8.7
CVE-2026-25114 - CloudCharge cloudcharge.se Improper Restriction of Excessive Authentication Attempts
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gaiβ¦
9.3
CVE-2026-20781 - CloudCharge cloudcharge.se Missing Authentication for Critical Function
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, thβ¦
6.9
CVE-2026-20791 - Chargemap chargemap.com Insufficiently Protected Credentials
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
6.9
CVE-2026-25711 - Chargemap chargemap.com Insufficient Session Expiration
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent conβ¦
8.7
CVE-2026-20792 - Chargemap chargemap.com Improper Restriction of Excessive Authentication Attempts
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or misrouting legitimate charger telemetry, or conduct brute-force attacks to gainβ¦
9.3
CVE-2026-25851 - Chargemap chargemap.com Missing Authentication for Critical Function
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, thβ¦
5.3
CVE-2026-3268 - psi-probe PSI Probe Session Attribute RemoveSessAttributeController.java access control
A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected element is an unknown function of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/RemoveSessAttributeController.java of the component Session Attribute Handler. Performing a manipulation results in impβ¦
6.1
CVE-2026-28280 - `osctrl-admin` has Stored Cross-Site Scripting (XSS) in On-Demand Query List
osctrl is an osquery management solution. Prior to version 0.5.0, a stored cross-site scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payβ¦
7.4
CVE-2026-28279 - `osctrl-admin` Vulnerable to OS Command Injection via Environment Configuration
osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These β¦
7.5
CVE-2026-28276 - Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be acceβ¦