OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting

Summary Fake DeviceToken Bypasses Shared Auth Rate Limiting Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable...

PT-2026-30269

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession o...

Mesop 安全漏洞

Mesop is a fast-building Python web application UI framework developed by Mesop OpenSource. Versions of Mesop from 1.2.3 to 1.2.5 contained security vulnerabilities. These vulnerabilities were due to uncontrolled resource consumption issues in the WebSocket implementation. This could allow...

PraisonAI 安全漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.97 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authentication for WebSocket connections and information endpoints on the PraisonAI...

Tornado 安全漏洞

Tornado is a Python web framework and asynchronous networking library from Tornado China. This library can scale to thousands of open connections by using non-blocking network I/O, making it ideal for applications that require long-term polling, WebSocket, and other scenarios where long-term...

GHSA-CFH6-VR3J-QC3G PraisonAI Has Missing Authentication in WebSocket Gateway

Summary The PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. Details gateway/server.py:242 source -...

PraisonAI Has Missing Authentication in WebSocket Gateway

Summary The PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. Details gateway/server.py:242 source -...

Missing Authentication for Critical Function

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

CVE-2026-34716

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the way the server’s middleware processes "Share Tokens." While these tokens are intended to grant temporary, restricted access to a single file, the BasicAuthMiddleware...

GHSA-JGFX-74G2-9R6G goshs has Auth Bypass via Share Token

Summary When using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. Details The BasicAuthMiddleware checks for a ?token= parameter before checking credentials. If the token exists in SharedLinks, the request passes...

goshs has Auth Bypass via Share Token

Summary When using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. Details The BasicAuthMiddleware checks for a ?token= parameter before checking credentials. If the token exists in SharedLinks, the request passes...

EUVD-2026-17646

AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification...

GHSA-W4HP-W536-JG64 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

Summary The AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML '' + heading + '' and inserts it into the DOM via jQuery...

AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

Summary The AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML '' + heading + '' and inserts it into the DOM via jQuery...

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of incoming WebSocket call notifications, where user-supplied data is inserted into the DOM without proper sanitization. A...

CVE-2026-34503

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...

PT-2026-29664

Name of the Vulnerable Software and Affected Versions goshs versions 1.1.0 through 2.0.0-beta.2 Description goshs, a SimpleHTTPServer written in Go, has a flaw where the Share Token mechanism can be bypassed. This bypass allows unauthorized access to all goshs functionalities, including code...

Important: nodejs20

Issue Overview: Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names e.g., Content-Length and content-length. This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted:...

PT-2026-29828

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.87 Description The PraisonAI Gateway server lacks authentication for WebSocket connections at the /ws endpoint and exposes agent topology at the /info endpoint without authentication. This allows any network...