4 matches found
GHSA-GPH2-J4C9-VHHR WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
Summary The YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval sinks fed directly by those relayed fields...
WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
Summary The YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval sinks fed directly by those relayed fields...
PT-2025-48750
Name of the Vulnerable Software and Affected Versions Arcade MCP versions prior to 1.5.4 Description Arcade MCP’s HTTP server uses a hardcoded default worker secret dev that is not validated or overridden during server startup. This allows unauthenticated attackers who know the default key to for...
EUVD-2025-19216
Malicious code in bioql PyPI...