Vendor
CVE-2026-55883 is a Cross-site WebSocket Hijacking vulnerability in Tilt versions 0.24.0 through 0.37.3. An attacker who acquires an unauthenticated CSRF token or bypasses Origin header checks can establish a WebSocket connection to a network-exposed Tilt HUD and exfiltrate sensitive developer session state, Tiltfile contents, and resource statuses.