261 matches found
Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
Summary The ydoc:document:join Socket.IO handler checks note ownership only when the document_id starts with "note:". However, the YdocManager storage layer normalizes all document IDs by replacing colons with underscores (document_id.replace(":", "_")). An attacker can join a document room using no...
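The advisory above hinges on two code paths disagreeing about what a document ID is: the ownership check looks at the raw string's prefix, while the storage layer collapses ":" to "_" before resolving the room. The following is an added example, not Open WebUI's code (which is Python); it models the same logic in JavaScript, with the prefix, the sample note and the user names assumed for illustration, and shows the hardened form alongside the vulnerable one:

```javascript
// Added example (not Open WebUI's code): a model of the mismatch between an
// ownership check on the raw document ID and the storage layer's normalised
// key. NOTE_PREFIX, the sample note and the user names are assumptions.

const NOTE_PREFIX = "note:";

// Constructed sample data: one private note owned by "alice".
const noteOwners = new Map([["note:abc123", "alice"]]);

// Storage layer: every colon becomes an underscore, so "note:abc123" and
// "note_abc123" resolve to the same room/document key.
function storageKey(documentId) {
  return documentId.replaceAll(":", "_");
}

// Vulnerable: the ownership check keys off the raw ID prefix, but the room is
// resolved from the normalised key. An ID that does not carry the prefix yet
// normalises onto a note's key skips the check entirely.
function joinVulnerable(documentId, userId) {
  if (documentId.startsWith(NOTE_PREFIX)) {
    const owner = noteOwners.get(documentId);
    if (owner !== undefined && owner !== userId) {
      return { ok: false, reason: "forbidden" };
    }
  }
  return { ok: true, key: storageKey(documentId) };
}

// Hardened: authorise against the same identity the storage layer uses.
// Owners are indexed by normalised key, so any spelling that collapses onto a
// note's key is subject to that note's ownership check.
const noteOwnersByKey = new Map(
  [...noteOwners].map(([id, owner]) => [storageKey(id), owner])
);

function joinHardened(documentId, userId) {
  const key = storageKey(documentId);
  const owner = noteOwnersByKey.get(key);
  if (owner !== undefined && owner !== userId) {
    return { ok: false, reason: "forbidden" };
  }
  return { ok: true, key };
}
```

The general rule the example illustrates: any canonicalisation the storage or routing layer applies (case folding, separator rewriting, path normalisation) must be applied before the authorisation decision, or the two layers will disagree about which object a request names. Equivalently, the storage layer can refuse IDs that are not already in canonical form so that no alias exists to begin with.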
PT-2026-47616
Summary An unauthenticated attacker Alice connects to FUXA's Socket.IO endpoint and emits a device-webapi-request event whose property.address field names an arbitrary URL. FUXA's DEVICE_WEBAPI_REQUEST handler at server/runtime/index.js:296 calls axios.get(address) server-side and broadcasts the fu...
ROOT-APP-NPM-CVE-2024-38355 CVE-2024-38355 in @rootio/socket.io - Patched by Root
Root has patched CVE-2024-38355 in the @rootio/socket.io package for Root:npm. Multiple fixed versions available...
org.webjars.npm:browser-sync-ui (=2.27.11), org.webjars.npm:nestjs__platform-socket.io (=9.0.0-next.2) +3 more potentially affected by CVE-2026-33151 via org.webjars.npm:socket.io-parser (>=2.3.1 <=4.2.5)
org.webjars.npm:socket.io-parser MAVEN version =2.3.1, =0.3.1, =0.5.0 - org.webjars.npm:socket.io-client =4.8.3 Source cves: CVE-2026-33151 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15680279...
ROS-20260216-73-0004
Vulnerability in python-socketio related to a flaw in the deserialization mechanism. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...
CVE-2020-24928
managers/socketManager.ts in PreMiD through 2.1.3 has a locally hosted socketio web server (port 3020) open to all origins, which allows attackers to obtain sensitive Discord user information...
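A local Socket.IO server that accepts every origin lets any web page the user visits connect to it and read whatever it serves. The block below is an added example, not PreMiD's code, contrasting the open configuration with an origin allowlist enforced both through the cors option and through engine.io's allowRequest hook; the allowed origins are assumptions for illustration.

```javascript
// Added example (not PreMiD's code): restrict which browser origins may open a
// Socket.IO connection to a locally hosted server. ALLOWED_ORIGINS is assumed.
const ALLOWED_ORIGINS = new Set(["https://premid.app", "https://www.premid.app"]);

// Normalise an Origin header value and compare the full origin
// (scheme + host + port) with the allowlist. Comparing whole origins defeats
// lookalikes such as https://premid.app.attacker.example or http://premid.app.
function originAllowed(originHeader) {
  if (typeof originHeader !== "string" || originHeader === "null") return false;
  let origin;
  try {
    origin = new URL(originHeader).origin;   // also lower-cases the host
  } catch {
    return false;
  }
  return ALLOWED_ORIGINS.has(origin);
}

// Weak configuration: this is what "open to all origins" looks like.
const weakOptions = { cors: { origin: "*" } };

// Hardened configuration. socket.io hands `cors` to the `cors` package, whose
// `origin` option accepts an (origin, callback) function. Withholding CORS
// headers only stops browsers from reading responses; `allowRequest` is the
// engine.io hook that refuses the handshake itself.
const hardenedOptions = {
  cors: {
    origin: (origin, callback) => callback(null, originAllowed(origin)),
  },
  allowRequest: (req, callback) => {
    const ok = originAllowed(req.headers.origin);
    callback(ok ? null : "origin not allowed", ok);
  },
};

// Either object would be passed as: new Server(httpServer, hardenedOptions)
```

Two points to settle per deployment: requests from non-browser clients carry no Origin header, so the allowRequest decision for a missing origin (rejected above) must match who is expected to connect, and a browser extension presents an origin of its own form (for example chrome-extension://<id>), which must be in the allowlist if the extension is a legitimate caller. An origin check also does not replace authentication of the socket itself; a bearer token checked in allowRequest or in a connection middleware closes the gap for any client that can forge an Origin header.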
EUVD-2025-179866
Malicious code in cassini-socketio-concurrently-forever npm...
Malicious code in socketio-chalk-middleware-public (npm)
Source: amazon-inspector 5456f60ff4b15c35d27afbffb27cbe1a99bfed860e26c0f7ecd263251301e09b. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts (auto.js, ...
EUVD-2025-175861
Malicious code in typeorm-csv-troposphere-socketio npm...
Malicious code in socketio-spawn-pyxis-nestjs (npm)
Source: amazon-inspector 7e9d1cf25a81466709ef959f4e99e76747753682450c3efeb51214af159a4a9a. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts (auto.js, ...
EUVD-2025-175461
Malicious code in yakutsk-blueshift-supervisor-socketio npm...
EUVD-2025-176300
Malicious code in socketio-canopus-palynology-jupiter npm...
EUVD-2025-176296
Malicious code in socketio-polaris-restart-adonis npm...
EUVD-2025-176294
Malicious code in socketio-webdriver-mocha-kinetic-quantum npm...
EUVD-2025-178644
Malicious code in gridsome-slides-pipe-socketio npm...
EUVD-2025-178845
Malicious code in fornax-socketio-ganymede-boson npm...
EUVD-2025-178410
Malicious code in ini-mongodb-got-socketio npm...
EUVD-2025-176297
Malicious code in socketio-elara-europa-dotenv npm...
Malicious code in typeorm-csv-troposphere-socketio (npm)
Source: amazon-inspector 2e73547aa88679589280af7f97832cc643441c415a7b0c69aa00448db76023b7. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts (auto.js, ...
EUVD-2025-176295
Malicious code in socketio-spawn-pyxis-nestjs npm...