Lucene search
K

192 matches found

CVE
CVE
added 2026/03/20 10:46 p.m.10 views

CVE-2026-27649

Summary: CVE-2026-27649 describes a flaw in the WebSocket backend where charging-station session identifiers are not unique, allowing multiple endpoints to reuse the same session ID. This leads to predictable session identifiers and enables session hijacking or shadowing, where a newer connection...

7.3CVSS5.8AI score0.00328EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 9:48 p.m.5 views

Parse Server LiveQuery subscription query depth bypass

Impact Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrade...

8.2CVSS5.8AI score0.00345EPSS
Exploits0References7Affected Software1
CNNVD
CNNVD
added 2026/03/20 12:0 a.m.6 views

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an authorization bypass vulnerability that is due to an authorization bypass vulnerability in the WebSocket connection path. An attacker can exploit the vulnerability to perform administrator-only...

9.9CVSS5.8AI score0.00505EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.4 views

PT-2026-26686

Name of the Vulnerable Software and Affected Versions CTEK Chargeport affected versions not specified Description WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated...

9.8CVSS5.8AI score0.00483EPSS
Exploits0References12
CNNVD
CNNVD
added 2026/03/20 12:0 a.m.9 views

IGL-Technologies eParking.fi 访问控制错误漏洞

IGL-Technologies eParking.fi is an intelligent parking platform provided by IGL-Technologies, offering features for parking management, charging, and parking space monitoring. IGL-Technologies eParking.fi has a security vulnerability related to access control. This vulnerability stems from the la...

9.8CVSS5.7AI score0.00468EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/19 10:6 p.m.9 views

EUVD-2026-13253

OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject...

5.4CVSS5.8AI score0.00268EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/19 12:0 a.m.9 views

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an authentication hardening vulnerability that is due to an authentication hardening vulnerability in the browser-sourced WebSocket client in a loopback deployment. An attacker can exploit the...

7.5CVSS5.8AI score0.00294EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/16 6:46 p.m.4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through the WebSocket session handling in kernel/util/websocket.go. An attacker can connect to the /ws endpoint and receive real-time document metadata and activity events by using the special id=auth WebSocket...

7.5CVSS5.8AI score0.00361EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/13 8:41 p.m.9 views

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression

Description The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforci...

7.5CVSS5.8AI score0.0115EPSS
Exploits0References7Affected Software1
UbuntuCve
UbuntuCve
added 2026/03/12 9:16 p.m.3 views

CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. ...

7.5CVSS7.1AI score0.00874EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/12 8:8 p.m.39 views

CVE-2026-1526 undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit...

7.5CVSS0.0115EPSS
Exploits0References4
CVE
CVE
added 2026/03/11 5:27 p.m.35 views

CVE-2026-31975

Cloud CLI (Claude Code UI) vulnerable to OS command injection via WebSocket, affecting claude-code-ui up to version 1.24.0. The root cause is direct interpolation of WebSocket payload values (projectPath and initialCommand) into a bash command string in server/index.js, with a secondary vector th...

9.8CVSS5.9AI score0.03433EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/11 12:0 a.m.7 views

PT-2026-24693

Security Advisory: Insecure Default JWT Secret + WebSocket Auth Bypass Enables Unauthenticated RCE via Shell Injection Download: cve claudecodeui submission v2.zip  Submission Info | Field | Value | |-------|-------| | Package | @siteboon/claude-code-ui | | Ecosystem | npm | | Affected versions ...

8.7CVSS6.2AI score0.03433EPSS
Exploits1References11
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.3 views

PT-2026-24632

Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId and land directly in the...

9.3CVSS5.9AI score
Exploits0References3
OSV
OSV
added 2026/03/06 9:15 p.m.3 views

CVE-2026-30241 Mercurius: queryDepth limit bypassed for WebSocket subscriptions

Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are...

6.9CVSS5.8AI score0.00362EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/06 6:47 p.m.10 views

Mercurius's queryDepth limit bypassed for WebSocket subscriptions

Description Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation...

8.2CVSS5.9AI score0.00362EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/03/06 3:18 p.m.32 views

CVE-2026-20748 Everon api.everon.io Insufficient Session Expiration

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent...

7.3CVSS0.00252EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/06 3:15 p.m.6 views

CVE-2026-26288

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

9.4CVSS5.8AI score0.00637EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/06 12:31 a.m.7 views

EUVD-2026-9943

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain...

8.7CVSS6AI score0.00601EPSS
Exploits1References4
OSV
OSV
added 2026/03/05 10:16 p.m.5 views

CVE-2026-28458

OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay extension must be installed and enabled /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit...

5.4CVSS5.8AI score
Exploits0References3
Rows per page
Query Builder