Lucene search
+L

27 matches found

CVE
CVE
added 2 days ago10 views

CVE-2026-55440

The CVE-2026-55440 flaw affects the Microsoft UFO open-source framework prior to version 3.0.7. In ufo/server/ws/handler.py, the COMMAND_RESULTS handler calls get_or_create_session in ufo/server/services/session_manager.py without owner_client_id, allowing an authenticated client to create an uno...

6.5CVSS6.1AI score0.0066EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.20 views

CVE-2026-46416

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in...

6.3CVSS5.5AI score0.00276EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.10 views

CVE-2026-46538

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by sessionid only and does not verify that a TASKEND message came from the device that originally received the task...

5.9CVSS5.5AI score0.00225EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.15 views

CVE-2026-46544

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied sessionid values in WebSocket task messages and reuses an existing in-memory session object if that sessionid already exists. If a prior session...

5.3CVSS5.5AI score0.00422EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/02 10:2 p.m.24 views

CVE-2026-46414

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK...

8.8CVSS5.8AI score0.00502EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/30 2:12 a.m.24 views

CVE-2026-46402

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled taskname value directly when constructing session log paths. An authenticated client can supply path traversal sequences in taskname and cause...

8.1CVSS5.8AI score0.00674EPSS
Exploits0References1
NVD
NVD
added 2026/05/27 11:16 p.m.24 views

CVE-2026-46544

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied sessionid values in WebSocket task messages and reuses an existing in-memory session object if that sessionid already exists. If a prior session...

5.3CVSS0.00422EPSS
Exploits0References1
NVD
NVD
added 2026/05/27 11:16 p.m.17 views

CVE-2026-46402

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled taskname value directly when constructing session log paths. An authenticated client can supply path traversal sequences in taskname and cause...

8.1CVSS0.00674EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/27 9:56 p.m.13 views

CVE-2026-46538 Microsoft UFO accepts cross-device TASK_END messages by session_id only, allowing peer task-result injection

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by sessionid only and does not verify that a TASKEND message came from the device that originally received the task...

5.9CVSS5.8AI score0.00225EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 9:56 p.m.11 views

CVE-2026-46416

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in...

6.3CVSS5.8AI score0.00276EPSS
Exploits0References2
CVE
CVE
added 2026/05/27 9:56 p.m.34 views

CVE-2026-46416

Microsoft UFO (open-source framework for intelligent automation) in version 3.0.1-4-ge2626659 uses a single shared UFOWebSocketHandler instance for multiple authenticated WebSocket connections. The handler caches per-connection protocol objects in mutable fields, and each new connection overwrite...

6.3CVSS5.8AI score0.00276EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/27 9:56 p.m.13 views

EUVD-2026-32676

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in...

6.3CVSS5.8AI score0.00276EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 9:54 p.m.45 views

CVE-2026-46414 Microsoft UFO WebSocket role spoofing allows authenticated peer task hijacking

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK...

8.8CVSS0.00502EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/27 9:54 p.m.8 views

CVE-2026-46414 Microsoft UFO WebSocket role spoofing allows authenticated peer task hijacking

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK...

8.8CVSS5.8AI score0.00502EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 9:54 p.m.43 views

CVE-2026-46402 Microsoft UFO uses untrusted task_name in log paths, allowing authenticated path traversal and log file creation outside the logs directory

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled taskname value directly when constructing session log paths. An authenticated client can supply path traversal sequences in taskname and cause...

8.1CVSS0.00674EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 9:54 p.m.11 views

CVE-2026-46402

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled taskname value directly when constructing session log paths. An authenticated client can supply path traversal sequences in taskname and cause...

8.1CVSS5.8AI score0.00674EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/27 9:54 p.m.15 views

CVE-2026-46402 Microsoft UFO uses untrusted task_name in log paths, allowing authenticated path traversal and log file creation outside the logs directory

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled taskname value directly when constructing session log paths. An authenticated client can supply path traversal sequences in taskname and cause...

8.1CVSS5.8AI score0.00674EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 9:53 p.m.9 views

CVE-2026-46544

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied sessionid values in WebSocket task messages and reuses an existing in-memory session object if that sessionid already exists. If a prior session...

5.3CVSS5.8AI score0.00422EPSS
Exploits0References2
CVE
CVE
added 2026/05/27 9:53 p.m.27 views

CVE-2026-46544

Technical details beyond the provided CVE description are not publicly available in the supplied documents. Monitor for updates from the referenced UFO advisory and CVE entry.

5.3CVSS5.8AI score0.00422EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/27 9:53 p.m.12 views

CVE-2026-46544 Microsoft UFO reuses client-supplied WebSocket session IDs and replays stale task results to new authenticated requesters

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied sessionid values in WebSocket task messages and reuses an existing in-memory session object if that sessionid already exists. If a prior session...

5.3CVSS5.8AI score0.00422EPSS
Exploits0References1
Rows per page
Query Builder