Kubetail Dashboard prior to version 0.14.0 fails to validate the Origin header on WebSocket connection upgrades, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks. An authenticated user visiting a malicious web page can be made to stream their Kubernetes container logs, including credentials, tokens, and PII often present in logs, to an attacker-controlled server. The vulnerability affects both desktop deployments at localhost:7500 and cluster deployments behind HTTP basic auth, because the browser's ambient credentials are automatically attached to the WebSocket handshake.
nginx-ui before version 2.3.5 allows Cross-Site WebSocket Hijacking (CSWSH) attacks due to improper WebSocket origin validation and insecurely configured authentication cookies. An attacker can trick a logged-in administrator into visiting a malicious webpage that establishes authenticated WebSocket connections to the target nginx-ui instance, enabling information disclosure and administrative actions without explicit user consent. Version 2.3.5 patches the issue; no public exploit code or active exploitation confirmed at time of analysis.
Cross-Site WebSocket Hijacking in nanobot personal AI assistant (versions before 0.1.5) allows remote websites to establish unauthorized WebSocket connections to the local bridge server (ws://127.0.0.1:3001/), enabling WhatsApp session hijacking, message interception, QR code theft, and unauthorized message transmission. This vulnerability stems from incomplete remediation of CVE-2026-2577, where the added BRIDGE_TOKEN authentication is disabled by default and the server fails to validate the Origin header during WebSocket handshakes. Attack complexity is high (AC:H) but requires no authentication (PR:N), only user interaction (UI:R) such as visiting a malicious website while the bridge is running. No public exploit identified at time of analysis, though the technical details are fully disclosed in GitHub security advisory GHSA-v5j3-4q66-58cf.
CVE-2026-27977 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
PcVue versions 12.0.0 through 16.3.3 lack origin validation on WebSocket connections in the GraphicalData service, enabling cross-site WebSocket hijacking attacks against authenticated users. An attacker can trick a logged-in user into visiting a malicious site to compromise the confidentiality and integrity of their PcVue session. No patch is currently available for this medium-severity vulnerability.
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. [CVSS 7.1 HIGH]
farmfe/core versions up to 1.7.6 contain a vulnerability that allows attackers to surveil developers running Farm who visit their webpage and steal source code th (CVSS 6.5).
Mailpit versions up to 1.28.2 contain a vulnerability that allows attackers to intercept sensitive data such as email contents, headers, and server statistics (CVSS 6.5).
Bokeh versions 3.8.1 and below allow attackers to bypass Origin validation in WebSocket connections by registering domains that suffix-match allowlisted domains (e.g., dashboard.corp.attacker.com for allowlist entry dashboard.corp), enabling unauthorized server interaction. Public exploit code exists for this vulnerability, which could allow attackers to access sensitive data or modify visualizations on behalf of victims. The issue is resolved in Bokeh 3.8.2.
Privilege escalation in the operations API in Canonical LXD <6.5 on multiple platforms allows an attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking.