PT-2026-49342

Summary The "Shareable Playground" or "Public Flows" in code contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used. By making a flow public, public execution of the flow is allowed. The execution request can contain a list of files that gets read b...

@activepieces/piece-vapi (>=0.0.1 <=0.0.2), @keyman500/voice-ai-sdk (>=0.1.0 <=1.1.0) +2 more potentially affected by unknown CVE via @vapi-ai/server-sdk (>=0.10.2 <=0.11.0)

@vapi-ai/server-sdk NPM version =0.10.2, =0.0.1, =0.1.0, =1.0.0, =1.1.0 Source cves: unknown CVE Source advisory: SNYK:JS-VAPIAISERVERSDK-17146457...

@activepieces/piece-amazon-textract (>=0.2.0 <=0.3.0), @activepieces/piece-salesforce (=0.7.2) +4 more potentially affected by CVE-2026-44665 via fast-xml-builder (>=1.1.1 <=1.1.4)

fast-xml-builder NPM version =1.1.1, =0.2.0, =0.2.1, =0.0.4, =10.4.0, =10.5.0 Source cves: CVE-2026-44665 Source advisory: SNYK:JS-FASTXMLBUILDER-16540558...

@activepieces/piece-amazon-textract (>=0.2.0 <=0.3.0), @activepieces/piece-salesforce (=0.7.2) +4 more potentially affected by CVE-2026-41650 +1 more via fast-xml-builder (>=1.1.1 <=1.1.4)

fast-xml-builder NPM version =1.1.1, =0.2.0, =0.2.1, =0.0.4, =10.4.0, =10.5.0 Source cves: CVE-2026-41650, CVE-2026-44664 Source advisory: SNYK:JS-FASTXMLBUILDER-16133760...