Lucene search
K

4 matches found

OSV
OSV
added 2026/04/14 10:50 p.m.35 views

GHSA-GPH2-J4C9-VHHR WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks

Summary The YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval sinks fed directly by those relayed fields...

10CVSS6AI score0.00645EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/14 10:50 p.m.7 views

WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks

Summary The YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval sinks fed directly by those relayed fields...

10CVSS6AI score0.00645EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2025/12/02 12:0 a.m.5 views

PT-2025-48750

Name of the Vulnerable Software and Affected Versions Arcade MCP versions prior to 1.5.4 Description Arcade MCP’s HTTP server uses a hardcoded default worker secret dev that is not validated or overridden during server startup. This allows unauthenticated attackers who know the default key to for...

6.5CVSS7AI score0.00281EPSS
Exploits0References16
EUVD
EUVD
added 2025/10/03 8:7 p.m.9 views

EUVD-2025-19216

Malicious code in bioql PyPI...

8.6CVSS6.3AI score0.0041EPSS
Exploits0References5
Rows per page
Query Builder