CWE-1385
Missing Origin Validation in WebSockets
The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
CVE-2025-24964 (GCVE-0-2025-24964)
Vulnerability from cvelistv5 – Published: 2025-02-04 19:36 – Updated: 2025-02-12 20:51
VLAI
Title
Remote Code Execution when accessing a malicious website while Vitest API server is listening
Summary
Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
9.7 (Critical)
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/vitest-dev/vitest/security/adv… | x_refsource_CONFIRM |
| https://github.com/vitest-dev/vitest/blob/9a581e1… | x_refsource_MISC |
| https://github.com/vitest-dev/vitest/blob/9a581e1… | x_refsource_MISC |
| https://vitest.dev/config/#api | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| vitest-dev | vitest |
Affected:
<= 0.0.125
Affected: >= 1.0.0, < 1.6.1 Affected: >= 2.0.0, < 2.1.9 Affected: >= 3.0.0, < 3.0.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24964",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:45:47.197801Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:51:28.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vitest",
"vendor": "vitest-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.0.125"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.6.1"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.1.9"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. This vulnerability can result in remote code execution for users that are using Vitest serve API. This issue has been patched in versions 1.6.1, 2.1.9 and 3.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385: Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T19:36:50.509Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-9crc-q9x8-hgqq"
},
{
"name": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46"
},
{
"name": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76"
},
{
"name": "https://vitest.dev/config/#api",
"tags": [
"x_refsource_MISC"
],
"url": "https://vitest.dev/config/#api"
}
],
"source": {
"advisory": "GHSA-9crc-q9x8-hgqq",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution when accessing a malicious website while Vitest API server is listening"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24964",
"datePublished": "2025-02-04T19:36:50.509Z",
"dateReserved": "2025-01-29T15:18:03.209Z",
"dateUpdated": "2025-02-12T20:51:28.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36116 (GCVE-0-2025-36116)
Vulnerability from cvelistv5 – Published: 2025-07-23 14:26 – Updated: 2025-08-18 01:30
VLAI
Title
IBM Db2 Mirror for i cross-site websocket hijacking
Summary
IBM Db2 Mirror for i 7.4, 7.5, and 7.6 GUI is affected by cross-site WebSocket hijacking vulnerability. By sending a specially crafted request, an unauthenticated malicious actor could exploit this vulnerability to sniff an existing WebSocket connection to then remotely perform operations that the user is not allowed to perform.
Severity
6.3 (Medium)
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7240351 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Db2 Mirror for i |
Affected:
7.4, 7.5, 7.6
cpe:2.3:a:ibm:db2_mirror_for_i:7.4:*:*:*:*:*:*:* cpe:2.3:a:ibm:db2_mirror_for_i:7.5:*:*:*:*:*:*:* cpe:2.3:a:ibm:db2_mirror_for_i:7.6:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36116",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T14:57:44.059769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T15:13:52.554Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:db2_mirror_for_i:7.4:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:db2_mirror_for_i:7.5:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:db2_mirror_for_i:7.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Db2 Mirror for i",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "7.4, 7.5, 7.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Db2 Mirror for i 7.4, 7.5, and 7.6 GUI is affected by cross-site WebSocket hijacking vulnerability. By sending a specially crafted request, an unauthenticated malicious actor could exploit this vulnerability to sniff an existing WebSocket connection to then remotely perform operations that the user is not allowed to perform."
}
],
"value": "IBM Db2 Mirror for i 7.4, 7.5, and 7.6 GUI is affected by cross-site WebSocket hijacking vulnerability. By sending a specially crafted request, an unauthenticated malicious actor could exploit this vulnerability to sniff an existing WebSocket connection to then remotely perform operations that the user is not allowed to perform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385 Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T01:30:27.202Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7240351"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The issues can be fixed by applying a PTF to IBM i. IBM Db2 Mirror for i releases 7.6, 7.5, and 7.4 will be fixed. \u003cbr\u003e\u003cbr\u003eThe PTF numbers for 5770-DBM containing the fix for the vulnerabilities are in the following table. \u003cbr\u003e\u003cbr\u003eIBM i Release 5770-DBM PTF Numbers PTF Download Link\u003cbr\u003e7.4 SJ05739 \u0026nbsp; \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/s/fix-information?legacy=SJ05739\"\u003ehttps://www.ibm.com/mysupport/s/fix-information?legacy=SJ05739\u003c/a\u003e\u003cbr\u003e7.5 SJ05742 \u0026nbsp; \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/s/fix-information?legacy=SJ05742\"\u003ehttps://www.ibm.com/mysupport/s/fix-information?legacy=SJ05742\u003c/a\u003e\u003cbr\u003e7.6 SJ05744 \u0026nbsp; \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/mysupport/s/fix-information?legacy=SJ05744\"\u003ehttps://www.ibm.com/mysupport/s/fix-information?legacy=SJ05744\u003c/a\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/fixcentral\"\u003ehttps://www.ibm.com/support/fixcentral\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "The issues can be fixed by applying a PTF to IBM i. IBM Db2 Mirror for i releases 7.6, 7.5, and 7.4 will be fixed. \n\nThe PTF numbers for 5770-DBM containing the fix for the vulnerabilities are in the following table. \n\nIBM i Release 5770-DBM PTF Numbers PTF Download Link\n7.4 SJ05739 \u00a0 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ05739 \n7.5 SJ05742 \u00a0 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ05742 \n7.6 SJ05744 \u00a0 https://www.ibm.com/mysupport/s/fix-information?legacy=SJ05744 \n https://www.ibm.com/support/fixcentral"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Db2 Mirror for i cross-site websocket hijacking",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36116",
"datePublished": "2025-07-23T14:26:06.865Z",
"dateReserved": "2025-04-15T21:16:17.124Z",
"dateUpdated": "2025-08-18T01:30:27.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48068 (GCVE-0-2025-48068)
Vulnerability from cvelistv5 – Published: 2025-05-30 03:37 – Updated: 2025-06-13 14:47
VLAI
Title
Information exposure in Next.js dev server due to lack of origin verification
Summary
Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.
Severity
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/vercel/next.js/security/adviso… | x_refsource_CONFIRM |
| https://vercel.com/changelog/cve-2025-48068 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48068",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T12:43:40.721508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T12:43:46.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "next.js",
"vendor": "vercel",
"versions": [
{
"status": "affected",
"version": "\u003e= 13.0, \u003c 14.2.30"
},
{
"status": "affected",
"version": "\u003e= 15.0.0, \u003c 15.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385: Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T14:47:20.267Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r"
},
{
"name": "https://vercel.com/changelog/cve-2025-48068",
"tags": [
"x_refsource_MISC"
],
"url": "https://vercel.com/changelog/cve-2025-48068"
}
],
"source": {
"advisory": "GHSA-3h52-269p-cp9r",
"discovery": "UNKNOWN"
},
"title": "Information exposure in Next.js dev server due to lack of origin verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48068",
"datePublished": "2025-05-30T03:37:44.849Z",
"dateReserved": "2025-05-15T16:06:40.941Z",
"dateUpdated": "2025-06-13T14:47:20.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52882 (GCVE-0-2025-52882)
Vulnerability from cvelistv5 – Published: 2025-06-24 20:01 – Updated: 2025-06-24 20:43
VLAI
Title
Claude Code IDE extensions allow websocket connections from arbitrary origins
Summary
Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable. In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors. Claude released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when a user launch it and auto-updates the extensions, users should take the following steps, though the exact steps depend on one's integrated development environment (IDE). For VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks, check the extension Claude Code for VSCode. Open the list of Extensions (View->Extensions), look for Claude Code for VSCode among installed extensions, update or uninstall any version prior to 1.0.24, and restart the IDE. For JetBrains IDEs including IntelliJ, PyCharm, and Android Studio, check the plugin Claude Code [Beta]. Open the Plugins list, look for Claude Code [Beta] among installed extensions, update or uninstall any version prior to 0.1.9, and restart the IDE.
