14 matches found
GHSA-HVPH-5985-R63V Prefect Unauthenticated Event Injection via /api/events/in WebSocket
A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be...
EUVD-2026-12415
Mattermost versions 11.3.x = 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579...
CVE-2026-2578
Mattermost versions 11.3.x = 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579...
Authentication Bypass
Signal K Server is vulnerable to Authentication Bypass. The vulnerability is due to unauthenticated exposure of WebSocket server events and access-request status endpoints, which allows an attacker to enumerate request IDs and poll their status to steal plaintext JWT tokens and fully hijack...
EUVD-2025-206136
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling...
EUVD-2018-13775
Malware in sbrugna...
CVE-2018-21260
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy...
CVE-2024-54151 Directus allows unauthenticated access to WebSocket events and operations
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations CRUD, subscriptions...
Directus allows unauthenticated access to WebSocket events and operations
Summary When setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations CRUD, subscriptions with full admin privileges. Details Accountability for unauthenticated WebSocket requests is set to null, which used to be "publi...
GHSA-849R-QRWJ-8RV4 Directus allows unauthenticated access to WebSocket events and operations
Summary When setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations CRUD, subscriptions with full admin privileges. Details Accountability for unauthenticated WebSocket requests is set to null, which used to be "publi...
Mattermost Information Disclosure Vulnerability
Mattermost is an open source collaboration platform from US-based Mattermost. Mattermost suffers from an information disclosure vulnerability that stems from an inability to clean up related websocket events sent to the currently connected client. An attacker exploiting the vulnerability could vi...
PT-2023-18709 · Unknown · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost affected versions not specified Description: The issue arises when archiving a team, as Mattermost fails to sanitize the related Websocket event sent to currently connected clients. This allows the clients to see the name, display...
Code injection
An issue was discovered in Mattermost Server before 4.8.1, 4.7.4, and 4.6.3. WebSocket events were accidentally sent during certain user-management operations, violating user privacy...