60 matches found

OSV
added 6 days ago

PYSEC-2026-465 PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default

Summary: CVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code generator, praisonai.deploy.api.generateapiservercode, that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (praisonai deploy --type api) get a server that: -...

CVSS 9.8, AI score 6, EPSS 0.0008
Exploits: 0, References: 6
RedhatCVE
added 6 days ago

CVE-2025-71379

A flaw was found in vLLM. Multiple regular expression denial of service (ReDoS) vulnerabilities exist in versions greater than or equal to 0.6.3 and less than 0.9.0. An attacker can exploit this by submitting crafted input with nested or repeated structures to specific regex patterns within vLLM,...

CVSS 7.5, AI score 5.8, EPSS 0.00321
Exploits: 1, References: 5
NVD
added 2026/06/20 7:16 p.m.

CVE-2025-71379

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker...

CVSS 7.5, EPSS 0.00321
Exploits: 1, References: 2
ATTACKERKB
added 2026/06/20 6:27 p.m.

CVE-2025-71379

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker...

CVSS 5.3, AI score 5.9, EPSS 0.00321
Exploits: 1, References: 3, Affected Software: 1
EUVD
added 2026/06/20 6:27 p.m.

EUVD-2025-210290

vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker...

CVSS 5.3, AI score 5.9, EPSS 0.00321
Exploits: 1, References: 2
CVE
added 2026/06/20 6:27 p.m.

CVE-2025-71379

CVE-2025-71379 affects vLLM versions 0.6.3 through 0.8.x (before 0.9.0). The vulnerability is a set of regular expression denial of service (ReDoS) flaws in multiple components: (1) regex patterns in vllm/lora/utils.py, (2) the phi4mini tool parser, and (3) the OpenAI-compatible serving chat endp...

CVSS 7.5, AI score 5.9, EPSS 0.00321
Exploits: 1, References: 2, Affected Software: 1
Github Security Blog
added 2026/05/29 10:29 p.m.

PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default

Summary: CVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code generator, praisonai.deploy.api.generateapiservercode, that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (praisonai deploy --type api) get a server that: -...

CVSS 7.3, AI score 6.2, EPSS 0.26799
Exploits: 3, References: 3, Affected Software: 1
Positive Technologies
added 2026/05/29 12:00 a.m.

PT-2026-45052

Name of the Vulnerable Software and Affected Versions: PraisonAI version 4.6.33. Description: The code generator praisonai.deploy.api.generate api server code creates a Flask API server with authentication disabled by default. When users deploy the server using the command praisonai deploy --type ap...

CVSS 9.8, AI score 5.9, EPSS 0.0008
Exploits: 0, References: 8
EUVD
added 2026/05/26 8:09 p.m.

EUVD-2026-31983

MaxKB is an open-source AI assistant for enterprise. MaxKB v2.8.0 and prior (before 2.8.1) are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch endpoint (chat/api/oss/geturl). The vulnerability exists due to inconsistent URL parsing between the urlparse...

CVSS 6.3, AI score 5.8, EPSS 0.00232
Exploits: 0, References: 1
NVD
added 2026/05/22 7:17 p.m.

CVE-2026-39968

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the...

CVSS 7.1, EPSS 0.00271
Exploits: 0, References: 3
CVE
added 2026/05/22 6:36 p.m.

CVE-2026-39967

TypeBot (versions ≤ 3.15.2) suffers from a missing typebotId filter in its findResult query, allowing an authenticated user to load result data (answers, variable values, hasStarted flag) from another typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is limited by cryptog...

CVSS 3.1, AI score 5.7, EPSS 0.00186
Exploits: 0, References: 3
CVE
added 2026/05/22 4:50 p.m.

CVE-2026-33712

Technical details (affected version, root cause, exploit, or patch specifics) are not publicly available in the provided documents. Monitor for updates.

CVSS 10, AI score 5.8, EPSS 0.00347
Exploits: 1, References: 2
Vulnrichment
added 2026/05/22 4:50 p.m.

CVE-2026-33712 TypeBot: Unauthenticated SSRF via isolated-vm fetch in preview chat endpoint bypasses SSRF controls

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/typebotId/preview/startChat) allows unauthenticated users to achieve server-side request forgery (SSRF) by supplying a custom typebot definition with server-side code blocks. The fetch...

CVSS 10, AI score 5.8, EPSS 0.00347
Exploits: 1, References: 2
CNNVD
added 2026/05/22 12:00 a.m.

Typebot security vulnerability

Typebot is an open-source chatbot builder developed by Baptiste Arnaud. Typebot versions 3.15.2 and earlier contain security vulnerabilities. These vulnerabilities stem from the fact that the bot-engine still allows any authenticated user to use credentials from any workspace through the...

CVSS 7.1, AI score 5.8, EPSS 0.00271
Exploits: 0, References: 3
Positive Technologies
added 2026/05/22 12:00 a.m.

PT-2026-42821

Name of the Vulnerable Software and Affected Versions: TypeBot versions prior to 3.15.3. Description: An incomplete fix in the bot-engine runtime allows authenticated users to use credentials from any workspace via the preview chat endpoint. The getCredentials utility function employs a falsy check...

CVSS 7.1, AI score 5.8, EPSS 0.00271
Exploits: 0, References: 5
CNNVD
added 2026/05/22 12:00 a.m.

Typebot security vulnerability

Typebot is an open-source chatbot builder developed by Baptiste Arnaud. Typebot versions 3.15.2 and earlier contain security vulnerabilities. These vulnerabilities stem from the preview chat endpoint, which allows unauthenticated users to perform server-side request forgery (SSRF) by providing custom bot...

CVSS 10, AI score 5.8, EPSS 0.00347
Exploits: 1, References: 2
CNNVD
added 2026/05/15 12:00 a.m.

Open WebUI authorization vulnerability

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI from the open-source Open WebUI project. Versions of Open WebUI prior to 0.8.11 have an authorization vulnerability. This vulnerability stems from the internal bypassfilter parameter being exposed through FastA...

CVSS 5.4, AI score 5.8, EPSS 0.00193
Exploits: 1, References: 2
OSV
added 2026/05/11 1:56 p.m.

GHSA-6RMH-7XCM-CPXJ PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution

Summary: PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. Details: The vulnerable server is the shippe...

CVSS 7.3, AI score 6, EPSS 0.26799
Exploits: 3, References: 3
NVD
added 2026/05/08 2:16 p.m.

CVE-2026-44338

PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...

CVSS 7.3, EPSS 0.26799
Exploits: 3, References: 1
EUVD
added 2026/05/08 1:35 p.m.

EUVD-2026-28641

PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...

CVSS 7.3, AI score 5.8, EPSS 0.26799
Exploits: 3, References: 1