PT-2026-50154
Name of the Vulnerable Software and Affected Versions: Deno versions prior to 2.8.1
Description: When opening a WebSocket connection, the runtime validates the destination hostname against --deny-net rules but fails to re-verify the IP addresses the hostname resolves to. This allows an...
PT-2026-40798
Name of the Vulnerable Software and Affected Versions: Garmin WDU version 1.4.6; Garmin WDU version 5.0
Description: The locally served web site allows authentication to be bypassed because the site only performs authentication within the client's browser. The WebSockets used for communication with...
GHSA-VMFM-CH9H-5C7G Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
Summary: The HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS). The WebSocket login path — sending login: username, password messages over an established WebSocket...
Deserialization of Untrusted Data
Overview: pipecat-ai is an open source framework for voice and multimodal assistants. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialize function of the LivekitFrameSerializer class, which uses pickle.loads on untrusted data received from...
CVE-2026-5919
Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Low...
GHSA-PFV7-RR5M-QMV6 OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint
Summary: When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth.
Affected Packages / Versions:
- Package: openclaw (npm)
- Affected: = 2026.2.17
- Latest published npm version at triage time: 2026.2.17
Impact: Thi...
CVE-2026-24772
OpenProject 17.0 introduced a synchronization server that exchanges an encrypted authentication token with the backend. The backend generates a 24-hour token, encrypted with a shared secret, which the frontend passes to the synchronization server. The synchronization server fails to validate the ...
EUVD-2018-16939
Malware in sbrugna...
EUVD-2014-0022
Malware in sbrugna...
EUVD-2018-0484
Malware in sbrugna...
EUVD-2018-2681
Malware in sbrugna...
EUVD-2020-17268
Malware in sbrugna...
EUVD-2019-0183
Malware in sbrugna...
EUVD-2018-18398
Malware in sbrugna...
EUVD-2015-7129
Malware in sbrugna...
EUVD-2023-46375
Malicious code in bioql PyPI...
EUVD-2024-2646
Malicious code in bioql PyPI...
EUVD-2023-27702
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2018-11713
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ prior to version 2.20.0 or without...
CVE-2024-23657
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the getTextAssetContent RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attack...