CURL-CVE-2026-11586 WS Auto-PONG memory exhaustion
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages...
CVE-2026-11807
A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive...
EUVD-2026-38598
A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive...
CVE-2026-11807 Eda-server: websocket missing authorization allows credential theft via activation_id spoofing
A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive...
CVE-2026-11807
CVE-2026-11807 affects Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions when processing Worker messages, permitting any authenticated user to forge a message with an arbitrary activation_id and access plaintext credentials tied to tha...
CVE-2026-55517
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response...
CVE-2026-55517
CVE-2026-55517 affects Deno prior to 2.7.5, where a client WebSocket handshake could crash the process if the server returned non-ASCII bytes in Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers. The root cause is parsing those headers as ASCII strings, triggering a panic when non-printa...
CVE-2026-49860 Deno: WebSocket API sandbox bypass via missing post-DNS check
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially...
CVE-2026-49860
Summary of CVE-2026-49860 (Deno): A WebSocket sandbox bypass affects Deno prior to 2.8.1. When a WebSocket connection is opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IPs that the hostname resolved to, allowing an attacker-controlled domain to reso...
ROOT-APP-MAVEN-CVE-2024-23672 CVE-2024-23672 in io.root.org.apache.tomcat.embed:tomcat-embed-websocket - Patched by Root
Root has patched CVE-2024-23672 in the io.root.org.apache.tomcat.embed:tomcat-embed-websocket package for Root:Maven. Multiple fixed versions available...
CVE-2026-48779
A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that...
JLSEC-2026-622 Predictable WebSocket masking key and handshake nonce in HTTP.jl client
Description: The WebSocket client masking key wssendframe! and the Sec-WebSocket-Key handshake nonce wsrandomhandshakekey were generated with rand(UInt8, n), which draws from the task-local Xoshiro256++ PRNG. Xoshiro is not cryptographically secure: its internal state can be recovered from a short r...
JLSEC-2026-620 WebSocket reader data race in auto-PONG/CLOSE-echo handling in HTTP.jl
Description: The WebSocket reader task processed incoming frames by calling wsonincomingdata! without holding ws.sendlock. That function is not a pure parser: its auto-PONG and CLOSE-echo paths push! onto the shared ws.codec.outgoingframes vector, while application send/ping/pong/close paths mutat...
ROOT-APP-NPM-CVE-2026-48779 CVE-2026-48779 in @rootio/ws - Patched by Root
Root has patched CVE-2026-48779 in the @rootio/ws package for Root:npm. Multiple fixed versions available...
PT-2026-51585
Name of the Vulnerable Software and Affected Versions: Event-Driven Ansible (affected versions not specified). Description: A missing authorization issue exists in the websocket API. The '/api/eda/ws/ansible-rulebook' endpoint fails to verify user permissions when processing Worker messages. This allo...
CVE-2026-54236
CVE-2026-54236 affects vLLM versions before 0.23.1rc0. Five code paths bypass the sanitize_message global exception handler, leaking heap addresses via exception messages: (1) Anthropic API router POST /v1/messages and POST /v1/messages/count_tokens (vllm/entrypoints/anthropic/api_router.py), (2)...
CVE-2026-54236
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo...
CVE-2026-54274
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1...
CVE-2026-54274 AIOHTTP: Incomplete websocket frame payloads bypass memory limits
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1...