CVE-2026-54274

A flaw was found in aiohttp, an asynchronous HTTP client/server framework. An attacker can exploit this vulnerability by sending large, incomplete websocket frame payloads. This can bypass normal memory usage limits, potentially leading to a Denial of Service DoS where the affected system becomes...

CVE-2026-54236

CVE-2026-54236 affects vLLM versions before 0.23.1rc0. Five code paths bypass the sanitize_message global exception handler, leaking heap addresses via exception messages: (1) Anthropic API router POST /v1/messages and POST /v1/messages/count_tokens (vllm/entrypoints/anthropic/api_router.py), (2)...

CVE-2026-54236

vLLM is an inference and serving engine for large language models LLMs. Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitizemessage helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo...

CVE-2026-54274

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1...

CVE-2026-54274

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1...

Linux Distros Unpatched Vulnerability : CVE-2026-54274

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads,...

Astra Linux – Vulnerability in libvncserver

It was discovered that the websockets.c file in LibVNCServer prior to version 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, resulting in a heap-based buffer overflow...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the websocket checks. An attacker can exhaust system memory by sending large incomplete frame payloads, potentially leading to service disruption. Remediation Upgrade aiohttp to...

Asymmetric Resource Consumption (Amplification)

Overview ws is a simple to use websocket client, server and console for node.js. Affected versions of this package are vulnerable to Asymmetric Resource Consumption Amplification when handling a large number of very small fragments and data chunks. An attacker can cause excessive memory allocatio...

Asymmetric Resource Consumption (Amplification)

Overview org.webjars.npm:ws is a simple to use websocket client, server and console for node.js. Affected versions of this package are vulnerable to Asymmetric Resource Consumption Amplification when handling a large number of very small fragments and data chunks. An attacker can cause excessive...

CVE-2026-49842 FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, modverto's WebSocket frame loop intercepts a -prefixed speed-test protocol SPU / SPB / SP...

FreeSWITCH 安全漏洞

FreeSWITCH is a free and open-source communication software developed by Anthony Minessale, an individual developer from the United States. This software can be used to create audio, video, and messaging-related products and applications. Prior to FreeSWITCH version 1.11.1, there were security...

PT-2026-47851

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes...

CVE-2026-5740

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users v...

CVE-2026-44545

CVE-2026-44545 affects daphne before 4.2.2. The issue arises because it did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn’s WebSocketServerFactory. Autobahn defaults these values to 0 (unlimited), enabling an unauthenticated remote attacker to send arbitrarily large WebSocket ...

Linux Distros Unpatched Vulnerability : CVE-2026-44545

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0...

PT-2026-44889

XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket receive worker routine of simple http server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of...

CVE-2026-42437

OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing th...

CVE-2026-5740

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users v...

CVE-2026-5740

Mattermost CVE-2026-5740 is an unauthenticated denial-of-service issue affecting Mattermost Server versions 11.6.x up to 11.6.0, 11.5.x up to 11.5.3, 11.4.x up to 11.4.4, and 10.11.x up to 10.11.14. The root cause is improper validation of msgpack-encoded WebSocket frames before memory allocation...