Lucene search
K

301 matches found

CVE
CVE
added 2026/02/25 9:46 p.m.25 views

CVE-2026-27148

CVE-2026-27148 affects Storybook’s dev server frontend tooling. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket handlers used to create/save stories do not validate origin, allowing WebSocket hijacking. An unauthenticated attacker can send messages to the local dev server, an...

9.6CVSS5.7AI score0.00542EPSS
Exploits0References12Affected Software1
OSV
OSV
added 2026/02/25 9:46 p.m.7 views

CVE-2026-27148 Storybook Dev Server Vulnerable to WebSocket Hijacking

Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability...

8.9CVSS5.7AI score0.00542EPSS
Exploits0References11
CNNVD
CNNVD
added 2026/02/25 12:0 a.m.10 views

Storybook 跨站脚本漏洞

Storybook is an open-source development environment for UI components. Versions of Storybook prior to 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contained a cross-site scripting vulnerability. This vulnerability stemmed from the WebSocket feature on the development server not verifying the source of...

9.6CVSS6AI score0.00542EPSS
Exploits0References9
NVD
NVD
added 2026/02/23 9:19 p.m.10 views

CVE-2025-68930

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking CSWSH vulnerability in the /api/socket endpoint. The application fails to validate the Origin header during the WebSocket handshake. This allows a remote attacker to bypass...

7.1CVSS0.00541EPSS
Exploits4References1
Cvelist
Cvelist
added 2026/02/23 8:44 p.m.26 views

CVE-2025-68930 Traccar Missing Origin Validation in WebSockets

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking CSWSH vulnerability in the /api/socket endpoint. The application fails to validate the Origin header during the WebSocket handshake. This allows a remote attacker to bypass...

7.1CVSS0.00541EPSS
Exploits4References1
CVE
CVE
added 2026/02/23 8:44 p.m.18 views

CVE-2025-68930

Traccar open-source GPS tracking system versions up to 6.11.1 are affected by a Cross-Site WebSocket Hijacking (CSWSH) in the /api/socket endpoint. The vulnerability arises from the application not validating the Origin header during the WebSocket handshake, allowing an attacker to bypass Same-Or...

7.1CVSS5.5AI score0.00541EPSS
Exploits4References1Affected Software1
OSV
OSV
added 2026/02/23 8:44 p.m.8 views

CVE-2025-68930 Traccar Missing Origin Validation in WebSockets

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking CSWSH vulnerability in the /api/socket endpoint. The application fails to validate the Origin header during the WebSocket handshake. This allows a remote attacker to bypass...

7.1CVSS5.6AI score0.00541EPSS
Exploits4References3
Positive Technologies
Positive Technologies
added 2026/02/23 12:0 a.m.9 views

PT-2026-21550

Name of the Vulnerable Software and Affected Versions Traccar versions up to and including 6.11.1 Description The Traccar GPS tracking system is susceptible to a Cross-Site WebSocket Hijacking CSWSH issue. The application does not properly validate the Origin header during the WebSocket handshake...

7.1CVSS5.2AI score0.00541EPSS
Exploits4References8
GithubExploit
GithubExploit
added 2026/02/08 8:35 a.m.266 views

Exploit for CVE-2026-25253

CVE-2026-25253 Proof of Concept One-click RCE on OpenClaw via...

8.8CVSS6.1AI score0.08016EPSS
Exploits5
GithubExploit
GithubExploit
added 2026/02/05 7:31 a.m.469 views

Exploit for CVE-2026-25253

OpenClaw Security Monitor Proactive security monitoring, thre...

8.8CVSS6.7AI score0.08016EPSS
Exploits5
Packet Storm
Packet Storm
added 2026/02/02 12:0 a.m.159 views

📄 Mailpit 1.28.1 Cross Site WebSocket Hijacking

A cross site websocket hijacking vulnerability exists in Mailpit versions 1.28.1 and below. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time. Mailpit - Cross-Site WebSocket Hijacking CSWSH Advisory ID:...

6.5CVSS5.1AI score0.00208EPSS
Exploits2
OSV
OSV
added 2026/01/28 6:7 p.m.5 views

CVE-2026-24772 OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a share...

8.9CVSS5.9AI score0.00159EPSS
Exploits0References3
OSV
OSV
added 2026/01/23 2:28 a.m.7 views

GO-2026-4310 Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails in github.com/axllent/mailpit

Mailpit is vulnerable to Cross-Site WebSocket Hijacking CSWSH allowing unauthenticated access to emails in github.com/axllent/mailpit. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

6.5CVSS5.6AI score0.00208EPSS
Exploits2References3
Tenable Nessus
Tenable Nessus
added 2026/01/11 12:0 a.m.4 views

FreeBSD : mail/mailpit -- Cross-Site WebSocket Hijacking (d822839e-ee4f-11f0-b53e-0897988a1c07)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the d822839e-ee4f-11f0-b53e-0897988a1c07 advisory. Mailpit author reports: The Mailpit WebSocket server is configured to accept connections from any origi...

6.5CVSS5.9AI score0.00208EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/01/10 5:46 a.m.27 views

CVE-2026-22689 Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails

Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicio...

6.5CVSS0.00208EPSS
Exploits2References2
CVE
CVE
added 2026/01/10 5:46 a.m.17 views

CVE-2026-22689

Mailpit prior to v1.28.2 is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) because the WebSocket upgrader accepts connections from any origin (CheckOrigin always true). This enables a malicious site to create a WebSocket to ws://localhost:8025 and receive real-time data such as email conten...

6.5CVSS6.3AI score0.00208EPSS
Exploits2References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.4 views

PT-2026-2243

Name of the Vulnerable Software and Affected Versions Mailpit versions prior to 1.28.2 Description Mailpit, an email testing tool and API for developers, contains a Cross-Site WebSocket Hijacking CSWSH issue in its WebSocket server. The server, in versions prior to 1.28.2, does not validate the...

6.5CVSS6.5AI score0.00208EPSS
Exploits2References13
RedhatCVE
RedhatCVE
added 2026/01/09 9:29 a.m.17 views

CVE-2023-29505

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking...

8.8CVSS6.9AI score0.00894EPSS
Exploits0References1
OSV
OSV
added 2026/01/06 5:53 p.m.3 views

GHSA-793V-589G-574V Bokeh server applications have Incomplete Origin Validation in WebSockets

This vulnerability allows for Cross-Site WebSocket Hijacking CSWSH of a deployed Bokeh server instance. Scope This vulnerability is only relevant to deployed Bokeh server instances. There is no impact on static HTML output, standalone embedded plots, or Jupyter notebook usage. This vulnerability...

7.4CVSS5.8AI score0.00159EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/01/06 5:53 p.m.12 views

Bokeh server applications have Incomplete Origin Validation in WebSockets

This vulnerability allows for Cross-Site WebSocket Hijacking CSWSH of a deployed Bokeh server instance. Scope This vulnerability is only relevant to deployed Bokeh server instances. There is no impact on static HTML output, standalone embedded plots, or Jupyter notebook usage. This vulnerability...

7.4CVSS7.1AI score0.00159EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder