CVE-2026-34936 PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL schem...

CVE-2026-34936 PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL schem...

[SECURITY] Fedora 42 Update: gstreamer1-plugins-base-1.26.11-1.fc42

GStreamer is a streaming media framework, based on graphs of filters which operate on media data. Applications using this library can do anything from real-time sound processing to playing videos, and just about anything else media-related. Its plugin-based architecture means that new data types ...

CVE-2026-23438

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with globaltxfc in buffer switching mvpp2bmswitchbuffers unconditionally calls mvpp2bmpoolupdateprivfc when switching between per-cpu and shared buffer pool modes. This function programs CM3...

CVE-2026-23438

In the Linux kernel mvpp2 driver, CVE-2026-23438 arises from an unconditional access to CM3 flow control via mvpp2_cm3_read()/mvpp2_cm3_write() in mvpp2_bm_switch_buffers(), when priv->cm3_base is NULL (e.g., CM3 SRAM not present in device tree). This can crash the kernel on MTU changes that c...

GHSA-37V6-FXX8-XJMX OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding

Summary Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped v2026.3.28 replay hashing treated equivalent Telnyx Base64/Base64URL signatures as distinct requests, but signature...

PraisonAI 安全漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.90 contained security vulnerabilities. These vulnerabilities stemmed from the passthrough and apassthrough functions accepting an apibase parameter controlled by the caller...

SUSE: Security Advisory (SUSE-SU-2026:20946-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2026-34825 NocoBase Has SQL Injection via template variable substitution in workflow SQL node

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who...

EUVD-2026-18228

Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL HTTP Origin of the application call location. An unauthenticated attacker can craft a website that is able to launch...

CVE-2026-26927

Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL HTTP Origin of the application call location. An unauthenticated attacker can craft a website that is able to launch...

CVE-2026-26927 URL (HTTP Origin) call location spoofing in Szafir SDK Web

Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL HTTP Origin of the application call location. An unauthenticated attacker can craft a website that is able to launch...

EUVD-2026-18098

V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom. Opening a crafted V7 file may lead to arbitrary code execution on the affected product...

Krajowa Izba Rozliczeniowa Szafir SDK Web 安全漏洞

Krajowa Izba Rozliczeniowa Szafir SDK Web is a development toolkit for electronic signatures and identity authentication provided by the Polish company Krajowa Izba Rozliczeniowa. Versions of Krajowa Izba Rozliczeniowa Szafir SDK Web prior to 0.0.17.4 contained security vulnerabilities. These...

PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

Summary passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is...

Server-side Request Forgery (SSRF)

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

GHSA-X6M9-GXVR-7JPV PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

Summary passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is...

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the NGAP handover failure message processing. An attacker can cause the service to crash and disrupt connectivity for all users by forcing a gNodeB to send NGAP handover failure messages. Remediation Upgrade...

CVE-2026-32925

CVE-2026-32925 affects FUJI Electric V-SFT: stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom for versions

EUVD-2026-17959

pandas-ai v3.0.0 was discovered to contain a SQL injection vulnerability via the pandasai.agent.base.executesqlquery component...