5318 matches found

Github Security Blog | added 2026/02/05 12:38 a.m. | 8 views

FUXA Unauthenticated Remote Arbitrary Device Tag Write

Summary Description An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. Impact This affects all deployments, including those...

CVSS 9.3 | AI score 5.5 | EPSS 0.00479
Exploits 0 | References 5 | Affected software 1
OSV | added 2026/02/05 12:38 a.m. | 5 views

GHSA-GGXW-G3CP-MGF8 FUXA Unauthenticated Remote Arbitrary Device Tag Write

Summary Description An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. Impact This affects all deployments, including those...

CVSS 9.3 | AI score 5.5 | EPSS 0.00479
Exploits 0 | References 5
CNVD | added 2026/02/05 12:00 a.m. | 4 views

OpenClaw has an unspecified vulnerability

OpenClaw is an open-source intelligent artificial assistant by openclaw. A security vulnerability exists in versions prior to OpenClaw 2026.1.29, which originates from automatically establishing a WebSocket connection and sending a token, and can be exploited by an attacker to cause an unauthorized...

CVSS 8.8 | AI score 5.8 | EPSS 0.08016
Exploits 5 | References 1
Positive Technologies | added 2026/02/05 12:00 a.m. | 5 views

PT-2026-6662

Name of the Vulnerable Software and Affected Versions FUXA versions through 1.2.9 Description FUXA is a web-based Process Visualization software. An authorization bypass allows a remote attacker to modify device tags via WebSockets. Exploitation bypasses role-based access controls, enabling...

CVSS 9.3 | AI score 5.4 | EPSS 0.00479
Exploits 0 | References 11
Snyk | added 2026/02/04 8:06 p.m. | 3 views

Missing Authentication for Critical Function

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function via config.apply. An attacker can execute arbitrary commands as the gateway process user by supplying crafted cliPath values through the Gatew...

CVSS 8.6 | AI score 5.9 | EPSS 0.00639
Exploits 0 | References 3
Github Security Blog | added 2026/02/04 8:06 p.m. | 12 views

OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply

Summary An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. Impact A local process on the same machine could execute arbitrary...

CVSS 8.4 | AI score 5.8 | EPSS 0.00639
Exploits 0 | References 3 | Affected software 1
OSV | added 2026/02/04 8:06 p.m. | 2 views

GHSA-G55J-C2V4-PJCG OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply

Summary An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. Impact A local process on the same machine could execute arbitrary...

CVSS 8.4 | AI score 5.9 | EPSS 0.00639
Exploits 0 | References 3
Positive Technologies | added 2026/02/04 12:00 a.m. | 5 views

PT-2026-6419

Summary An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. Impact A local process on the same machine could execute arbitrary...

CVSS 8.4 | AI score 6
Exploits 0 | References 3
Positive Technologies | added 2026/02/04 12:00 a.m. | 7 views

PT-2026-6548

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.1.20 Description An unauthenticated local client could leverage the Gateway WebSocket API to modify configuration settings through the config.apply function. Specifically, the ability to set unsafe cliPath value...

CVSS 8.4 | AI score 5.5 | EPSS 0.00639
Exploits 0 | References 12
Tenable Nessus | added 2026/02/04 12:00 a.m. | 3 views

Siemens SCALANCE and RUGGEDCOM Generation of Predictable Numbers or Identifiers (CVE-2025-10148)

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two...

CVSS 5.3 | AI score 6.8 | EPSS 0.00466
Exploits 0 | References 5
Oracle linux | added 2026/02/04 12:00 a.m. | 10 views

qemu-kvm security update

10.0.0-14.el101.5 - kvm-Revert-i386-cpu-Move-adjustment-of-CPUIDEXTPDCM-be.patch RHEL-135453 - Resolves: RHEL-135453 Live migration after workload update fails with operation failed: guest CPU doesn't match specification: missing features: pdcm rhel-10.1.z 10.0.0-14.el101.4 -...

CVSS 7.5 | AI score 5.4 | EPSS 0.00794
Exploits 0
Tenable Nessus | added 2026/02/04 12:00 a.m. | 7 views

Oracle Linux 10 : qemu-kvm (ELSA-2026-1831)

The remote Oracle Linux 10 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-1831 advisory. - Resolves: RHEL-120118 CVE-2025-11234 qemu-kvm: VNC WebSocket handshake use-after-free rhel-10.1.z Tenable has extracted the preceding description block...

CVSS 7.5 | AI score 7.6 | EPSS 0.00794
Exploits 0 | References 2
Tenable Nessus | added 2026/02/04 12:00 a.m. | 7 views

OpenClaw < 2026.1.29 Multiple Vulnerabilities

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.1.29. It is, therefore, affected by multiple vulnerabilities: - A command injection vulnerability exists in OpenClaw's Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable...

CVSS 8.8 | AI score 6.3 | EPSS 0.08016
Exploits 5 | References 6
RedhatCVE | added 2026/02/03 9:19 p.m. | 4 views

CVE-2026-23515

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

CVSS 9.9 | AI score 5.9 | EPSS 0.04163
Exploits 1 | References 1
OSV | added 2026/02/03 8:37 p.m. | 4 views

GO-2026-4331 Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings

Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings...

CVSS 8.3 | AI score 5.3 | EPSS 0.00251
Exploits 0 | References 4
RedhatCVE | added 2026/02/03 3:11 a.m. | 5 views

CVE-2026-25253

OpenClaw aka clawdbot or Moltbot before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value...

CVSS 8.8 | AI score 5.3 | EPSS 0.08016
Exploits 5 | References 1
Positive Technologies | added 2026/02/03 12:00 a.m. | 2 views

PT-2026-6507

Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks in github.com/pterodactyl/wings...

CVSS 8.3 | AI score 5.5 | EPSS 0.00251
Exploits 0 | References 5
OSV | added 2026/02/03 12:00 a.m. | 4 views

ALSA-2026:1831 Moderate: qemu-kvm security update

Kernel-based Virtual Machine KVM is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fixes: qemu-kvm: VNC WebSocket handshake use-after-free CVE-2025-11234 For more...

CVSS 7.5 | AI score 5.6 | EPSS 0.00794
Exploits 0 | References 4
NVD | added 2026/02/02 11:16 p.m. | 5 views

CVE-2026-23515

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

CVSS 9.9 | EPSS 0.04163
Exploits 1 | References 2
ATTACKERKB | added 2026/02/02 8:43 p.m. | 6 views

CVE-2026-23515

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

CVSS 9.9 | AI score 5.9 | EPSS 0.04163
Exploits 1 | References 3 | Affected software 1