VYPR

CWE-1385

Missing Origin Validation in WebSockets

Abstraction: Variant; Status: Incomplete

Description

The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (22)

page 1 of 2
  • CVE-2024-48849 (Critical), Jan 29, 2025
    risk 0.64, CVSS 9.4, EPSS 0.01

    Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON: through <= 9.3.4.

  • CVE-2024-23168 (Critical), Aug 15, 2024
    risk 0.64, CVSS 9.8, EPSS 0.00

    Vulnerability in Xiexe XSOverlay before build 647 allows non-local websites to send malicious commands to the WebSocket API, resulting in arbitrary code execution.

  • CVE-2026-44211 (Critical), Jun 1, 2026
    risk 0.62, CVSS 9.6, EPSS 0.00

    Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. In versions 2.13.0 and prior, there is a cross-origin WebSocket hijack vulnerability in Cline Kanban servers. At time of publication, there are no publicly available patches.

  • CVE-2025-52882 (High), Jun 24, 2025
    risk 0.57, CVSS not listed, EPSS 0.00

    Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting…

  • CVE-2026-34403 (High), Apr 20, 2026
    risk 0.46, CVSS 8.1, EPSS 0.00

    Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that…

  • CVE-2026-35589 (High), Apr 14, 2026
    risk 0.45, CVSS 8.0, EPSS 0.00

    nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the…

  • CVE-2023-32264 (Medium), Mar 8, 2024
    risk 0.38, CVSS 5.8, EPSS 0.00

    CWE-1385 vulnerability in OpenText Documentum D2 affecting versions 16.5.1 to CE 23.2. The vulnerability could allow uploading arbitrary code and executing it on the client's computer.

  • CVE-2026-44514 (Medium), May 14, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open…

  • CVE-2025-56647 (Medium), Feb 12, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    npm @farmfe/core before 1.7.6 is missing origin validation for WebSockets. The development (hot module reloading) server does not validate the origin when a WebSocket client connects. This allows attackers to surveil developers running Farm who visit their webpage and steal…

  • CVE-2024-8201 (Medium), May 16, 2025
    risk 0.35, CVSS 5.4, EPSS 0.00

    Cross-Site WebSocket Hijacking vulnerability in Hitachi Ops Center Analyzer (RAID Agent component). This issue affects Hitachi Ops Center Analyzer: from 10.8.0-00 before 11.0.4-00; Hitachi Ops Center Analyzer: from 10.9.0-00 before 11.0.4-00.

  • CVE-2023-2886 (Medium), May 25, 2023
    risk 0.28, CVSS 4.3, EPSS 0.00

    Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing via Application API Manipulation. This issue affects Chatbot: Core before v4.0.3.4 and Panel before v4.0.3.7.

  • CVE-2026-27977, Mar 17, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is…

  • CVE-2026-27148, Feb 25, 2026
    risk 0.00, CVSS not listed, EPSS 0.01

    Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking.…

  • CVE-2026-22689, Jan 10, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An…

  • CVE-2026-21883, Jan 8, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a…

  • CVE-2025-54289, Oct 2, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Privilege escalation in the operations API in Canonical LXD <6.5 on multiple platforms allows an attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format

  • CVE-2024-51775, Aug 3, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. …

  • CVE-2025-48068, May 30, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The…

  • CVE-2025-24964, Feb 4, 2025
    risk 0.00, CVSS not listed, EPSS 0.01

    Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI…

  • CVE-2025-24010, Jan 20, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    Vite is a frontend tooling framework for JavaScript. Vite allowed any website to send any request to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in…