Lucene search
K

124 matches found

RedHat Linux
RedHat Linux
added 2026/04/13 2:27 a.m.3 views

undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter

A flaw was found in the undici WebSocket client. A remote malicious server can exploit this vulnerability by sending a WebSocket frame with an invalid servermaxwindowbits parameter within the permessage-deflate extension. This improper validation causes the client's Node.js process to terminate,...

7.5CVSS7.1AI score0.00874EPSS
Exploits0References9
SUSE CVE
SUSE CVE
added 2026/04/11 9:27 a.m.4 views

SUSE CVE-2026-1526

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit...

7.5CVSS7.1AI score0.0115EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2026/04/09 1:4 p.m.3 views

undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression

A flaw was found in undici. A remote attacker can exploit this vulnerability by sending a specially crafted compressed frame, known as a "decompression bomb," during permessage-deflate decompression. The undici WebSocket client does not properly limit the size of decompressed data, leading to...

7.5CVSS7.1AI score0.0115EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.4 views

CVE-2026-32057

OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui...

8.1CVSS5.9AI score0.00335EPSS
Exploits0References1
CNVD
CNVD
added 2026/03/24 12:0 a.m.3 views

OpenClaw Authentication Strengthening Vulnerability

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an authentication hardening vulnerability that is due to an authentication hardening vulnerability in the browser-sourced WebSocket client in a loopback deployment. An attacker can exploit the...

7.5CVSS5.9AI score0.00294EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.8 views

Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vvgp-4c28-m3jm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI...

8.1CVSS5.9AI score0.00335EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/21 3:31 a.m.7 views

GHSA-XH9J-MPC9-2M9P Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vvgp-4c28-m3jm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI...

6CVSS5.9AI score0.00335EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/03/21 12:42 a.m.2 views

CVE-2026-32057

OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui...

6CVSS5.9AI score0.00335EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.5 views

PT-2026-26739

OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui...

6CVSS5.9AI score0.00335EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/13 8:41 p.m.9 views

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression

Description The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforci...

7.5CVSS5.8AI score0.0115EPSS
Exploits0References7Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/03/13 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-2229

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the...

7.5CVSS6.8AI score0.00874EPSS
Exploits0References3
UbuntuCve
UbuntuCve
added 2026/03/12 9:16 p.m.6 views

CVE-2026-1526

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit...

7.5CVSS7.1AI score0.0115EPSS
Exploits0References1
OSV
OSV
added 2026/03/12 9:16 p.m.4 views

UBUNTU-CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. ...

7.5CVSS5.7AI score0.00874EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/03 9:52 p.m.7 views

OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions

Summary A trusted-proxy Control UI pairing bypass accepted client.id=control-ui without device identity checks. The bypass did not require operator role, so an authenticated node role session could connect unpaired and reach node event methods. Impact With trusted-proxy authentication enabled, a...

8.1CVSS6.1AI score0.00335EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.3 views

EUVD-2024-1899

Malicious code in bioql PyPI...

7.5CVSS7AI score0.01357EPSS
Exploits0References9
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2022-2390

Malicious code in bioql PyPI...

5.9CVSS5.9AI score0.0066EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.3 views

EUVD-2018-0496

Malicious code in bioql PyPI...

7.5CVSS8.8AI score0.213EPSS
Exploits0References72
Tenable Nessus
Tenable Nessus
added 2025/08/18 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2020-15133

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the...

8.7CVSS7.3AI score0.00914EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2025/08/07 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2018-8034

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0....

7.5CVSS7.5AI score0.213EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/22 10:59 a.m.9 views

CVE-2017-1000209

The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary valid certificate...

5.9CVSS6.8AI score0.0066EPSS
Exploits0References1
Rows per page
Query Builder