154 matches found

Cvelist
added 2025/08/18 5:41 p.m., 22 views

CVE-2025-55300 Komari Allows Cross-site WebSocket Hijacking

Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, the WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated user...

CVSS 8.6, EPSS 0.00515
Exploits 0, References 2

Github Security Blog
added 2025/08/12 12:13 a.m., 13 views

Komari vulnerable to Cross-site WebSocket Hijacking

Summary: WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users. Details: https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.go#L33-L35 Any third party website can send request...

AI score 7.7
Exploits 0, References 5, Affected Software 1

NVD
added 2025/07/30 3:15 p.m., 12 views

CVE-2025-46811

A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager to run any command as root on any client. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.27-150600.3.33.1; Image...

CVSS 9.8, EPSS 0.10353
Exploits 1, References 1

Vulnrichment
added 2025/07/30 2:20 p.m., 6 views

CVE-2025-46811 SUSE Multi Linux Manager allows code execution via unprotected websocket endpoint

A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager to run any command as root on any client. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.27-150600.3.33.1; Image...

CVSS 9.8, AI score 6.4, EPSS 0.10353
Exploits 1, References 1

Cvelist
added 2025/07/23 2:26 p.m., 10 views

CVE-2025-36116 IBM Db2 Mirror for i cross-site websocket hijacking

IBM Db2 Mirror for i 7.4, 7.5, and 7.6 GUI is affected by a cross-site WebSocket hijacking vulnerability. By sending a specially crafted request, an unauthenticated malicious actor could exploit this vulnerability to sniff an existing WebSocket connection to then remotely perform operations that th...

CVSS 6.3, EPSS 0.00155
Exploits 0, References 1

Cvelist
added 2025/06/24 8:1 p.m., 28 views

CVE-2025-52882 Claude Code IDE extensions allow websocket connections from arbitrary origins

Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages...

CVSS 8.8, EPSS 0.00316
Exploits 0, References 1

Vulnrichment
added 2025/06/24 8:1 p.m., 7 views

CVE-2025-52882 Claude Code IDE extensions allow websocket connections from arbitrary origins

Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages...

CVSS 8.8, AI score 7.5, EPSS 0.00316
Exploits 0, References 1

CNNVD
added 2025/06/24 12:0 a.m., 6 views

Claude Code Security Vulnerability

Claude Code is an open source proxy coding tool from Anthropic. A security vulnerability exists in Claude Code that originates from an unauthorized WebSocket connection and could result in reading arbitrary files or executing code. The following versions are affected: Claude Code for VSCode...

CVSS 8.8, AI score 9.3, EPSS 0.00316
Exploits 0, References 2

OSV
added 2025/06/23 9:22 p.m., 8 views

GHSA-9F65-56V6-GXW7 Claude Code Improper Authorization via websocket connections from arbitrary origins

Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions...

CVSS 8.8, AI score 7.4, EPSS 0.00316
Exploits 0, References 3

OSV
added 2025/06/07 8:15 a.m., 12 views

CVE-2025-5399

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS...

CVSS 7.5, AI score 7, EPSS 0.01226
Exploits 1, References 4

Debian CVE
added 2025/06/07 7:49 a.m., 17 views

CVE-2025-5399

Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS...

CVSS 7.5, AI score 7, EPSS 0.01226
Exploits 1

Hacker One
added 2025/05/30 3:38 a.m., 311 views

curl: CVE-2025-5399: WebSocket endless loop

The function curl_ws_send in libcurl contains an infinite loop that can be triggered by a malicious server under specific circumstances. The loop is caused by a condition in the code that is not properly handled, leading to the function failing to terminate. This vulnerability was discovered in the...

CVSS 7.5, AI score 7.2, EPSS 0.01226
Exploits 1

RedhatCVE
added 2025/05/23 10:25 a.m., 8 views

CVE-2024-21550

SteVe is an open platform that implements different versions of the OCPP protocol for Electric Vehicle charge points, acting as a central server for management of registered charge points. Attackers can inject arbitrary HTML and Javascript code via WebSockets leading to persistent Cross-Site...

CVSS 6.1, AI score 6.5, EPSS 0.00377
Exploits 0, References 1

RedhatCVE
added 2025/05/23 7:30 a.m., 14 views

CVE-2024-48059

gaizhenbiao/chuanhuchatgpt project, version <=20240802 is vulnerable to stored Cross-Site Scripting (XSS) in WebSocket session transmission. An attacker can inject malicious content into a WebSocket message. When a victim accesses this session, the malicious JavaScript is executed in the victim's...

CVSS 6.1, AI score 5.9, EPSS 0.0032
Exploits 1, References 1

RedhatCVE
added 2025/05/22 3:15 p.m., 17 views

CVE-2020-16272

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection...

CVSS 9.1, AI score 7, EPSS 0.02775
Exploits 1

Cvelist
added 2025/04/24 1:58 p.m., 56 views

CVE-2025-43855 tRPC 11 WebSocket DoS Vulnerability

tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to cras...

CVSS 8.7, EPSS 0.00349
Exploits 0, References 2

Vulnrichment
added 2025/04/24 1:58 p.m., 51 views

CVE-2025-43855 tRPC 11 WebSocket DoS Vulnerability

tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to cras...

CVSS 8.7, AI score 7.1, EPSS 0.00349
Exploits 0, References 2

Exploit DB
added 2025/04/11 12:0 a.m., 307 views

ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning

ABB Cylon FLXeon 9.3.4 wsConnect.js WebSocket Command Spawning PoC. Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series) CBX Series (FLX Series, CBT Series, CBV Series) Firmware: <=9.3.4 Advisory ID: ZSL-2025-5913 Advisory URL:...

CVSS 9.4, AI score 7, EPSS 0.00888
Exploits 4

Debian CVE
added 2025/04/03 1:36 p.m., 12 views

CVE-2025-32049

A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS)...

CVSS 7.5, AI score 7.3, EPSS 0.00728
Exploits 0

RedhatCVE
added 2025/03/22 12:41 p.m., 15 views

CVE-2025-0189

In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large...

CVSS 7.5, AI score 6.9, EPSS 0.0059
Exploits 1, References 1