CVE-2026-59804

Source
https://cve.org/CVERecord?id=CVE-2026-59804
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59804.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59804
Published
2026-07-08T19:42:52.336Z
Modified
2026-07-15T01:48:50.771819538Z
Severity
  • 7.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Midscene Bridge Server - Session Hijack via Unauthenticated WebSocket
Details

Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, which performs no Origin header validation and requires no authentication token. Attackers can connect from any web page visited by the victim to seize the single-client slot, intercept and inject automation commands, exfiltrate command-payload data, or unconditionally terminate the server by supplying the MIDSCENEBRIDGESIGNAL_KILL query parameter.

Database specific
{
    "cwe_ids": [
        "CWE-1385",
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59804.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/web-infra-dev/midscene

Affected ranges

Type
GIT
Repo
https://github.com/web-infra-dev/midscene
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.10.3"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.0.1
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.12.6
v0.12.7
v0.12.8
v0.13.0
v0.13.1
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.16.0
v0.16.1
v0.16.10
v0.16.2
v0.16.3
v0.16.4
v0.16.5
v0.16.6
v0.16.7
v0.16.8
v0.16.9
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.18.0
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.22.1
v0.23.0
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.26.0
v0.26.1
v0.26.2
v0.26.3
v0.26.4
v0.26.5
v0.26.6
v0.27.0
v0.27.1
v0.27.2
v0.27.3
v0.27.4
v0.27.5
v0.27.6
v0.28.0
v0.28.1
v0.28.10
v0.28.11
v0.28.2
v0.28.3
v0.28.4
v0.28.5
v0.28.6
v0.28.7
v0.28.8
v0.28.9
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.29.6
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.30.0
v0.30.1
v0.30.10
v0.30.2
v0.30.3
v0.30.4
v0.30.5
v0.30.6
v0.30.7
v0.30.8
v0.30.9
v0.4.0
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.1
v0.7.2
v0.8.0
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.16
v0.8.17
v0.8.18
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.2
v1.*
v1.0.0
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.2.0
v1.2.1
v1.2.2
v1.3.1
v1.3.10
v1.3.11
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.7.1
v1.7.10
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59804.json"