CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Github Security Blog•added 3 days ago•10 views

praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR

OSV•added 3 days ago•2 views

GHSA-CP4F-5M9R-5JC2 praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR

Summary Type: Insecure Direct Object Reference. The comment endpoints POST /workspaces/workspaceid/issues/issueid/comments and GET .../comments gate access on requireworkspacememberworkspaceid only, then call CommentService.createissueid=issueid, ... and CommentService.listforissueissueid without...

8.1CVSS5.9AI score

Github Security Blog•added 3 days ago•9 views

praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR

5.9AI score

Github Security Blog•added 3 days ago•8 views

praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR

Summary Type: Insecure Direct Object Reference. The project CRUD endpoints GET / PATCH / DELETE /workspaces/workspaceid/projects/projectid and GET .../projectid/stats gate access on requireworkspacememberworkspaceid only, then resolve projectid through ProjectService.getprojectid / updateprojecti...

OSV•added 3 days ago•4 views

GHSA-943M-6WX2-RC2J praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR

8.1CVSS5.8AI score

Positive Technologies•added 3 days ago•8 views

PT-2026-45489

Summary Type: Insecure Direct Object Reference. The project CRUD endpoints GET / PATCH / DELETE /workspaces/workspace id/projects/project id and GET .../project id/stats gate access on require workspace memberworkspace id only, then resolve project id through ProjectService.getproject id /...

8.1CVSS5.8AI score

Positive Technologies•added 3 days ago•4 views

PT-2026-45487

Summary Type: Insecure Direct Object Reference. The issue CRUD endpoints GET / PATCH / DELETE /workspaces/workspace id/issues/issue id gate access on require workspace memberworkspace id only, then resolve issue id through IssueService.getissue id which is a primary-key lookup with no workspace...

8.3CVSS5.8AI score

Positive Technologies•added 3 days ago•6 views

PT-2026-45488

Summary Type: Insecure Direct Object Reference. The comment endpoints POST /workspaces/workspace id/issues/issue id/comments and GET .../comments gate access on require workspace memberworkspace id only, then call CommentService.createissue id=issue id, ... and CommentService.list for issueissue ...

8.1CVSS5.9AI score

OSV•added 6 days ago•2 views

GHSA-4X6R-9V57-3GQW praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks

Summary Type: Insecure Direct Object Reference. The dependency endpoints POST/GET /workspaces/workspaceid/issues/issueid/dependencies and DELETE .../dependencies/depid gate access on requireworkspacememberworkspaceid only, then dispatch to DependencyService calls that take URL/body-supplied issue...

8.1CVSS5.9AI score

Github Security Blog•added 6 days ago•18 views

praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks

5.9AI score

OSV•added 6 days ago•6 views

GHSA-6H6V-6M7W-7VXX PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID

Summary PraisonAI Platform's workspace-scoped REST routes contain a systemic object-level authorization flaw that allows an authenticated user from one workspace to access, modify, and delete objects belonging to another workspace by supplying the victim object's global UUID. The affected pattern...

8.8CVSS5.8AI score

Github Security Blog•added 6 days ago•20 views

PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID

Github Security Blog•added 6 days ago•17 views

PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation

Summary The Platform server exposes resources under /api/v1/workspaces/workspaceid/... and protects them with a requireworkspacememberworkspaceid FastAPI dependency. The dependency only checks that the caller is a member of the workspaceid in the URL prefix. The route handlers then look up the...

OSV•added 6 days ago•2 views

GHSA-H8Q5-CP56-RR65 PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation

9.4CVSS5.8AI score

Github Security Blog•added 6 days ago•16 views

praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership

Summary Type: Insecure Direct Object Reference. The GET /workspaces/workspaceid/issues/issueid/activity endpoint is gated by requireworkspacememberworkspaceid and dispatches to ActivityService.listforissueissueid, which executes SELECT FROM activity WHERE issueid = :issueid with no workspace...

OSV•added 6 days ago•4 views

GHSA-27P4-PJQV-WHGJ praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership

6.5CVSS5.8AI score

OSV•added 6 days ago•4 views

GHSA-GV23-XRM3-8C62 PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API

Summary The PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, so any authenticated user can read, modify, and delete resources in any...

8.8CVSS5.8AI score

Github Security Blog•added 6 days ago•17 views

PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API

Positive Technologies•added 6 days ago•4 views

PT-2026-45068

8.8CVSS5.8AI score