Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-hqwm-7x7x-8379 | DevSpace UI Server WebSocket CheckOrigin does not validate source |
Thu, 21 May 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:a:devspace:devspace:6.3.20:*:*:*:*:*:*:* |
Sun, 17 May 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Devspace
Devspace devspace |
|
| Vendors & Products |
Devspace
Devspace devspace |
Sat, 16 May 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 14 May 2026 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use their browser to establish a cross-origin WebSocket connection to ws://127.0.0.1:8090. This vulnerability is fixed in 6.3.21. | |
| Title | DevSpace UI Server WebSocket CheckOrigin does not validate source | |
| Weaknesses | CWE-200 CWE-306 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-16T00:36:17.542Z
Reserved: 2026-04-26T12:13:55.551Z
Link: CVE-2026-42283
Updated: 2026-05-16T00:36:13.103Z
Status : Analyzed
Published: 2026-05-14T16:16:21.347
Modified: 2026-06-17T10:47:37.850
Link: CVE-2026-42283
No data.
OpenCVE Enrichment
Updated: 2026-05-17T19:30:08Z
Github GHSA