19 matches found
CVE-2026-44211
CVE-2026-44211 describes a cross-origin WebSocket hijacking vulnerability in Cline Kanban Server. Three endpoints exposed without Origin validation (ws://127.0.0.1:3484/api/runtime/ws, /api/terminal/io, /api/terminal/control) allow a malicious site to connect from any origin. Potential impacts do...
CVE-2026-42283
DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the UI server WebSocket. An attacker can gain unauthorized access to sensitive endpoints, such as streaming real-time pod logs, opening an interactive shell inside a running pod, or...
PT-2026-38264
Name of the Vulnerable Software and Affected Versions DevSpace versions prior to 6.3.21 Description The UI server WebSocket accepts connections from all origins by default, exposing several endpoints. A malicious website visited by a developer using a browser can establish a cross-origin WebSocke...
PT-2026-32960
Name of the Vulnerable Software and Affected Versions nanobot versions prior to 0.1.5 Description A Cross-Site WebSocket Hijacking CSWSH issue exists in the bridge's WebSocket server within bridge/src/server.ts. The server does not validate the Origin header during the WebSocket handshake, and...
CVE-2026-32815 SiYuan: Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint /ws allows unauthenticated connections when specific URL parameters are provided ?app=siyuan&id=auth&type=auth. This bypass, intended for the login page to keep the kernel alive, allows any...
GHSA-XP2M-98X8-RPJ6 SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure Summary SiYuan's WebSocket endpoint /ws allows unauthenticated connections when specific URL parameters are provided ?app=siyuan&id=auth&type=auth. This bypass, intended for the login page to keep...
EUVD-2022-33890
Malicious code in bioql PyPI...
CVE-2024-45495
MSA FieldServer Gateway 5.0.0 through 6.5.2 allows cross-origin WebSocket hijacking...
CVE-2022-29555
The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2. allows Cross-Origin Websocket Hijacking...
CVE-2024-45495
MSA FieldServer Gateway 5.0.0 through 6.5.2 allows cross-origin WebSocket hijacking...
CVE-2024-45495
MSA FieldServer Gateway 5.0.0 through 6.5.2 allows cross-origin WebSocket hijacking...
CVE-2024-45495
MSA FieldServer Gateway versions 5.0.0–6.5.2 are affected by a cross-origin WebSocket hijacking vulnerability. The issue affects the WebSocket handling in the Gateway, enabling cross-origin hijacking potentially leading to unauthorized connection control. Affected products are MSA FieldServer Gat...
GHSA-4QCV-QF38-5J3J Unintentional leakage of private information via cross-origin websocket session hijacking
Impact Private messages or posts might be leaked to third parties if victim opens the attackers site while browsing nodebb. Patches Patched in v3.1.3 Backported to v2.x line via v2.8.13 Workarounds Users can cherry-pick...
Unintentional leakage of private information via cross-origin websocket session hijacking
Impact Private messages or posts might be leaked to third parties if victim opens the attackers site while browsing nodebb. Patches Patched in v3.1.3 Backported to v2.x line via v2.8.13 Workarounds Users can cherry-pick...
CVE-2022-29555
The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2. allows Cross-Origin Websocket Hijacking...
Cross site scripting
The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2. allows Cross-Origin Websocket Hijacking...
CVE-2022-29555
The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2. allows Cross-Origin Websocket Hijacking...
Cross-site Request Forgery (CSRF)
github.com/gobuffalo/buffalo is vulnerable to cross-site request forgery CSRF attacks. The library does not disable cross-origin websocket requests, allowing a malicious user to conduct a cross-site request forgery attack...