Lucene search
K

14 matches found

EUVD
EUVD
added 2026/06/26 11:4 p.m.11 views

EUVD-2026-36601

Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS...

6.5CVSS5.8AI score0.00289EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/22 9:4 p.m.6 views

EUVD-2026-38365

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

5.3CVSS5.9AI score0.00272EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/22 9:4 p.m.21 views

CVE-2026-56255 Capgo - Denial of Service via Unlimited Demo App Creation

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

5.3CVSS0.00272EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 10:16 p.m.21 views

CVE-2026-53522

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal...

6.5CVSS0.00289EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.11 views

PT-2026-49003

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.0.0 through 2.1.x Description The dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: "/api/v1/terminal" which triggers the createTerminal function, and "/api/v1/file" which...

6.5CVSS5.2AI score0.00289EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.9 views

Flowise 安全漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.2 contained a security vulnerability. This vulnerability stemmed from the checkBasicAuth endpoint, which validated credentials in plaintext without rate limits,...

9.1CVSS7.2AI score0.00251EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/10 7:22 p.m.9 views

PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

Summary The /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent...

7.5CVSS5.8AI score0.00372EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/10 7:22 p.m.2 views

GHSA-Q5R4-47M9-5MC7 PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

Summary The /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent...

7.5CVSS5.8AI score0.00372EPSS
Exploits1References4
CVE
CVE
added 2026/04/09 9:20 p.m.20 views

CVE-2026-40116

CVE-2026-40116 affects PraisonAI prior to 4.5.128: the /media-stream WebSocket endpoint accepted unauthenticated connections and bypassed Twilio validation, proxying each connection to OpenAI’s Realtime API using the server key with no concurrency/rate/size limits. This could allow an unauthentic...

7.5CVSS5.9AI score0.00372EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/09 9:20 p.m.3 views

CVE-2026-40116 PraisonAI's Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the...

7.5CVSS5.8AI score0.00372EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/09 9:20 p.m.18 views

CVE-2026-40116 PraisonAI's Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the...

7.5CVSS0.00372EPSS
Exploits1References1
Snyk
Snyk
added 2026/01/19 7:48 p.m.3 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to no visible rate limits or monitoring. An attacker can exhaust system resources by opening a large number of connections and transmitting excessive data through the websockets...

8.3CVSS5.6AI score0.00251EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/09/18 2:42 p.m.10 views

CVE-2025-59421 Press vulnerable to email flooding to users due to lack of validation and rate limits

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS. A bad actor can flood the inbox of a user by repeatedly sending invites duplicate. The issue is fixed in commit 83c3fc7676c5dbbe1fd5092d21d95a10c7b48615...

6.9CVSS0.0041EPSS
Exploits0References2
Hacker One
Hacker One
added 2021/04/14 8:4 p.m.24 views

Reddit: [dubsmash] Username and password bruteforce

Summary: Due to less complexity of password and no rate limiting attacker can bruteforce user name and password and takeover the victim account Login Page- No rate limits Password length is minimum five character with no variations. Plain password are easy to bruteforce Reset Password page- No ra...

0.8AI score
Exploits0
Rows per page
Query Builder