190 matches found

EUVD
added 2026/05/15 7:54 p.m. | 6 views

EUVD-2026-30615

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSIONPOOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin...

CVSS 8.1 | AI score 5.7 | EPSS 0.00033
Exploits: 1 | References: 1

CVE
added 2026/05/15 7:54 p.m. | 6 views

CVE-2026-44553

Open WebUI (self-hosted offline AI) has a Socket.IO session cache vulnerability where admin role changes or user deletions are not propagated to active sessions. Prior to version 0.9.0, a user whose admin role was revoked can retain admin privileges within their existing Socket.IO session as long...

CVSS 8.1 | AI score 5.8 | EPSS 0.00033
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2026/05/15 7:26 p.m. | 24 views

CVE-2026-44564 Open WebUI: Read-Only Users Can Modify Collaborative Documents via Socket.IO

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room (line 678) but does not verify that the sender has write...

CVSS 5.4 | EPSS 0.00042
Exploits: 1 | References: 1

IBM Security Bulletins
added 2026/05/01 12:6 p.m. | 2 views

Security Bulletin: IBM Maximo Application Suite - Manage Component uses socket.io-parser-4.2.4 in inspections app which is vulnerable to CVE-2026-33151

Summary: IBM Maximo Application Suite - Manage Component uses socket.io-parser-4.2.4 in inspections app which is vulnerable to CVE-2026-33151. Vulnerability Details: CVEID: CVE-2026-33151. DESCRIPTION: Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior t...

CVSS 8.7 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/04/28 1:6 p.m. | 8 views

Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Java, JavaScript and IBM WebSphere Application Server Liberty

Summary: There are multiple vulnerabilities in Java, JavaScript and IBM WebSphere Application Server Liberty used by IBM Transformation Advisor. Vulnerability Details: CVEID: CVE-2026-33151. DESCRIPTION: Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prio...

CVSS 9.8 | AI score 7.4 | EPSS 0.0008
Exploits: 2 | Affected Software: 1

SUSE CVE
added 2026/03/25 12:24 a.m. | 2 views

SUSE CVE-2026-33151

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server...

CVSS 8.7 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 3

RedhatCVE
added 2026/03/23 10:53 a.m. | 2 views

CVE-2026-33151

A flaw was found in Socket.IO, an open-source, real-time communication framework. A remote attacker could exploit this vulnerability by sending specially crafted Socket.IO packets that cause the server to buffer a large number of binary attachments. This excessive buffering can lead to the server...

CVSS 8.7 | AI score 5.9 | EPSS 0.00051
Exploits: 0 | References: 7

ATTACKERKB
added 2026/03/20 8:13 p.m. | 2 views

CVE-2026-33151

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server...

CVSS 8.7 | AI score 5.9 | EPSS 0.00051
Exploits: 0 | References: 5 | Affected Software: 1

vulnersOsv
added 2026/03/18 5:26 p.m. | 1 views

0.edsql (>=1.0.49 <=1.0.50), 10secondsofcode-custom (=1.0.0) +1925 more potentially affected by CVE-2026-33151 via socket.io-parser (>=4.0.1-rc1 <=4.2.5)

socket.io-parser NPM version =4.0.1-rc1, =1.0.49, =1.0.0, =0.0.28, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.0.1, =0.8.2, =1.0.0, =0.1.13, =0.0.4, =0.0.9 and more Source cves: CVE-2026-33151 Source advisory: OSV:GHSA-677M-J7P3-52F9...

CVSS 8.7 | AI score 5.8 | EPSS 0.00051
Exploits: 0

Snyk
added 2026/03/17 3:5 p.m. | 1 views

Allocation of Resources Without Limits or Throttling

Overview: socket.io-parser is a socket.io protocol parser. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Decoder class, which accepts an unlimited number of binary attachments. An attacker can exploit this to exhaust server memory...

CVSS 8.7 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 3

vulnersOsv
added 2026/03/17 3:5 p.m. | 3 views

@abcpros/bitcore-build (>=8.25.29 <=8.25.30), @acanto/october-scripts (=3.2.2) +1124 more potentially affected by CVE-2026-33151 via socket.io-parser (>=3.1.1 <=3.3.4)

socket.io-parser NPM version =3.1.1, =8.25.29, =1.0.0, =2018.7.11-0, =0.1.14, =1.0.2, =1.0.0, =1.2.0, =0.2.0-preview.3, =0.2.0, =1.0.10, =3.3.91, =3.3.114 and more Source cves: CVE-2026-33151 Source advisory: SNYK:JS-SOCKETIOPARSER-15680278...

CVSS 8.7 | AI score 5.8 | EPSS 0.00051
Exploits: 0

Snyk
added 2026/03/17 3:5 p.m. | 3 views

Allocation of Resources Without Limits or Throttling

Overview: org.webjars.npm:socket.io-parser is a socket.io protocol parser. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Decoder class, which accepts an unlimited number of binary attachments. An attacker can exploit this to exhaust...

CVSS 8.7 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 3

vulnersOsv
added 2026/03/17 3:5 p.m. | 1 views

0.edsql (>=1.0.49 <=1.0.50), 10secondsofcode-custom (=1.0.0) +1925 more potentially affected by CVE-2026-33151 via socket.io-parser (>=4.0.1-rc1 <=4.2.5)

socket.io-parser NPM version =4.0.1-rc1, =1.0.49, =1.0.0, =0.0.28, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =1.0.1, =0.8.2, =1.0.0, =0.1.13, =0.0.4, =0.0.9 and more Source cves: CVE-2026-33151 Source advisory: SNYK:JS-SOCKETIOPARSER-15680278...

CVSS 8.7 | AI score 5.8 | EPSS 0.00051
Exploits: 0

vulnersOsv
added 2026/03/17 3:5 p.m. | 2 views

@ckeditor/ckeditor-cloud-services-collaboration (>=23.0.0 <=29.0.0), @ckeditor/ckeditor5-real-time-collaboration (>=29.1.0 <=33.0.0) +2 more potentially affected by CVE-2026-33151 via socket.io-parser (=3.4.1)

socket.io-parser NPM version =3.4.1 is affected by a known vulnerability. The following packages have a transitive dependency on socket.io-parser and may be impacted: - @ckeditor/ckeditor-cloud-services-collaboration =23.0.0, =29.1.0, =29.0.0, =1.5.3, =2.1.0 Source cves: CVE-2026-33151 Source...

CVSS 8.7 | AI score 5.8 | EPSS 0.00051
Exploits: 0

EUVD
added 2026/03/10 9:3 p.m. | 2 views

EUVD-2026-10827

Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter...

CVSS 9.3 | AI score 5.8 | EPSS 0.00024
Exploits: 0 | References: 1

OPENSUSE Linux
added 2025/10/09 12:0 a.m. | 3 views

python311-python-socketio-5.14.1-1.1 on GA media (moderate)

python311-python-socketio-5.14.1-1.1 on GA media. Announcement ID: openSUSE-SU-2025:15613-1. Rating: moderate. Cross-References: CVE-2025-61765. CVSS scores: CVE-2025-61765 (SUSE): 6.4 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L. Affected Products: openSUSE Tumbleweed. An update that solves one...

CVSS 6.4 | AI score 6 | EPSS 0.00837
Exploits: 0

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2019-0327

Malware in sbrugna...

CVSS 10 | AI score 9.4 | EPSS 0.002
Exploits: 0 | References: 5

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2018-0312

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.00533
Exploits: 1 | References: 6

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2021-1424

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.00528
Exploits: 1 | References: 9

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2018-0772

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.00385
Exploits: 0 | References: 9