Severity
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/anthropics/claude-code/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| anthropics | claude-code |
Affected:
>= 0.2.116 < 1.0.24
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52882",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-24T20:43:30.375886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T20:43:49.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "claude-code",
"vendor": "anthropics",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.2.116 \u003c 1.0.24"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable. In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors. Claude released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when a user launch it and auto-updates the extensions, users should take the following steps, though the exact steps depend on one\u0027s integrated development environment (IDE). For VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks, check the extension Claude Code for VSCode. Open the list of Extensions (View-\u003eExtensions), look for Claude Code for VSCode among installed extensions, update or uninstall any version prior to 1.0.24, and restart the IDE. For JetBrains IDEs including IntelliJ, PyCharm, and Android Studio, check the plugin Claude Code [Beta]. Open the Plugins list, look for Claude Code [Beta] among installed extensions, update or uninstall any version prior to 0.1.9, and restart the IDE."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385: Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T20:01:49.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-9f65-56v6-gxw7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-9f65-56v6-gxw7"
}
],
"source": {
"advisory": "GHSA-9f65-56v6-gxw7",
"discovery": "UNKNOWN"
},
"title": "Claude Code IDE extensions allow websocket connections from arbitrary origins"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52882",
"datePublished": "2025-06-24T20:01:49.595Z",
"dateReserved": "2025-06-20T17:42:25.708Z",
"dateUpdated": "2025-06-24T20:43:49.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54289 (GCVE-0-2025-54289)
Vulnerability from cvelistv5 – Published: 2025-10-02 09:23 – Updated: 2026-02-26 17:48
VLAI
Title
Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API
Summary
Privilege Escalation in operations API in Canonical LXD <6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
Severity
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
1 reference
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-03T03:55:37.907288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:48:23.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LXD",
"repo": "https://github.com/canonical/lxd",
"vendor": "Canonical",
"versions": [
{
"lessThan": "6.5",
"status": "affected",
"version": "6",
"versionType": "semver"
},
{
"lessThan": "5.21.4",
"status": "affected",
"version": "5.21",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "GMO Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege Escalation in operations API in Canonical LXD \u0026lt;6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format"
}
],
"value": "Privilege Escalation in operations API in Canonical LXD \u003c6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format"
}
],
"impacts": [
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593 Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385: Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T13:15:54.374Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://github.com/canonical/lxd/security/advisories/GHSA-3g72-chj4-2228"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Privilege Escalation via WebSocket Connection Hijacking in LXD Operations API"
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2025-54289",
"datePublished": "2025-10-02T09:23:03.238Z",
"dateReserved": "2025-07-18T07:59:07.917Z",
"dateUpdated": "2026-02-26T17:48:23.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61987 (GCVE-0-2025-61987)
Vulnerability from cvelistv5 – Published: 2025-12-12 05:02 – Updated: 2025-12-12 20:22
VLAI
Summary
GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. do not validate origins in WebSockets. If a user accesses a crafted page, Chat information sent to the user may be exposed.
Severity
5.3 (Medium)
CWE
- CWE-1385 - Missing origin validation in WebSockets
Assigner
References
2 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Japan Total System Co.,Ltd. | GroupSession Free edition |
Affected:
prior to ver5.3.0
|
|
| Japan Total System Co.,Ltd. | GroupSession byCloud |
Affected:
prior to ver5.3.3
|
|
| Japan Total System Co.,Ltd. | GroupSession ZION |
Affected:
prior to ver5.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T20:22:00.604879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T20:22:14.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GroupSession Free edition",
"vendor": "Japan Total System Co.,Ltd.",
"versions": [
{
"status": "affected",
"version": "prior to ver5.3.0"
}
]
},
{
"product": "GroupSession byCloud",
"vendor": "Japan Total System Co.,Ltd.",
"versions": [
{
"status": "affected",
"version": "prior to ver5.3.3"
}
]
},
{
"product": "GroupSession ZION",
"vendor": "Japan Total System Co.,Ltd.",
"versions": [
{
"status": "affected",
"version": "prior to ver5.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. do not validate origins in WebSockets. If a user accesses a crafted page, Chat information sent to the user may be exposed."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "Missing origin validation in WebSockets",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T05:02:22.443Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://groupsession.jp/info/info-news/security20251208"
},
{
"url": "https://jvn.jp/en/jp/JVN19940619/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-61987",
"datePublished": "2025-12-12T05:02:22.443Z",
"dateReserved": "2025-11-27T05:42:08.569Z",
"dateUpdated": "2025-12-12T20:22:14.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68930 (GCVE-0-2025-68930)
Vulnerability from cvelistv5 – Published: 2026-02-23 20:44 – Updated: 2026-02-25 15:13
VLAI
Title
Traccar Missing Origin Validation in WebSockets
Summary
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available.
Severity
7.1 (High)
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/traccar/traccar/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68930",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:13:12.789363Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T15:13:30.875Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "traccar",
"vendor": "traccar",
"versions": [
{
"status": "affected",
"version": "\u003c= 6.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user\u0027s credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385: Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T20:44:29.939Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/traccar/traccar/security/advisories/GHSA-69x6-wcx2-vghp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/traccar/traccar/security/advisories/GHSA-69x6-wcx2-vghp"
}
],
"source": {
"advisory": "GHSA-69x6-wcx2-vghp",
"discovery": "UNKNOWN"
},
"title": "Traccar Missing Origin Validation in WebSockets"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68930",
"datePublished": "2026-02-23T20:44:29.939Z",
"dateReserved": "2025-12-24T23:59:23.391Z",
"dateUpdated": "2026-02-25T15:13:30.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1692 (GCVE-0-2026-1692)
Vulnerability from cvelistv5 – Published: 2026-02-26 07:55 – Updated: 2026-03-26 08:21
VLAI
Title
Missing origin validation in GraphicalData web service requests
Summary
A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website.
This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.
Severity
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.pcvue.com/security/#SB2026-2 | vendor-advisory |
Impacted products
Date Public
2026-02-25 23:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1692",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T14:23:10.635765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T14:23:20.892Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"WebVue",
"WebScheduler",
"TouchVue",
"SnapVue",
"Web services"
],
"product": "PcVue",
"vendor": "arcinfo",
"versions": [
{
"lessThanOrEqual": "16.3.3",
"status": "affected",
"version": "16.0.0",
"versionType": "cpe"
},
{
"lessThanOrEqual": "15.2.13",
"status": "affected",
"version": "15.0.0",
"versionType": "cpe"
},
{
"status": "affected",
"version": "12.0.0",
"versionType": "cpe"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*",
"versionEndIncluding": "16.3.3",
"versionStartIncluding": "16.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*",
"versionEndIncluding": "15.2.13",
"versionStartIncluding": "15.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:arcinfo:pcvue:12.0.0:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2026-02-25T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website.\u003cbr\u003e\u003cbr\u003eThis vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.\u003cbr\u003e"
}
],
"value": "A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website.\n\nThis vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No POC available."
