5293 matches found
PT-2026-26696
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...
SiYuan 访问控制错误漏洞
SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan itself. Versions of SiYuan prior to 3.6.2 contained an access control vulnerability. This vulnerability stemmed from the WebSocket server accepting unauthenticated connections, and no type checking was performed...
PT-2026-26697
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain...
PT-2026-26698
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain...
CTEK Chargeportal 安全漏洞
CTEK Chargeportal is an electric vehicle charging management platform developed by the Swedish company CTEK. CTEK Chargeportal has a security vulnerability, which stems from the lack of a limit on the number of authentication requests in the WebSocket application programming interface. This...
PT-2026-26700
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent...
CVE-2026-32815
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint /ws allows unauthenticated connections when specific URL parameters are provided ?app=siyuan&id=auth&type=auth. This bypass, intended for the login page to keep the kernel alive, allows any...
CVE-2026-32025
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-forc...
CVE-2026-32025
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-forc...
CVE-2026-32001
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject...
CVE-2026-32001
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject...
CVE-2026-32025 OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-forc...
EUVD-2026-13298
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-forc...
CVE-2026-32025
OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-forc...
CVE-2026-32001
OpenClaw prior to version 2026.2.22 is affected by an authentication bypass vulnerability during WebSocket handshake. Clients authenticated with a shared gateway token can connect as role=node without device identity verification, enabling attackers to claim the node role and inject unauthorized ...
CVE-2026-32001 OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject...
CVE-2026-32001
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject...
CVE-2026-32001 OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject...
CVE-2026-32815 SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint /ws allows unauthenticated connections when specific URL parameters are provided ?app=siyuan&id=auth&type=auth. This bypass, intended for the login page to keep the kernel alive, allows any...
CVE-2026-32815 SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint /ws allows unauthenticated connections when specific URL parameters are provided ?app=siyuan&id=auth&type=auth. This bypass, intended for the login page to keep the kernel alive, allows any...