5292 matches found
CVE-2026-34952
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...
CVE-2026-34824
Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession o...
CVE-2026-34952 PraisonAI: Missing Authentication in WebSocket Gateway
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...
EUVD-2026-18923
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...
CVE-2026-34952
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...
CVE-2026-34952 PraisonAI: Missing Authentication in WebSocket Gateway
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...
CVE-2026-34952
CVE-2026-34952 affects PraisonAI (Gateway) prior to version 4.5.97, where the WebSocket gateway at /ws and the topology endpoint at /info accept unauthenticated connections. This allows any network client to enumerate registered agents and send arbitrary messages to agents and their tool sets, en...
CVE-2026-34824 Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service
Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession o...
CVE-2026-34824
Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession o...
CVE-2026-34824
CVE-2026-34824 targets the Mesop Python-based UI framework. A vulnerability in the WebSocket handler from version 1.2.3 up to, but not including, 1.2.5 allows an unauthenticated attacker to flood the server with rapid WebSocket messages, causing unbounded thread creation. This thread exhaustion l...
EUVD-2026-18909
Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service...
Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service
Summary An uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to threa...
GHSA-3JR7-6HQP-X679 Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service
Summary An uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to threa...
Allocation of Resources Without Limits or Throttling
Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the voice-call process. An attacker can cause excessive resource consumption by sending oversized WebSocket frames before...
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
Summary Incomplete fix for CVE-2026-32062: voice-call still parses large WebSocket frames before start validation Current Maintainer Triage - Normalized severity: medium - Assessment: v2026.3.28 still parses oversized pre-start voice-call WebSocket frames before start validation, and the unreleas...
Insufficient Session Expiration
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Session Expiration due to the device.token.rotate process not terminating active WebSocket sessions after credential rotation. An attacker can maintain unauthorized access to...
GHSA-RFQG-QGF8-XR9X OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
Summary Gateway device.token.rotate does not terminate active WebSocket sessions after credential rotation Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a...
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
Summary Gateway device.token.rotate does not terminate active WebSocket sessions after credential rotation Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: v2026.3.28 rotates device tokens without disconnecting already-authenticated WebSocket sessions, which is a...
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
Summary Fake DeviceToken Bypasses Shared Auth Rate Limiting Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable...
PT-2026-30269
Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession o...