5460 matches found
CVE-2026-35526 Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...
CVE-2026-35526
CVE-2026-35526 concerns the Strawberry GraphQL library. Before version 0.312.3, the WebSocket subscription handlers for both graphql-transport-ws and legacy graphql-ws allocate an asyncio.Task and an associated Operation for every incoming subscribe message without enforcing a limit on active sub...
CVE-2026-5625
A weakness has been identified in assafelovic gpt-researcher up to 3.4.3. This issue affects some unknown processing of the file gptresearcher/skills/researcher.py of the component WebSocket Interface. Executing a manipulation of the argument task can lead to cross site scripting. The attack may ...
CVE-2026-5631
A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extractcommanddata of the file backend/server/serverutils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. T...
Strawberry GraphQL 访问控制错误漏洞
Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions of Strawberry GraphQL prior to 0.312.3 contained a security vulnerability related to access control. This vulnerability stemmed from an WebSocket subscription endpoints’ authentication process,...
Vite 访问控制错误漏洞
Vite is a new type of front-end build tool developed by Vite itself. Versions of Vite from 6.0.0 to 6.4.2, before 7.3.2, and before 8.0.5 have a security vulnerability related to access control. This vulnerability stems from the lack of access control in WebSocket paths, which could allow attacke...
Strawberry GraphQL 安全漏洞
Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions of Strawberry GraphQL prior to 0.312.3 contained a security vulnerability. This vulnerability stemmed from the WebSocket subscription handler not limiting the number of active subscriptions per...
Missing Authentication for Critical Function
Overview vite-plus is a The Unified Toolchain for the Web Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and WebSocket is...
Missing Authentication for Critical Function
Overview vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and WebSocket is enable...
GHSA-P9FF-H696-F583 Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
Summary server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - WebSocket is no...
Missing Authentication for Critical Function
Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and...
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
Summary server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - WebSocket is no...
Allocation of Resources Without Limits or Throttling
Overview strawberry-graphql is an A library for creating GraphQL APIs Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebSocket subscription handling process. An attacker can exhaust server resources by sending a large number of...
GHSA-HV3W-M4G2-5X77 strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An...
strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An...
Missing Authentication for Critical Function
Overview strawberry-graphql is an A library for creating GraphQL APIs Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the onwsconnect process. An attacker can gain unauthorized access to WebSocket subscription endpoints by connecting with the...
strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before processing start subscription messages. This allows a remote...
GHSA-VPWC-V33Q-MQ89 strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol
Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before processing start subscription messages. This allows a remote...
CVE-2026-34824
Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession o...
CVE-2026-34952
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...