2 matches found
@siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection
Security Advisory: Insecure Default JWT Secret + WebSocket Auth Bypass Enables Unauthenticated RCE via Shell Injection Download: cveclaudecodeuisubmissionv2.zip Submission Info | Field | Value | |-------|-------| | Package | @siteboon/claude-code-ui | | Ecosystem | npm | | Affected versions | =...
Insecure Default Value for Authentication Variable
Overview Affected versions of this package are vulnerable to Insecure Default Value for Authentication Variable in the GetJwtSecret function in user.go. In the default configuration, the JWT secret value is predictable based on config values such as app.name. An attacker can bypass authentication...