}
],
"value": "No POC available."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Not known to be exploited"
}
],
"value": "Not known to be exploited"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CNA",
"version": "2.0.3"
},
"type": "ssvc"
},
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385 Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T08:21:34.229Z",
"orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
"shortName": "arcinfo"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.pcvue.com/security/#SB2026-2"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cb\u003eHarden the configuration\u003c/b\u003e\u003cbr\u003e\u003cu\u003eWho should apply this recommendation:\u003c/u\u003e All users\u003cbr\u003e\n\nTo reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:\n\n\u003cul\u003e\u003cli\u003eMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.\u003c/li\u003e\u003cli\u003eLocate control system networks and remote devices behind firewalls and isolate them from business networks.\u003c/li\u003e\u003cli\u003eWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cb\u003eUninstall the Web Server\u003c/b\u003e \u003cbr\u003e\u003cu\u003eWho should apply this recommendation:\u003c/u\u003e All users \u003cb\u003enot \u003c/b\u003eusing the affected component \u003cbr\u003e\u003cbr\u003eIf your system does not require the use of the Web \u0026amp; Mobile features, you should make sure not to install them. If your system requires the use of the Web \u0026amp; Mobile features, they should be installed only on the Web Server.\u003cbr\u003eSee the product help related to the installation for more information.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cb\u003eUpdate the Web Deployment Console (WDC) and re deploy the Web Server\u003c/b\u003e\u003cbr\u003e\u003cu\u003eWho should apply this recommendation:\u003c/u\u003e \n\nAll users running affected components.\n\n\u003cbr\u003e\u003cbr\u003eInstall a patched release of the Web Deployment Console (WDC) on the IIS Web server and use it to re-deploy the Web Site. Some settings might need to be updated if third-party web apps or services depend on the OAuth ROPC flow.\u003cbr\u003e\u003cbr\u003eIn a patched release of the WDC, new settings are available for each authorized Client to enable or disable:\u003cbr\u003e\u003cul\u003e\u003cli\u003eThe Authorization Code flow\u003c/li\u003e\u003cli\u003eThe Authorization Code flow with PKCE\u003c/li\u003e\u003cli\u003eThe Resource Owner Password Credentials (ROPC) flow\u003c/li\u003e\u003c/ul\u003eBy default, all the OAuth flows are now disabled for third-party web apps and need to be manually enabled before deployment if required.\u003cbr\u003e\u003cbr\u003eTo verify that the patch is applied correctly, you must check that:\u003cbr\u003e\u003cul\u003e\u003cli\u003eThe \u003ci\u003eFile version\u003c/i\u003e property of the file \u003ci\u003e./bin/Modules/WebDeployment/WebDeploymentConsole.exe\u003c/i\u003e matches the deployed release or later, and ensure that any earlier release is no longer used;\u003c/li\u003e\u003cli\u003eWeb Sites have been redeployed;\u003c/li\u003e\u003cli\u003eOAuth flow are correctly set for each authorized Client.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\n\n\u003cb\u003eAvailable patches:\u003c/b\u003e\u003cbr\u003ePatch provided in:\u003cbr\u003e\u003cul\u003e\u003cli\u003ePcVue 16.3.4 (16.3.4902.3112)\u003c/li\u003e\u003cli\u003ePcVue 15.2.14 (15.2.14900.37147)\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "Harden the configuration\nWho should apply this recommendation: All users\n\n\nTo reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.\n * Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\n\n\nUninstall the Web Server \nWho should apply this recommendation: All users not using the affected component \n\nIf your system does not require the use of the Web \u0026 Mobile features, you should make sure not to install them. If your system requires the use of the Web \u0026 Mobile features, they should be installed only on the Web Server.\nSee the product help related to the installation for more information.\n\n\nUpdate the Web Deployment Console (WDC) and re deploy the Web Server\nWho should apply this recommendation: \n\nAll users running affected components.\n\n\n\nInstall a patched release of the Web Deployment Console (WDC) on the IIS Web server and use it to re-deploy the Web Site. Some settings might need to be updated if third-party web apps or services depend on the OAuth ROPC flow.\n\nIn a patched release of the WDC, new settings are available for each authorized Client to enable or disable:\n * The Authorization Code flow\n * The Authorization Code flow with PKCE\n * The Resource Owner Password Credentials (ROPC) flow\n\n\nBy default, all the OAuth flows are now disabled for third-party web apps and need to be manually enabled before deployment if required.\n\nTo verify that the patch is applied correctly, you must check that:\n * The File version property of the file ./bin/Modules/WebDeployment/WebDeploymentConsole.exe matches the deployed release or later, and ensure that any earlier release is no longer used;\n * Web Sites have been redeployed;\n * OAuth flow are correctly set for each authorized Client.\n\n\n\n\n\nAvailable patches:\nPatch provided in:\n * PcVue 16.3.4 (16.3.4902.3112)\n * PcVue 15.2.14 (15.2.14900.37147)"
}
],
"source": {
"advisory": "SB2026-2",
"discovery": "EXTERNAL"
},
"title": "Missing origin validation in GraphicalData web service requests",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
"assignerShortName": "arcinfo",
"cveId": "CVE-2026-1692",
"datePublished": "2026-02-26T07:55:18.433Z",
"dateReserved": "2026-01-30T08:37:33.143Z",
"dateUpdated": "2026-03-26T08:21:34.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21883 (GCVE-0-2026-21883)
Vulnerability from cvelistv5 – Published: 2026-01-08 01:20 – Updated: 2026-01-23 15:09
VLAI
Title
Bokeh server applications have Incomplete Origin Validation in WebSockets
Summary
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.
