5270 matches found

Fedora
added 2026/04/25 1:55 a.m., 3 views

[SECURITY] Fedora 44 Update: qt6-qtwebsockets-6.10.3-1.fc44

The QtWebSockets module implements the WebSocket protocol as specified in RFC 6455. It solely depends on Qt, with no external dependencies...

AI score 5.3
Exploits 0
EUVD
added 2026/04/24 12:31 a.m., 0 views

EUVD-2026-25340

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...

CVSS 5.4 | AI score 5.8 | EPSS 0.00186
Exploits 0 | References 4
Github Security Blog
added 2026/04/24 12:31 a.m., 44 views

Duplicate Advisory: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-rfqg-qgf8-xr9x. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with...

CVSS 5.4 | AI score 5.7 | EPSS 0.00186
Exploits 0 | References 5 | Affected software 1
OSV
added 2026/04/24 12:31 a.m., 5 views

GHSA-WWC3-C577-533M Duplicate Advisory: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-rfqg-qgf8-xr9x. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with...

CVSS 5.4 | AI score 5.7 | EPSS 0.00186
Exploits 0 | References 4
EUVD
added 2026/04/24 12:31 a.m., 3 views

EUVD-2026-25317

OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute...

CVSS 6.3 | AI score 5.8 | EPSS 0.00328
Exploits 0 | References 4
OSV
added 2026/04/24 12:31 a.m., 2 views

GHSA-W9F5-8Q83-QWPX Duplicate Advisory: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-6p8r-6m93-557f. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to...

CVSS 6.3 | AI score 5.7 | EPSS 0.00328
Exploits 0 | References 4
Github Security Blog
added 2026/04/24 12:31 a.m., 4 views

Duplicate Advisory: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-6p8r-6m93-557f. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to...

CVSS 6.3 | AI score 5.7 | EPSS 0.00328
Exploits 0 | References 5 | Affected software 1
Tenable Nessus
added 2026/04/24 12:00 a.m., 3 views

Python Library marimo < 0.23.0 Pre-Auth RCE (CVE-2026-39987)

The detected version of the marimo Python package is prior to 0.23.0. It is, therefore, affected by a remote code execution vulnerability: - The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute...

CVSS 9.8 | AI score 8.2 | EPSS 0.95645
Exploits 11 | References 2
NVD
added 2026/04/23 10:16 p.m., 0 views

CVE-2026-41356

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...

CVSS 5.4 | EPSS 0.00186
Exploits 0 | References 3
NVD
added 2026/04/23 10:16 p.m., 3 views

CVE-2026-41333

OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute...

CVSS 6.3 | EPSS 0.00328
Exploits 0 | References 3
CVE
added 2026/04/23 9:58 p.m., 11 views

CVE-2026-41356

OpenClaw is affected prior to version 2026.3.31 by an issue where active WebSocket sessions are not terminated during device token rotation. The underlying cause is incomplete termination of WebSocket sessions when rotating tokens. This allows attackers who already have credentials to retain unau...

CVSS 5.4 | AI score 5.8 | EPSS 0.00186
Exploits 0 | References 3 | Affected software 1
Vulnrichment
added 2026/04/23 9:58 p.m., 0 views

CVE-2026-41356 OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...

CVSS 5.4 | AI score 5.1 | EPSS 0.00186
Exploits 0 | References 3
Cvelist
added 2026/04/23 9:58 p.m., 25 views

CVE-2026-41356 OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...

CVSS 5.4 | EPSS 0.00186
Exploits 0 | References 3
ATTACKERKB
added 2026/04/23 9:58 p.m., 1 view

CVE-2026-41356

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation...

CVSS 5.4 | AI score 5.8 | EPSS 0.00186
Exploits 0 | References 4
ATTACKERKB
added 2026/04/23 9:57 p.m., 2 views

CVE-2026-41333

OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute...

CVSS 6.3 | AI score 5.8 | EPSS 0.00328
Exploits 0 | References 4
Vulnrichment
added 2026/04/23 9:57 p.m., 1 view

CVE-2026-41333 OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken

OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute...

CVSS 6.3 | AI score 5.2 | EPSS 0.00328
Exploits 0 | References 3
CVE
added 2026/04/23 9:57 p.m., 9 views

CVE-2026-41333

OpenClaw (pre-2026.3.31) contains an authentication rate-limiting bypass vulnerability that lets attackers bypass shared authentication protections using fake device tokens. According to the record, attackers can exploit a mixed WebSocket authentication flow to bypass rate limiting and perform br...

CVSS 6.3 | AI score 5.8 | EPSS 0.00328
Exploits 0 | References 3 | Affected software 1
Snyk
added 2026/04/23 9:15 p.m., 7 views

Deserialization of Untrusted Data

Overview: pipecat-ai is an open source framework for voice and multimodal assistants. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialize function of the LivekitFrameSerializer class, which uses pickle.loads on untrusted data received from...

CVSS 9.8 | AI score 6.2 | EPSS 0.00701
Exploits 1 | References 2
Github Security Blog
added 2026/04/23 9:15 p.m., 3 views

Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer

Remote Code Execution via Unsafe Deserialization in Pipecat's LivekitFrameSerializer. Summary: A critical vulnerability exists in Pipecat's LivekitFrameSerializer, an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integration. The class's deserialize...

CVSS 9.8 | AI score 7.1 | EPSS 0.00701
Exploits 1 | References 4 | Affected software 1
OSV
added 2026/04/23 9:15 p.m., 1 view

GHSA-C2JG-5CP7-6WC7 Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer

Remote Code Execution via Unsafe Deserialization in Pipecat's LivekitFrameSerializer. Summary: A critical vulnerability exists in Pipecat's LivekitFrameSerializer, an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integration. The class's deserialize...

CVSS 9.8 | AI score 7.1 | EPSS 0.00701
Exploits 1 | References 4