Lucene search
K

201 matches found

NVD
NVD
added yesterday6 views

CVE-2026-15495

A vulnerability has been found in SonicCloudOrg sonic-agent up to 2.7.2. The affected element is an unknown function of the file AndroidWSServer.java of the component Android WebSocket Server. The manipulation of the argument path leads to os command injection. The attack can be initiated remotel...

6.5CVSS
Exploits0References6
EUVD
EUVD
added yesterday6 views

EUVD-2026-43217

A vulnerability has been found in SonicCloudOrg sonic-agent up to 2.7.2. The affected element is an unknown function of the file AndroidWSServer.java of the component Android WebSocket Server. The manipulation of the argument path leads to os command injection. The attack can be initiated remotel...

6.5CVSS6.3AI score
Exploits0References6
CVE
CVE
added 6 days ago13 views

CVE-2026-34047

CVE-2026-34047 affects Coolify prior to 4.0.0-beta.471. The flaw is in terminal WebSocket bootstrap routes where authorization middleware was not enforced, allowing an authenticated user to access terminal functionality for resources outside the authorized scope and potentially execute commands. ...

9.9CVSS6AI score0.00373EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/02 2:19 a.m.8 views

EUVD-2026-41228

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS5.8AI score0.00215EPSS
Exploits0References2
OSV
OSV
added 2026/06/30 9:6 a.m.2 views

SUSE-SU-2026:2695-1 Security update for nodejs22

This update for nodejs22 fixes the following issues: - CVE-2026-48618: tls: normalize hostname for server identity checks bsc1268593. - CVE-2026-48933: crypto: guard WebCrypto cipher output length bsc1268592. - CVE-2026-48615: lib,test: redact proxy credentials in tunnel errors bsc1268598. -...

9.8CVSS6.1AI score0.02806EPSS
Exploits3References39
OSV
OSV
added 2026/06/29 12:0 a.m.5 views

MAL-2026-6672 Malicious code in ulid-xyz (npm)

ulid-xyz is a typosquat of the popular ulid library sortable unique IDs and is a cross-platform Remote Access Trojan delivered via a postinstall hook. The package.json postinstall superficially looks like an inline node -e guard that checks for the existence of a dist file, but it actually launch...

5.8AI score
Exploits0References9
OSV
OSV
added 2026/06/26 11:4 p.m.3 views

GHSA-JG62-J5H6-8MPQ Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS

Description The Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: - POST /api/v1/terminal → createTerminal terminal.go:27-67 - POST /api/v1/file → createFM fm.go:28-67 Both call rpc.NezhaHandlerSingleton.CreateStreamstreamId, ... which inserts a...

6.5CVSS6.1AI score0.00289EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/23 5:24 p.m.33 views

CVE-2026-55517 Deno: Denial of service via non-ASCII bytes in WebSocket response headers

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response...

4.3CVSS0.00183EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/06/20 10:33 a.m.85 views

Exploit for Server-Side Request Forgery in Vercel Next.Js

╔═══════════════════════════════════════════════════════════...

8.6CVSS5.9AI score0.38811EPSS
Exploits9
OSV
OSV
added 2026/06/19 2:22 p.m.20 views

GHSA-VXPW-J846-P89Q undici WebSocket client vulnerable to denial of service via fragment count bypass

Impact The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size...

7.5CVSS5.9AI score0.00759EPSS
Exploits0References4
OSV
OSV
added 2026/06/17 6:48 p.m.6 views

GHSA-X2QC-CMH9-F4HF Deno: Denial of service via non-ASCII bytes in WebSocket response headers

Summary A Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCI...

4.3CVSS5.5AI score0.00183EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/12 11:9 p.m.6 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the trusted-proxy Control UI WebSocket process. An attacker can gain unauthorized administrative privileges by connecting as an unpaired or restricted client and...

8.8CVSS5.9AI score0.00289EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 10:16 p.m.12 views

CVE-2026-47124

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users...

6.5CVSS0.0027EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 9:56 p.m.33 views

CVE-2026-53821 OpenClaw < 2026.5.18 - Scope Elevation in trusted-proxy Control UI WebSocket

OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execut...

8.8CVSS0.00289EPSS
Exploits0References2
CVE
CVE
added 2026/06/11 2:47 p.m.28 views

CVE-2026-53777

Perry before 0.5.1159 contains a path traversal vulnerability in the ArtifactReady WebSocket messages. Unsanitized path components in artifact_name (and download_path) allow a malicious build server to write arbitrary content to any location writable by the running process, potentially overwritin...

8.6CVSS5.6AI score0.00379EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/11 2:47 p.m.35 views

CVE-2026-53777 Perry < 0.5.1159 Path Traversal via ArtifactReady WebSocket

Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifactname field of ArtifactReady WebSocket messages. Attackers controlli...

8.6CVSS0.00379EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.22 views

PT-2026-48626

Name of the Vulnerable Software and Affected Versions Spring for GraphQL versions 1.0.0 through 1.0.6 Spring for GraphQL versions 1.3.0 through 1.3.8 Spring for GraphQL versions 1.4.0 through 1.4.5 Spring for GraphQL versions 2.0.0 through 2.0.3 Description Applications using the WebSocket...

8.1CVSS5.6AI score0.00182EPSS
Exploits0References9
Ubuntu
Ubuntu
added 2026/06/10 6:44 a.m.29 views

USN-8417-1: Tomcat vulnerabilities

It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting in a denial of service. CVE-2026-41284 It was discovered that Tomcat incorrectly validated HTTP/2...

9.8CVSS7.7AI score0.01339EPSS
Exploits2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.27 views

PT-2026-48352

Name of the Vulnerable Software and Affected Versions ESF-IDF version 5.2.6 ESF-IDF version 5.3.5 ESF-IDF version 5.4.4 ESF-IDF version 5.5.4 ESF-IDF version 6.0 Description A NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp http server component. During th...

7.5CVSS5.3AI score0.00439EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/06/09 6:1 a.m.43 views

CVE-2026-5067 Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key

A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the...

9.8CVSS0.00643EPSS
Exploits1References1
Rows per page
Query Builder