CVE-2023-26114

CRITICAL Year: 2023
CVSS v3 Score
9.3
Critical
Weakness Type
CWE-1385
View all →

Vulnerability Description

Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.

Related Vulnerabilities

CVE-2024-48849

HIGH
CVSS:9.4(Critical)

Missing Origin Validation in WebSockets vulnerability in FLXEON. Session management was not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON: through <= 9.3.4.

CWE-13852024

CVE-2023-0957

CRITICAL
CVSS:9.6(Critical)

An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Git...

CWE-13852023

CVE-2025-24964

CRITICAL
CVSS:9.6(Critical)

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site We...

CWE-13852025

CVE-2014-125071

CRITICAL
CVSS:9.8(Critical)

A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulatio...

CWE-13852014

CVE-2023-2848

HIGH
CVSS:8.8(High)

Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hijacking vulnerability. This was the result of a missing header validation.

CWE-13852023

CVE-2023-49805

HIGH
CVSS:8.8(High)

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. T...

CWE-13852023