EUVD-2026-39011
Warp is an agentic development environment. From 0.2025.04.09.08.11.stable00 until 0.2026.05.06.15.42.stable01, Warp contains a command execution policy bypass in Agent code search tools. The affected Grep and FileGlob actions are authorized as read/search operations, but their implementations...
CVE-2026-57282
Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent...
Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent
Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default, Kaseya VSA on premise offers a download page from which the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp. When an attacker downloads a client...
Jolokia Agent - JNDI Code Injection
Jolokia agent is vulnerable to a JNDI injection vulnerability that allows a remote attacker to run arbitrary Java code on the server when the agent is in proxy mode. id: CVE-2018-1000130 info: name: Jolokia Agent - JNDI Code Injection author: milo2012 severity: high description: | Jolokia agent i...
Piwigo 13.7.0 - SQL Injection
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the administrator login screen. The SQL statement that acquires the HTTP User-Agent header is vulnerable at the endpoint that records user information when logging in to the...
PraisonAI AgentOS - Information Disclosure
PraisonAI's AgentOS FastAPI application server exposes an unauthenticated GET /api/agents endpoint that lists every registered agent's name, role and the opening of its instructions system prompt. No authentication is enforced on the route, allowing a remote attacker to enumerate agent...
GHSA-7CQP-7CFV-6C3Q AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel
Summary The Meet plugin stores the raw HTTP User-Agent header of every meeting participant and later renders it without output encoding in the meeting-management "Participants" panel that the meeting host and site administrators open. An anonymous, unauthenticated attacker can join any public...
CVE-2026-56694
NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups. Scoped admins can submit forged or stale connect callback values to wire messaging channel...
CVE-2026-56693
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the create_agent delivery-action handler that performs privileged central-database writes without host-side authorization checks. Confined agent containers can invoke create_agent to create arbitrary agent groups, container...
CVE-2026-54308 n8n: Missing Token Validation on Microsoft Agent 365 Trigger Node
n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, the MicrosoftAgent365Trigger and StripeTrigger nodes did not validate inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to...
CVE-2026-54308
Summary (CVE-2026-54308): In n8n, the MicrosoftAgent365Trigger and StripeTrigger nodes failed to validate inbound requests prior to versions 2.25.7 and 2.26.2. An unauthenticated attacker who knows the webhook URL could submit a forged payload and cause a workflow to execute with attacker-contro...
CVE-2026-56694 NanoClaw < 2.1.0 - Privilege Escalation via Forged Channel Approval Callback
NanoClaw before 2.1.0 contains a privilege escalation vulnerability in the channel-registration approval flow where handleChannelApprovalResponse fails to validate admin privileges over target agent groups. Scoped admins can submit forged or stale connect callback values to wire messaging channel...
CVE-2026-56693
NanoClaw prior to version 2.1.17 contains a privilege-escalation flaw in the create_agent delivery-action handler. It performs privileged central-database writes without host-side authorization checks, enabling confined agent containers to invoke create_agent to create arbitrary agent groups, con...
EUVD-2026-38465
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the create_agent delivery-action handler that performs privileged central-database writes without host-side authorization checks. Confined agent containers can invoke create_agent to create arbitrary agent groups, container...
GHSA-5WRP-CWCJ-Q835 vulnerabilities
Vulnerabilities for packages: argo-cd, fleet-server-fips, gitlab-rails-ce-fips, cadvisor-fips, kgateway-fips, docker-compose-fips, beats, argo-workflows-fips, kubescape-operator, tw, grafana-image-renderer, boring-registry-fips, crossplane-provider-aws-mediapackage-fips, gitlab-operator-fips,...
CVE-2026-41178 vulnerabilities
Vulnerabilities for packages: argo-cd, fleet-server-fips, gitlab-rails-ce-fips, cadvisor-fips, kgateway-fips, docker-compose-fips, beats, argo-workflows-fips, kubescape-operator, tw, grafana-image-renderer, boring-registry-fips, crossplane-provider-aws-mediapackage-fips, gitlab-operator-fips,...
GHSA-JPCC-P29G-P8MQ vulnerabilities
Vulnerabilities for packages: wolfictl, chaos-mesh-fips, steampipe, kube-arangodb-fips, chartmuseum, kgateway-fips, kube-mgmt, docker-compose-fips, neuvector-scanner-fips, helm, gatekeeper, helmfile, kubescape-operator, jfrog-cli, spegel-fips, tw, grype-db, buildkitd, skaffold-fips, xeol-fips,...
GHSA-XHF5-7WJV-PQXP vulnerabilities
Vulnerabilities for packages: wolfictl, chaos-mesh-fips, steampipe, kube-arangodb-fips, chartmuseum, kgateway-fips, kube-mgmt, docker-compose-fips, neuvector-scanner-fips, helm, gatekeeper, helmfile, kubescape-operator, jfrog-cli, spegel-fips, tw, grype-db, buildkitd, skaffold-fips, xeol-fips,...