9 matches found
GHSA-MX8G-39Q3-5C79 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Impact When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...
CVE-2026-9595 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Impact: When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...
CVE-2025-41705
An unauthenticated remote attacker MITM can intercept the websocket messages to gain access to the login credentials for the Webfrontend...
CVE-2025-41705 Phoenix Contact: WebSocket Message Interception Leaks Webfrontend Credentials
An unauthenticated remote attacker MITM can intercept the websocket messages to gain access to the login credentials for the Webfrontend...
CVE-2025-41705 Phoenix Contact: WebSocket Message Interception Leaks Webfrontend Credentials
An unauthenticated remote attacker MITM can intercept the websocket messages to gain access to the login credentials for the Webfrontend...
EUVD-2025-7070
Malicious code in bioql PyPI...
Uptime Kuma Authenticated remote code execution via TailscalePing
Summary The runTailscalePing method of the TailscalePing class injects the hostname parameter inside a shell command, leading to a command injection and the possibility to run arbitrary commands on the server. Details When adding a new monitor on Uptime Kuma, we can select the "Tailscale Ping"...
Mattermost 信任管理问题漏洞
Mattermost is an open source collaboration platform from US-based Mattermost. A security vulnerability exists in Mattermost iOS that stems from a failure to properly validate server certificates when initializing a TLS connection, allowing an attacker to intercept WebSockets connections...
Authorization Bypass
socket.io-file is vulnerable to authorization bypass. The validation for valid file types happens on the client-side and allows an attacker to intercept the Websocket request post-validation and alter the name value to upload any file types...