602437 matches found
CVE-2026-61439 PraisonAI before 4.6.78 Prompt Injection Defense Bypass
PraisonAI versions before 4.6.78 contain a prompt injection defense misconfiguration where the block threshold defaults to CRITICAL severity, allowing HIGH-level threats to pass through unblocked. Attackers can submit single-vector prompt injection attacks such as instruction overrides or financi...
CVE-2026-61439 PraisonAI before 4.6.78 Prompt Injection Defense Bypass
PraisonAI versions before 4.6.78 contain a prompt injection defense misconfiguration where the block threshold defaults to CRITICAL severity, allowing HIGH-level threats to pass through unblocked. Attackers can submit single-vector prompt injection attacks such as instruction overrides or financi...
CVE-2026-61428 PraisonAI AgentMail before 4.6.78 Message Injection via Webhook
PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and...
CVE-2026-61428 PraisonAI AgentMail before 4.6.78 Message Injection via Webhook
PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and...
CVE-2026-56763 Hono - Prototype Pollution via __proto__ Key in parseBody with dot Option
Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve...
CVE-2026-56763 Hono - Prototype Pollution via __proto__ Key in parseBody with dot Option
Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve...
tetragon-lab
How it works This poc use copyfail exploit to overwrite page-...
Exploit for Unrestricted Upload of File with Dangerous Type in Balbooa Forms
CVE-2026-56291 — Balbooa Forms Joomla Mass RCE Exploit Pre-Auth...
CVE-2026-10865
The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...
Exploit for CVE-2024-13985
CVE-2024-13985 — Dahua EIMS capturehandle.action Remote Cod...
Exploit for CVE-2026-29114
CVE-2026-29114 — Dahua Exposed Device CA Root Certificate !...
Exploit for CVE-2026-29115
CVE-2026-29115 — Dahua Authenticated Remote Denial of Service...
Exploit for CVE-2026-29116
CVE-2026-29116 — Dahua Unauthenticated Remote Denial of Servic...
CVE-2026-10865 Cost Calculator Builder <= 4.0.11 - Unauthenticated Sensitive Information Exposure of Payment Gateway Secret Keys
The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...
CVE-2026-10865
CVE-2026-10865 affects the Cost Calculator Builder plugin for WordPress. The vulnerability exists in all versions up to 4.0.11 and arises from exposure in the template body, allowing unauthenticated attackers to read plaintext payment gateway secrets (Stripe secret key, Razorpay secret key, and P...
EUVD-2026-43152
The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...
CVE-2026-5743
The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. This is due to insufficient input sanitization and output escaping on the sliderMaxHeight block attribute in the...
CVE-2026-10628
The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
Vite Dev Server - Directory Traversal
Vite is a modern frontend build tool. In Vite prior to versions 6.4.3, 6.3.4, and 5.4.23, a directory traversal vulnerability affects the Vite development server. When the Vite dev server is launched with the --host or server.host option, an unauthenticated attacker can craft a request with a pat...
Vite Dev Server - Information Exposure
Vite is a frontend tooling framework for JavaScript. Before versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network using...