Mobiliti 安全漏洞

Mobiliti is an electric vehicle charging station system developed by the Hungarian company Mobiliti. Mobiliti has a security vulnerability, which stems from the lack of a limit on the number of authentication requests made through the WebSocket API. This vulnerability could lead to...

CVE-2026-24912

CVE-2026-24912 affects ePower epower.ie WebSocket backend used for charging stations. The backend associates sessions by station identifiers, but allows multiple endpoints to use the same session identifier, producing predictable session IDs. This enables session hijacking/shadowing where a newer...

CVE-2026-24912

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent...

CVE-2026-24912 ePower epower.ie Insufficient Session Expiration

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent...

CVE-2026-24912 ePower epower.ie Insufficient Session Expiration

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent...

CVE-2026-27778

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain...

CVE-2026-27778 ePower epower.ie Improper Restriction of Excessive Authentication Attempts

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain...

CVE-2026-27778

The CVE-2026-27778 entry concerns the WebSocket API. The root cause is no rate limiting on authentication attempts, allowing potential denial-of-service by disrupting legitimate charger telemetry and enabling brute-force access attempts. The available documents consistently describe the issue but...

CVE-2026-27778 ePower epower.ie Improper Restriction of Excessive Authentication Attempts

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain...

CVE-2026-22552

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

CVE-2026-22552 ePower epower.ie Missing Authentication for Critical Function

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

CVE-2026-22552 ePower epower.ie Missing Authentication for Critical Function

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

CVE-2026-22552

CVE-2026-22552 involves WebSocket endpoints missing authentication in the ePower epower.ie component. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging-station identifier and impersonate a charger, sending/receiving OCPP commands as a legi...

CVE-2026-28472

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...

CVE-2026-28472

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...

CVE-2026-28468

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve...

CVE-2026-28468

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve...

CVE-2026-28458

OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay extension must be installed and enabled /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit...

CVE-2026-28472 OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...

EUVD-2026-9918

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...