
33 matches found

Positive Technologies
added 2026/05/13 12:0 a.m. | 4 views

PT-2026-40798

The locally served web site on the Garmin WDU v1 1.4.6 and v2 5.0 allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An...

AI score 5.8 | EPSS 0.00065
Exploits: 0 | References: 3

OSV
added 2026/05/04 8:52 p.m. | 0 views

GHSA-VMFM-CH9H-5C7G Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)

Summary: The HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS). The WebSocket login path — sending login: username, password messages over an established WebSocket...

CVSS 8.7 | AI score 5.9 | EPSS 0.00036
Exploits: 1 | References: 6

Snyk
added 2026/04/23 9:15 p.m. | 4 views

Deserialization of Untrusted Data

Overview: pipecat-ai is an open source framework for voice and multimodal assistants. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialize function of the LivekitFrameSerializer class, which uses pickle.loads on untrusted data received from...

CVSS 9.8 | AI score 6.2 | EPSS 0.00645
Exploits: 1 | References: 2

Debian CVE
added 2026/04/08 9:21 p.m. | 3 views

CVE-2026-5919

Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Low...

CVSS 6.5 | AI score 8.4 | EPSS 0.00041
Exploits: 0

OSV
added 2026/03/03 9:42 p.m. | 2 views

GHSA-PFV7-RR5M-QMV6 OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint

Summary: When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth. Affected Packages / Versions: Package: openclaw npm; Affected: = 2026.2.17; Latest published npm version at triage time: 2026.2.17. Impact: Thi...

CVSS 5.1 | AI score 6
Exploits: 0 | References: 3

CVE
added 2026/01/28 6:7 p.m. | 6 views

CVE-2026-24772

OpenProject CVE-2026-24772 affects OpenProject 17.0.0 to 17.0.1 where a synchronization server token is decrypted and misused due to the synchronization server not validating the backend URL. The backend generates a 24-hour authentication token, encrypted with a shared secret, which the frontend ...

CVSS 9 | AI score 5.9 | EPSS 0.00035
Exploits: 0 | References: 1 | Affected Software: 1

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2018-18398

Malware in sbrugna...

CVSS 9.3 | AI score 8.8 | EPSS 0.00135
Exploits: 0 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2019-0183

Malware in sbrugna...

CVSS 7.5 | AI score 7.4 | EPSS 0.00177
Exploits: 1 | References: 9

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2018-0484

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.00164
Exploits: 1 | References: 10

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2018-2681

Malware in sbrugna...

CVSS 6.1 | AI score 6.7 | EPSS 0.00449
Exploits: 0 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2015-7129

Malware in sbrugna...

CVSS 5 | AI score 9.4 | EPSS 0.01832
Exploits: 0 | References: 29

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2014-0022

Malware in sbrugna...

CVSS 6.8 | AI score 6 | EPSS 0.02089
Exploits: 0 | References: 16

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2020-17268

Malware in sbrugna...

CVSS 5.3 | AI score 5.6 | EPSS 0.00215
Exploits: 4 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-16939

Malware in sbrugna...

CVSS 7.5 | AI score 8.4 | EPSS 0.01246
Exploits: 0 | References: 10

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2023-46375

Malicious code in bioql PyPI...

CVSS 9 | AI score 9 | EPSS 0.00204
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 5 views

EUVD-2024-2646

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.3 | EPSS 0.01617
Exploits: 2 | References: 8

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2023-27702

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 7.9 | EPSS 0.00142
Exploits: 0 | References: 25

Tenable Nessus
added 2025/03/04 12:0 a.m. | 6 views

Linux Distros Unpatched Vulnerability : CVE-2018-11713

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ prior to version 2.20.0 or without...

CVSS 6.5 | AI score 7 | EPSS 0.00551
Exploits: 0 | References: 3

RedhatCVE
added 2025/02/05 7:40 a.m. | 10 views

CVE-2024-23657

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the getTextAssetContent RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attack...

CVSS 8.8 | AI score 7 | EPSS 0.01617
Exploits: 2 | References: 1

NVD
added 2025/02/04 8:15 p.m. | 9 views

CVE-2025-24964

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote code execution when accessing a malicious website while the Vitest API server is listening, by Cross-site WebSocket hijacking (CSWSH) attacks. When api option is enabled (Vitest UI enables it), Vitest starts a...

CVSS 9.6 | EPSS 0.01938
Exploits: 1 | References: 4