CVE-2026-5625

A weakness has been identified in assafelovic gpt-researcher up to 3.4.3. This issue affects some unknown processing of the file gptresearcher/skills/researcher.py of the component WebSocket Interface. Executing a manipulation of the argument task can lead to cross site scripting. The attack may ...

CVE-2026-5631

A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extractcommanddata of the file backend/server/serverutils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. T...

Strawberry GraphQL 安全漏洞

Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions of Strawberry GraphQL prior to 0.312.3 contained a security vulnerability. This vulnerability stemmed from the WebSocket subscription handler not limiting the number of active subscriptions per...

Strawberry GraphQL 访问控制错误漏洞

Strawberry GraphQL is an open-source Python GraphQL library that utilizes type annotations. Versions of Strawberry GraphQL prior to 0.312.3 contained a security vulnerability related to access control. This vulnerability stemmed from an WebSocket subscription endpoints’ authentication process,...

Vite 访问控制错误漏洞

Vite is a new type of front-end build tool developed by Vite itself. Versions of Vite from 6.0.0 to 6.4.2, before 7.3.2, and before 8.0.5 have a security vulnerability related to access control. This vulnerability stems from the lack of access control in WebSocket paths, which could allow attacke...

Missing Authentication for Critical Function

Overview vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and WebSocket is enable...

Missing Authentication for Critical Function

Overview vite-plus is a The Unified Toolchain for the Web Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and WebSocket is...

Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

Summary server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - WebSocket is no...

GHSA-P9FF-H696-F583 Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

Summary server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - WebSocket is no...

Missing Authentication for Critical Function

Overview org.webjars.npm:vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the fetchModule method exposed through the WebSocket interface when the server is explicitly exposed to the network and...

GHSA-HV3W-M4G2-5X77 strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions

Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An...

strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions

Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection. An...

Allocation of Resources Without Limits or Throttling

Overview strawberry-graphql is an A library for creating GraphQL APIs Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebSocket subscription handling process. An attacker can exhaust server resources by sending a large number of...

strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol

Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before processing start subscription messages. This allows a remote...

Missing Authentication for Critical Function

Overview strawberry-graphql is an A library for creating GraphQL APIs Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the onwsconnect process. An attacker can gain unauthorized access to WebSocket subscription endpoints by connecting with the...

GHSA-VPWC-V33Q-MQ89 strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol

Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connectioninit handshake has been completed before processing start subscription messages. This allows a remote...

CVE-2026-34824

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession o...

CVE-2026-34952

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...

EUVD-2026-19186

A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extractcommanddata of the file backend/server/serverutils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. T...

CVE-2026-5633

A vulnerability was determined in assafelovic gpt-researcher up to 3.4.3. Affected is an unknown function of the component ws Endpoint. Executing a manipulation of the argument sourceurls can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been...