⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More

Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One...

Fixed in Apache Tomcat 10.1.55

Moderate: Security constraints not correctly applied CVE-2026-43515 When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the first method constraint was applied. This was fixed with commit c6213173. This issue was reported to the Tomcat securit...

PT-2026-39679

Name of the Vulnerable Software and Affected Versions Dozzle versions prior to 10.5.2 Description The WebSocket upgrader for the '/exec' and '/attach' endpoints accepts upgrade requests from any origin because it uses a custom CheckOrigin function that always returns true. When combined with the...

WWBN AVideo 代码注入漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained a code injection vulnerability. This vulnerability stemmed from incomplete mitigation measures for the autoEvalCodeOnHTML evaluation function in YPTSocket, allowin...

Unity Linux 20.1060e / 20.1070e Security Update: tomcat (UTSA-2026-017430)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017430 advisory. The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The obje...

Linux Distros Unpatched Vulnerability : CVE-2025-51495

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can...

Fixed in Apache Tomcat 9.0.118

Moderate: Security constraints not correctly applied CVE-2026-43515 When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the first method constraint was applied. This was fixed with commit db919ff9. This issue was reported to the Tomcat securit...

CVE-2026-41893

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS. The WebSocke...

CVE-2026-41893 Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS. The WebSocke...

CVE-2026-41893

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS. The WebSocke...

EUVD-2026-28922

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS. The WebSocke...

CVE-2026-41893 Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS. The WebSocke...

CVE-2026-41893

Signal K Server’s WebSocket login path (via ws signalk/v1/stream) processes login attempts without rate limiting, enabling credential brute‑forcing at ~20 attempts/sec per WebSocket connection and bypassing HTTP rate limiting. Affected cve: CVE-2026-41893 concerns pre‑2.25.0 behavior. Technical d...

Signal K Server 安全漏洞

The Signal K Server is an open-source marine central server developed by Signal K. Versions of the Signal K Server prior to 2.25.0 contained a security vulnerability. This vulnerability stemmed from the lack of rate limiting on the WebSocket login path, allowing attackers to bypass the HTTP rate...

CVE-2026-42454

Termix (web-based server management platform) prior to version 2.1.0 is vulnerable. Docker container management endpoints interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec(), without sanitization. An authenticated...

NPM: Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability

NPM: Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability discovered by ? in WordPress Npm cline versions = 2.13.0...

GHSA-5C57-RQJX-35G2 Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability

Summary The kanban npm package used by the cline CLI starts a WebSocket server on 127.0.0.1:3484 with no Origin header validation. Any website a developer visits can silently connect to the kanban server via WebSocket and: 1. Leak sensitive data in real-time: workspace filesystem paths, task...

Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability

Summary The kanban npm package used by the cline CLI starts a WebSocket server on 127.0.0.1:3484 with no Origin header validation. Any website a developer visits can silently connect to the kanban server via WebSocket and: 1. Leak sensitive data in real-time: workspace filesystem paths, task...

SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE

Summary The kernel stores Attribute View AV / database names without any HTML escape, then a render template uses raw strings.ReplaceAlltpl, "$avName", nodeAvName to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths render.ts:120 → outerHTML,...

Improper Authentication

github.com/mattermost/mattermost-server is vulnerable to improper authentication. The vulnerability is due to the failure to enforce multi-factor authentication on WebSocket connections, which allows an unauthenticated attacker to access sensitive information through WebSocket events...