
33 matches found

CVE
added 2026/05/08 3:45 p.m. | 4 views

CVE-2026-41886

CVE-2026-41886 affects locize client SDK prior to 4.0.21. The issue is missing validation of event.origin in a window.addEventListener("message", …) handler, allowing an attacker-controlled postMessage to trigger internal handlers (editKey, commitKeys, isLocizeEnabled, etc.). Exploitation require...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00016
Exploits: 0 | References: 2
Snyk
added 2026/05/07 2:34 a.m. | 4 views

Missing Origin Validation in WebSockets

Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via inadequate validation of the Origin header during WebSocket connection upgrades. An attacker can gain unauthorized access to sensitive log data by convincing an authenticated user to visit a...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00006
Exploits: 0 | References: 2
Snyk
added 2026/03/17 3:29 p.m. | 6 views

Missing Origin Validation in WebSockets

Overview next is a react framework. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets in the internal dev endpoint when the Origin header is set to null. An attacker can interact with internal development websocket traffic by connecting from...

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00006
Exploits: 1 | References: 2
RedhatCVE
added 2026/02/27 10:14 a.m. | 4 views

CVE-2026-1692

A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00023
Exploits: 0 | References: 1
OSV
added 2026/02/12 6:30 p.m. | 2 views

GHSA-P773-8MF4-RJM5 @farmfe/core is Missing Origin Validation in WebSocket

npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development hot module reloading server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leake...

CVSS: 6.5 | AI score: 5.6 | EPSS: 0.00007
Exploits: 0 | References: 5
NVD
added 2026/02/12 4:16 p.m. | 2 views

CVE-2025-56647

npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development hot module reloading server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leake...

CVSS: 6.5 | EPSS: 0.00007
Exploits: 0 | References: 3
Snyk
added 2026/01/06 5:53 p.m. | 5 views

Missing Origin Validation in WebSockets

Overview bokeh is an Interactive plots and applications in the browser from Python Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the matchhost function in the server/util.py file. An attacker can gain unauthorized access to sensitive data or modif...

CVSS: 7.4 | AI score: 6.8 | EPSS: 0.00012
Exploits: 1 | References: 2
EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2023-35287

Malicious code in bioql PyPI...

CVSS: 5.3 | AI score: 5.7 | EPSS: 0.00113
Exploits: 0 | References: 1
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2023-1003

Malicious code in bioql PyPI...

CVSS: 9.3 | AI score: 9.1 | EPSS: 0.00178
Exploits: 0 | References: 5
Snyk
added 2025/10/02 9:19 p.m. | 2 views

Missing Origin Validation in WebSockets

Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the operations API response, which includes secret values used for authenticating WebSocket connections. An attacker can execute arbitrary commands with the privileges of another user by...

CVSS: 8.1 | AI score: 7.6 | EPSS: 0.00043
Exploits: 1 | References: 2
Snyk
added 2025/09/26 3:0 p.m. | 1 view

Cross-site Request Forgery (CSRF)

Overview @apollo/sandbox is a This repo hosts the source for Apollo Studio's Embeddable Sandbox Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via missing origin validation in the window.postMessage process. An attacker can execute unauthorized GraphQL queries...

CVSS: 8.2 | AI score: 7 | EPSS: 0.00018
Exploits: 0 | References: 3
Veracode
added 2025/08/21 7:21 a.m. | 4 views

Missing Origin Validation

org.apache.zeppelin, zeppelin-shell is vulnerable to Missing Origin Validation. The vulnerability is due to lack of origin validation in WebSocket connections, which allows an attacker to access the Zeppelin server from another origin and retrieve internal information about paragraphs...

CVSS: 7.5 | AI score: 6.7 | EPSS: 0.00205
Exploits: 0 | References: 4 | Affected Software: 1
Snyk
added 2025/08/12 12:13 a.m. | 1 view

Missing Origin Validation in WebSockets

Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the CheckOrigin function in the api/terminal.go file. An attacker can execute arbitrary commands on the target system by tricking an authenticated user into visiting a malicious web page that...

CVSS: 8.8 | AI score: 7.5 | EPSS: 0.00837
Exploits: 0 | References: 2
OSV
added 2025/08/03 11:15 a.m. | 3 views

CVE-2024-51775

Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended...

CVSS: 5.3 | AI score: 5.8
Exploits: 0 | References: 2
Cvelist
added 2025/08/03 10:13 a.m. | 5 views

CVE-2024-51775 Apache Zeppelin: Command Injection via CSWSH

Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended...

EPSS: 0.00205
Exploits: 0 | References: 1
CVE
added 2025/08/03 10:13 a.m. | 17 views

CVE-2024-51775

CVE-2024-51775 describes a Missing Origin Validation in WebSockets vulnerability affecting Apache Zeppelin (versions 0.11.1 up to, but not including, 0.12.0). The issue allows a client from another origin to connect to Zeppelin’s WebSocket server and access internal information about paragraphs, ...

CVSS: 7.5 | AI score: 6.2 | EPSS: 0.00205
Exploits: 0 | References: 2 | Affected Software: 1
Veracode
added 2025/07/28 7:32 a.m. | 1 view

Missing Origin Validation In WebSockets

Next.js is vulnerable to Missing Origin Validation in WebSockets. The vulnerability is due to limited source code exposure in local development mode when the App Router is enabled, which allows an attacker to trick a user into visiting a malicious webpage while npm run dev is active, potentially...

CVSS: 4.3 | AI score: 6 | EPSS: 0.00101
Exploits: 0 | References: 4 | Affected Software: 1
RedhatCVE
added 2025/05/23 7:41 a.m. | 3 views

CVE-2024-55541

Stored cross-site scripting XSS vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 Linux, Windows before build 39169...

CVSS: 6.1 | AI score: 5.6 | EPSS: 0.00446
Exploits: 0 | References: 1
RedhatCVE
added 2025/05/23 5:38 a.m. | 3 views

CVE-2023-26114

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance...

CVSS: 9.3 | AI score: 6.9 | EPSS: 0.00178
Exploits: 0 | References: 1
Cvelist
added 2025/01/29 6:23 p.m. | 10 views

CVE-2024-48849 Authentication and Authorization Issues

Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON: through = 9.3.4...

CVSS: 9.4 | EPSS: 0.00146
Exploits: 4 | References: 1