS
Exploits0References3
cve
cve
added yesterday20 views

CVE-2026-23538

The CVE affects Feast: Feast Feature Server /ws/chat accepts unauthenticated, persistent WebSocket connections. An attacker can open many concurrent connections to exhaust memory, CPU, and file descriptors, causing DoS. Affected software: Feast (Python SDK context cited by SNYK for Feast >=0.1...

7.5CVSS6.1AI score0.0074EPSS
Exploits0References4
attackerkb
attackerkb
added yesterday5 views

CVE-2026-23538

A vulnerability was identified in the Feast Feature Server's /ws/chat endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU...

7.5CVSS6.1AI score0.0074EPSS
Exploits0References4
euvd
euvd
added yesterday10 views

EUVD-2026-44838

A vulnerability was identified in the Feast Feature Server's /ws/chat endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU...

7.5CVSS6.1AI score0.0074EPSS
Exploits0References3
nessus
nessus
added yesterday4 views

Linux Distros Unpatched Vulnerability : CVE-2026-62389

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ws before 8.21.1 contains a memory exhaustion vulnerability in lib/receiver.js where the fragment guard only triggers when fragment count reaches maxFragments,...

8.7CVSS6.1AI score0.0045EPSS
Exploits0References3
nvd
nvd
added 2 days ago7 views

CVE-2026-54458

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin. Any unauthenticated remote attacker can execute arbitrary JavaScript in the authenticated origin of every administrator currently viewing a page th...

9.6CVSS0.00303EPSS
Exploits0References2
nvd
nvd
added 2 days ago7 views

CVE-2026-49279

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a Stored XSS vulnerability through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json'msg', but msgToResourceId reads from...

7.7CVSS0.00327EPSS
Exploits0References2
cve
cve
added 2 days ago16 views

CVE-2026-54458

CVE-2026-54458 (AVideo YPTSocket XSS) affects WWBN’s AVideo with the YPTSocket plugin (versions prior to 29.0). The vulnerability is an unauthenticated stored DOM XSS: getWebSocket.json.php issues a signed WebSocket token; MessageSQLiteV2::onOpen reads webSocketSelfURI and page_title from the Web...

9.6CVSS6.3AI score0.00303EPSS
Exploits0References2
nvd
nvd
added 2 days ago7 views

CVE-2026-59950

The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to 1.28.1, the deprecated mcp.server.websocket.websocketserver transport accepted WebSocket handshakes without applying Host or Origin header validation, leaving no SDK-level way to restric...

7.6CVSS0.00181EPSS
Exploits0References4
cve
cve
added 2 days ago22 views

CVE-2026-49279

CVE-2026-49279 (WWBN AVideo) describes a stored XSS in the WebSocket messaging system. The vulnerability arises because MessageSQLite.php only strips autoEvalCodeOnHTML from json["msg"], while msgToResourceId() favors json over msg, allowing an attacker to place the payload in json and bypass san...

7.7CVSS6.3AI score0.00327EPSS
Exploits0References2
cve
cve
added 2 days ago9 views

CVE-2026-59950

The MCP Python SDK (package name mcp on PyPI) contains a vulnerability in the deprecated mcp.server.websocket.websocket_server transport prior to version 1.28.1, which accepted WebSocket handshakes without Host or Origin header validation. This prevents restrictions on originating connections to ...

7.6CVSS6.1AI score0.00181EPSS
Exploits0References4
nvd
nvd
added 2 days ago5 views

CVE-2026-62389

ws before 8.21.1 contains a memory exhaustion vulnerability in lib/receiver.js where the fragment guard only triggers when fragment count reaches maxFragments, allowing attackers to exhaust memory by sending incomplete fragmented WebSocket messages. Attackers can send a text frame with FIN=0...

8.7CVSS0.0045EPSS
Exploits0References4
cvelist
cvelist
added 2 days ago31 views

CVE-2026-62389 ws < 8.21.1 Default maxFragments Allows Memory Exhaustion DoS

ws before 8.21.1 contains a memory exhaustion vulnerability in lib/receiver.js where the fragment guard only triggers when fragment count reaches maxFragments, allowing attackers to exhaust memory by sending incomplete fragmented WebSocket messages. Attackers can send a text frame with FIN=0...

8.7CVSS0.0045EPSS
Exploits0References4
cve
cve
added 2 days ago5 views

CVE-2026-62389

CVE-2026-62389 affects the ws WebSocket library up to version 8.21.0 (pre-8.21.1). Root cause: in lib/receiver.js, the fragment guard only triggers when fragment count reaches maxFragments, allowing memory exhaustion by sending incomplete fragmented messages; each fragment is stored as a separate...

8.7CVSS6.1AI score0.0045EPSS
Exploits0References4
Rows per page
Query Builder