CVE-2026-42283
DevSpace UI server WebSocket checks pre-6.3.21 allowed cross-origin connections by default, exposing endpoints via ws://127.0.0.1:8090. A malicious site could trigger a cross-origin WebSocket from the user’s browser to access sensitive endpoints such as /api/logs, /api/enter, and /api/command, en...