Severity
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/bokeh/bokeh/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/bokeh/bokeh/commit/cedd113b0e2… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21883",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T16:41:08.716654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T16:41:19.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-01-23T15:09:19.266Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://aydinnyunus.github.io/2026/01/24/bokeh-websocket-hijacking-cve-2026-21883/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "bokeh",
"vendor": "bokeh",
"versions": [
{
"status": "affected",
"version": "\u003c 3.8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385: Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T01:20:53.479Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bokeh/bokeh/security/advisories/GHSA-793v-589g-574v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bokeh/bokeh/security/advisories/GHSA-793v-589g-574v"
},
{
"name": "https://github.com/bokeh/bokeh/commit/cedd113b0e271b439dce768671685cf5f861812e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bokeh/bokeh/commit/cedd113b0e271b439dce768671685cf5f861812e"
}
],
"source": {
"advisory": "GHSA-793v-589g-574v",
"discovery": "UNKNOWN"
},
"title": "Bokeh server applications have Incomplete Origin Validation in WebSockets"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21883",
"datePublished": "2026-01-08T01:20:53.479Z",
"dateReserved": "2026-01-05T17:24:36.928Z",
"dateUpdated": "2026-01-23T15:09:19.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22689 (GCVE-0-2026-22689)
Vulnerability from cvelistv5 – Published: 2026-01-10 05:46 – Updated: 2026-01-12 16:47
VLAI
Title
Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
Summary
Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2.
Severity
6.5 (Medium)
CWE
- CWE-1385 - Missing Origin Validation in WebSockets
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/axllent/mailpit/security/advis… | x_refsource_CONFIRM |
| https://github.com/axllent/mailpit/commit/6f1f4f3… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-12T16:47:26.726768Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T16:47:34.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailpit",
"vendor": "axllent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim\u0027s Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1385",
"description": "CWE-1385: Missing Origin Validation in WebSockets",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T05:46:13.771Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm"
},
{
"name": "https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f"
}
],
"source": {
"advisory": "GHSA-524m-q5m7-79mm",
"discovery": "UNKNOWN"
},
"title": "Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22689",
"datePublished": "2026-01-10T05:46:13.771Z",
"dateReserved": "2026-01-08T19:23:09.854Z",
"dateUpdated": "2026-01-12T16:47:34.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.
Mitigation
Phase: Implementation
Description:
- Use a randomized CSRF token to verify requests.
Mitigation
Phase: Implementation
Description:
- Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function.
Mitigation
Phase: Implementation
Description:
- Leverage rate limiting to prevent against DoS. Use of the leaky bucket algorithm can help with this.
Mitigation
Phase: Implementation
Description:
- Use a library that provides restriction of the payload size. For example, WS library for Node includes 'maxPayloadoption' that can be set.
Mitigation
Phase: Implementation
Description:
- Treat data/input as untrusted in both directions and apply the same data/input sanitization as XSS, SQLi, etc.
No CAPEC attack patterns related to this CWE.