Lucene search
K

8 matches found

OSV
OSV
added 2026/06/26 11:4 p.m.4 views

GHSA-JG62-J5H6-8MPQ Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS

Description The Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: - POST /api/v1/terminal → createTerminal terminal.go:27-67 - POST /api/v1/file → createFM fm.go:28-67 Both call rpc.NezhaHandlerSingleton.CreateStreamstreamId, ... which inserts a...

6.5CVSS6.1AI score0.00289EPSS
Exploits0References3
OSV
OSV
added 2026/06/12 9:4 p.m.6 views

CVE-2026-53522 Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal...

6.5CVSS5.9AI score0.00289EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/05/16 1:10 a.m.88 views

Exploit for Missing Authentication for Critical Function in Coreweave Marimo

CVE-2026-39987 - Marimo Pre-Auth RCE Unauthenticated Remote...

9.8CVSS7.5AI score0.95645EPSS
Exploits11
Snyk
Snyk
added 2026/01/29 3:52 p.m.3 views

Command Injection

Overview ajenti is a Linux & BSD web admin panel. Affected versions of this package are vulnerable to Command Injection via the /api/terminal/create endpoint. An attacker can execute arbitrary system commands by sending a specially crafted payload after authentication, potentially establishing a...

9.8CVSS6AI score0.00653EPSS
Exploits0References2
OSV
OSV
added 2026/01/13 8:35 p.m.6 views

GHSA-VXW4-WV6M-9HHH OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution

Previously reported via email to [email protected] on 2025-11-17 per the security policy in opencode-sdk-js/SECURITY.md. No response received. Summary OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary...

8.8CVSS7.6AI score0.16955EPSS
Exploits7References4
Github Security Blog
Github Security Blog
added 2025/08/12 12:13 a.m.14 views

Komari vulnerable to Cross-site WebSocket Hijacking

Summary WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated users Details https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.goL33-L35 Any third party website can send request...

7.7AI score
Exploits0References5Affected Software1
OSV
OSV
added 2025/08/12 12:13 a.m.9 views

GHSA-Q355-H244-969H Komari vulnerable to Cross-site WebSocket Hijacking

Summary WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking CSWSH attacks against authenticated users Details https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.goL33-L35 Any third party website can send request...

8.6CVSS7.7AI score0.00515EPSS
Exploits0References5
CNNVD
CNNVD
added 2023/11/06 12:0 a.m.5 views

1E Platform Security Vulnerability

1E Platform is a terminal endpoint management and automation solution from 1E. A security vulnerability exists in versions prior to 1E Platform v18.1 that stems from a command that fails to properly validate input parameters, allowing specially crafted inputs to execute arbitrary code with system...

9.9CVSS7.8AI score0.00856EPSS
Exploits0References4
Rows per page
Query Builder