5304 matches found
CVE-2026-2457 WebSocket Message Spoofing via Permalink Embed Manipulation
Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint.. Mattermost Advisory ID:...
CVE-2026-2457
CVE-2026-2457 affects Mattermost versions: 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, and 10.11.x
EulerOS 2.0 SP11 : libwebsockets (EulerOS-SA-2026-1585)
According to the versions of the libwebsockets package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Use After Free vulnerability exists in the WebSocket server implementation in lwshandshakeserver in warmcat libwebsockets. In specific...
PT-2026-25809
Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID:...
Parse Server 访问控制错误漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. There were access control vulnerability issues in versions of Parse Server prior to 8.6.40 and 9.6.0-alpha.14. This vulnerability stemmed from the GraphQL...
AnythingLLM 安全漏洞
AnythingLLM is an integrated AI application developed by Mintplex. Versions of AnythingLLM 1.11.1 and earlier contain security vulnerabilities. These vulnerabilities stem from the default installation, where no password or API key is configured. As a result, all HTTP endpoints and proxy WebSocket...
Mattermost 安全漏洞
Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost 11.3.0 and earlier, including 11.3.x, have security vulnerabilities. These vulnerabilities stem from the failure to preserve the edit state of post-reminder messages during...
PT-2026-25760
A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument API KEY WEBSOCKET CV can lead to unprotected storage ...
PT-2026-25701
Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
PT-2026-26170
Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and earlier SiYuan versions 3.5.9 and earlier Description SiYuan, a personal knowledge management system, has a flaw in its WebSocket endpoint '/ws' that permits unauthenticated connections when specific URL parameters ar...
La Nacion App 安全漏洞
La Nacion App is a news and information application developed by La Nacion Corporation. Version 10.2.25 of La Nacion App contains a security vulnerability. This vulnerability stems from improper handling of the parameter APIKEYWEBSOCKETCV in the file...
EulerOS 2.0 SP11 : libwebsockets (EulerOS-SA-2026-1613)
According to the versions of the libwebsockets package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Use After Free vulnerability exists in the WebSocket server implementation in lwshandshakeserver in warmcat libwebsockets. In specific...
Missing Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the WebSocket connection. An attacker can gain unauthorized access to elevated gateway operations by presenting client-declared scopes that are not properly boun...
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Summary A logic flaw in the OpenClaw gateway WebSocket connect path allowed certain device-less shared-token or password-authenticated backend connections to keep client-declared scopes without server-side binding. A shared-authenticated client could present elevated scopes such as operator.admin...
GHSA-RQPP-RJJ8-7WV8 OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Summary A logic flaw in the OpenClaw gateway WebSocket connect path allowed certain device-less shared-token or password-authenticated backend connections to keep client-declared scopes without server-side binding. A shared-authenticated client could present elevated scopes such as operator.admin...
GHSA-VRM6-8VPV-QV8Q Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
Description The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforci...
EUVD-2026-11699
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression...
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
Description The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforci...
EUVD-2026-11704
Undici has Unhandled Exception in WebSocket Client Due to Invalid servermaxwindowbits Validation...
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Impact The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression....