5292 matches found
RHEL 9 : Satellite 6.18.4 Async Update (Important) (RHSA-2026:5968)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:5968 advisory. Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to...
CVE-2026-30587
A flaw was found in Seafile Server and its Seadoc editor. This Stored Cross-Site Scripting XSS vulnerability allows authenticated remote attackers to inject malicious JavaScript code. The application fails to properly sanitize WebSocket messages during document structure updates. By exploiting...
CVE-2026-33219
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a...
CVE-2026-33219
CVE-2026-33219 affects NATS-Server web sockets handling. A malicious client that connects to the WebSockets port can trigger unbounded memory growth before authentication by sending a大量 amount of data. Affected versions are prior to 2.11.15 and 2.12.6; a fix is available in 2.11.15 and 2.12.6. Th...
CVE-2026-33219
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a...
CVE-2026-27889 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and...
CVE-2026-27889 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and...
CVE-2026-27889
CVE-2026-27889 pertains to the NATS server when WebSockets are enabled. A pre-authentication remote crash can be triggered by a crafted WebSocket frame with a 64-bit extended payload length MSB set, which causes a signed/unsigned handling issue and results in an unrecovered panic, terminating the...
CVE-2026-27889 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and...
Eclipse Che machine-exec Unauthenticated RCE
This module exploits an unauthenticated remote code execution vulnerability in the Eclipse Che machine-exec service CVE-2025-12548. The machine-exec service, exposed on port 3333 within Red Hat OpenShift DevSpaces developer workspace containers, accepts WebSocket connections without authenticatio...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the handling of WebSocket messages for document structure updates in the Seadoc editor. An attacker can execute arbitrary JavaScript code in the context of other users by injecting malicious payloads...
EUVD-2026-15940
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...
Seafile Server has multiple stored XSS vulnerabilities
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...
GHSA-RQJ3-X344-QVXC Seafile Server has multiple stored XSS vulnerabilities
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...
CVE-2026-30587
Multiple Stored XSS vulnerabilities exist in Seafile Server version 13.0.15,13.0.16-pro,12.0.14 and prior and fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc sdoc editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows...
GHSA-W3HV-X4FP-6H6J @grackle-ai/server has Missing WebSocket Origin Header Validation
Impact The WebSocket upgrade handler in the server validates authentication API key token or session cookie but does not check the Origin header. A malicious webpage on a different origin could initiate a WebSocket connection to ws://localhost:3000/ws if it can leverage the user's session cookie...
Origin Validation Error
Overview @grackle-ai/server is a Grackle server orchestrator — spawns and wires core gRPC, web-server HTTP, MCP, and PowerLine Affected versions of this package are vulnerable to Origin Validation Error via the connection handler process. An attacker can gain unauthorized access to real-time...
@grackle-ai/server has Missing WebSocket Origin Header Validation
Impact The WebSocket upgrade handler in the server validates authentication API key token or session cookie but does not check the Origin header. A malicious webpage on a different origin could initiate a WebSocket connection to ws://localhost:3000/ws if it can leverage the user's session cookie...
NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead
Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. When using WebSockets, a malicious client can trigger a server crash with crafted frames, before authentication. Problem Description A missi...
Integer Overflow or Wraparound
Overview github.com/nats-io/nats-server/v2/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the wsRead function. An attacker can cause the server...