Lucene search
K

476 matches found

OSV
OSV
added 2026/06/30 11:31 a.m.2 views

OPENSUSE-SU-2026:21182-1 Security update for python-python-engineio

This update for python-python-engineio fixes the following issues: Changes in python-python-engineio: - CVE-2026-48802: remote user can cause the creation of unnecessary background threads in the server through the heartbeat mechanism and cause a DoS bsc1269544 - CVE-2026-48809: size of incoming...

5.8AI score
Exploits0References4
OSV
OSV
added 2026/06/26 8:51 p.m.4 views

GHSA-CGWC-PV48-FHJ5 python-engineio has unbound thread allocation that can cause denial of service

Impact An attacker can cause the creation of unnecessary background threads in the python-engineio server by exploiting the heartbeat mechanism, which launches a thread when a new connection is received, and when the client sends a PONG packet. Note: this issue primarily affects synchronous...

7.5CVSS5.8AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/12 8:34 p.m.14 views

CVE-2026-10142

A flaw was found in kafka-python. A malicious broker or a machine-in-the-middle attacker can exploit a denial-of-service vulnerability in the protocol parser. By sending a specially crafted 4-byte frame length value without proper bounds validation, an attacker can trigger excessive memory...

8.7CVSS5.2AI score0.00348EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.9 views

CVE-2026-2712

The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the receiveheartbeat function in includes/class-wp-optimize-heartbeat.php in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly...

5.4CVSS5.4AI score0.00427EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.8 views

CVE-2026-40943

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat method uses a blocking channel send while holding a mutex, and under specific timin...

8.7CVSS5.7AI score0.00202EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Resets queuepriorityhint when the queue is empty. Originally, with strict order execution, execution could only be completed when the queue was empty. Preempt-to-busy allows for the replacement of an active request...

5.5CVSS6.4AI score0.00269EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/19 7:57 a.m.14 views

CVE-2026-44553

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSIONPOOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin...

8.1CVSS5.7AI score0.00284EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/05/08 7:43 p.m.17 views

Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access Affected Component Socket.IO session state and role-check callsites: - backend/openwebui/socket/main.py lines 330-351, connect handler — role snapshotted into SESSIONPOOL - backend/openwebui/socket/main.py lin...

8.1CVSS5.8AI score0.00284EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/05/08 7:43 p.m.74 views

GHSA-45M8-CPM2-3V65 Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access Affected Component Socket.IO session state and role-check callsites: - backend/openwebui/socket/main.py lines 330-351, connect handler — role snapshotted into SESSIONPOOL - backend/openwebui/socket/main.py lin...

8.1CVSS5.8AI score0.00284EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.22 views

PT-2026-39270

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description Administrative role changes and user deletions do not invalidate the SESSION POOL in-memory dictionary. When a user connects via Socket.IO, their role is snapshotted into this pool. Because the...

8.1CVSS5.8AI score0.00284EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/05/07 8:21 p.m.13 views

CVE-2026-43578

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...

9.1CVSS5.8AI score0.00288EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/06 9:31 p.m.8 views

EUVD-2026-28168

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...

9.1CVSS5.8AI score0.00288EPSS
Exploits0References4
NVD
NVD
added 2026/05/06 8:16 p.m.7 views

CVE-2026-43578

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...

9.1CVSS0.00288EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/06 7:49 p.m.48 views

CVE-2026-43578 OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...

9.1CVSS0.00288EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/06 7:49 p.m.7 views

CVE-2026-43578 OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...

9.1CVSS5.8AI score0.00288EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/06 7:49 p.m.6 views

CVE-2026-43578

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged contex...

9.1CVSS5.8AI score0.00288EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/06 7:49 p.m.18 views

CVE-2026-43578

OpenClaw 2026.3.31 before 2026.4.10 is affected by a privilege-escalation vulnerability in which heartbeat owner downgrade detection misses local background async exec completion events. Attackers can provide untrusted completion content to leave a run in a more privileged context than intended. ...

9.1CVSS5.8AI score0.00288EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/05/06 12:0 a.m.10 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw from 2026.3.31 to 2026.4.10 contained a security vulnerability. This vulnerability stemmed from a failure in the heartbeat owner’s detection mechanism, which overlooked local backend asynchrono...

9.1CVSS5.9AI score0.00288EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/05/05 6:33 p.m.10 views

arthexis (>=0.2.6 <=0.8.0), cg-django-uaa (=2.1.9) +29 more potentially affected by CVE-2026-5766 via django (>=5.2.0 <=5.2.13)

django PYPI version =5.2.0, =0.2.6, =0.1.0, =0.1.0, =1.3.0, =1.92.0.5, =4.2.0, =0.0.7, =3.0.0, =0.1.0, =0.1.1 and more Source cves: CVE-2026-5766 Source advisory: OSV:GHSA-W26R-RMM8-9C29...

6.3CVSS7AI score0.00423EPSS
Exploits0
NVD
NVD
added 2026/05/05 12:16 p.m.18 views

CVE-2026-43566

OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when th...

9.8CVSS0.00423EPSS
Exploits0References3
Rows per page
Query Builder