5318 matches found
Authentication Bypass
Signal K Server is vulnerable to Authentication Bypass. The vulnerability is due to unauthenticated exposure of WebSocket server events and access-request status endpoints, which allows an attacker to enumerate request IDs and poll their status to steal plaintext JWT tokens and fully hijack...
CVE-2025-68620
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...
Authentication Bypass Using an Alternate Path or Channel
Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the startServerEvents and queryRequest functions. When allowreadonly is enabled, an unauthenticated...
EUVD-2025-206136
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling...
GHSA-FQ56-HVG6-WVM5 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. Unauthenticated WebSocket Request Enumeration: When ...
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. Unauthenticated WebSocket Request Enumeration: When ...
CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...
CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...
CVE-2025-68620
CVE-2025-68620 concerns Signal K Server (v2.19.0 prior) where two flaws enable JWT token theft without authentication. First, Unauthenticated WebSocket Request Enumeration: connecting to the stream endpoint with serverevents=all exposes cached ACCESS_REQUEST events to readonly/unauthenticated use...
Signal K Server 安全漏洞
Signal K Server is a ship centralized server from Signal K open source. A security vulnerability exists in Signal K Server versions prior to 2.19.0 that stems from unauthenticated WebSocket request enumeration and token polling functionality that can be exploited by links, potentially leading to ...
PT-2026-2637
Name of the Vulnerable Software and Affected Versions libsoup2.4, libsoup3 affected versions not specified Description A flaw exists in libsoup’s WebSocket frame processing when handling incoming messages. When the maximum incoming payload size is not set to a default value, the library may read...
PT-2026-1024
Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.19.0 Description Signal K Server is a server application used on boats. Versions prior to 2.19.0 contain issues that allow attackers to steal JWT authentication tokens without prior authentication. This is...
PT-2026-21766
Name of the Vulnerable Software and Affected Versions NATS-Server versions prior to 2.11.2 NATS-Server versions prior to 2.12.3 Description NATS-Server, a high-performance messaging system, has an issue in its WebSocket implementation. The server handles compressed messages via WebSocket negotiat...
GO-2025-4255 Mattermost fails to check Websocket request for proper UTF-8 format potentially crashing Calls plug-in in github.com/mattermost/mattermost-plugin-calls
Mattermost fails to check Websocket request for proper UTF-8 format potentially crashing Calls plug-in in github.com/mattermost/mattermost-plugin-calls...
curl: WebSocket Logic Error: Control Frame (PING/PONG) Starvation causes Connection Drop (DoS) during large transfers
Summary: I have discovered a logic flaw in lib/ws.c regarding the handling of WebSocket Control Frames PING/PONG. According to RFC 6455, Control Frames should be processed as soon as possible, even in the middle of fragmented data frames, to maintain connection state Keep-Alive. However, libcurl...
Exploit for Command Injection in Fit2Cloud 1Panel
CVE-2025-54424 CVE-2025-54424: 1Panel client vulnerability in...
CVE-2018-25140
FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially...
CVE-2018-25140 FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated Websocket Device Manipulation
FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially...
CVE-2018-25140 FLIR Thermal Traffic Cameras V1.01-0bb5b27 Unauthenticated Websocket Device Manipulation
FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially...
CVE-2018-25140
CVE-2018-25140 concerns FLIR thermal traffic cameras. The connected documents confirm an unauthenticated manipulation vulnerability in the cameras’ WebSocket implementation, enabling attackers to bypass authentication/authorization and directly alter device configurations and access system inform...