71 matches found
Linux Distros Unpatched Vulnerability : CVE-2026-41176
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without...
PT-2026-34253
Vulnerability in Spring Spring Security. If an application is using securityMatchersString and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the...
CVE-2026-40115
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token...
EUVD-2026-21160
PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS...
GHSA-2XGV-5CV2-47VV PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS
Summary The WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token configured, any local process can send arbitrarily large...
PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS
Summary The WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token configured, any local process can send arbitrarily large...
CVE-2026-40115
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token...
CVE-2026-40115
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token...
CVE-2026-40115 PraisonAI has an Unrestricted Upload Size in WSGI Recipe Registry Server Enables Memory Exhaustion DoS
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token...
CVE-2026-40115 PraisonAI has an Unrestricted Upload Size in WSGI Recipe Registry Server Enables Memory Exhaustion DoS
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token...
PraisonAI 安全漏洞
PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.128 contained security vulnerabilities. These vulnerabilities stemmed from the WSGI server not setting an upper limit when reading HTTP request bodies and disabling...
GHSA-7P93-6934-F4Q7 Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
Summary The Glances XML-RPC server activated with glances -s or glances --server sends Access-Control-Allow-Origin: on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" POST with Content-Typ...
CVE-2026-30975 Sonarr Authentication Bypass vulnerability
Sonarr is a PVR for Usenet and BitTorrent users. Versions prior to 4.0.16.2942 have an authentication bypass that affected users that had disabled authentication for local addresses Authentication Required set to: Disabled for Local Addresses without a reverse proxy running in front of Sonarr tha...
CVE-2026-3611 Honeywell IQ4x BMS Controller Missing authentication for critical function
The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest level 100 context, granting read/write...
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
Summary The generic webhook channel trusts caller-supplied identity fields sender, chatid from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled authtoken: None, an attacker who can reach POST /webhook can spoo...
ZeptoClaw 数据伪造问题漏洞
ZeptoClaw is a lightweight personal AI assistant developed by qhkm’s individual developer. Versions of ZeptoClaw prior to 0.7.6 had a data manipulation vulnerability. This vulnerability stems from the use of identity fields provided by trusted callers, with authentication being disabled by defaul...
EUVD-2026-11172
In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled...
CVE-2026-25715
The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the POST /api/v2/dag-runs endpoint, which accepts and executes inline YAML specifications without authentication in the default configuration. An attacker can execute arbitrary commands o...
CVE-2025-13864
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint /wp-json/breeze/v1/clear-all-cache being registered with permissioncallback = 'returntrue' and authentication...