321 matches found
CVE-2026-40156 PraisonAI Affected by Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code v...
CVE-2026-40156
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code v...
CVE-2026-32861 Out-of-Bounds Write Vulnerability in NI LabVIEW when loading lvclass file
There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted...
CVE-2026-0956
There is a memory corruption vulnerability due to an out-of-bounds read when loading a corrupted file in Digilent DASYLab. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted...
NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
Summary: NiceGUI's app.add_media_file and app.add_media_files media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and...
Digilent DASYLab Security Vulnerability
Digilent DASYLab is a graphical data acquisition and application development platform developed by Digilent, Inc. There is a security vulnerability in Digilent DASYLab, which stems from an out-of-bounds write when loading corrupted files. This vulnerability may lead to information leakage or the...
EulerOS 2.0 SP13 : python3 (EulerOS-SA-2026-1256)
According to the versions of the python3 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : If the value passed to os.path.expandvars is user-controlled a performance degradation is possible when expanding environment...
Unsafe Deserialization
Scapy is vulnerable to unsafe deserialization. The vulnerability is due to insecure handling of serialized session files, which allows an attacker to execute arbitrary code by tricking a user into loading a malicious session file via the -s option...
GHSA-W7H5-55JG-CQ2F Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde
Impact: This is a remote code execution (RCE) vulnerability. Node.js automatically imports /.plugin.js,mjs files including those from node_modules, so any malicious package with a .plugin.js file could execute arbitrary code when installed or required. All projects using this loading behavior are...
CVE-2024-2356 Remote Code Execution due to LFI in '/reinstall_extension' in parisneo/lollms-webui
A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post("/reinstall_extension") route. This vulnerability allows attackers to inject a malicious name parameter, leading ...
EUVD-2020-30931
Quick Player 1.3 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious .m3l file with a carefully constructed payload. Attackers can trigger the vulnerability by loading a specially crafted file through the application's file loading...
CVE-2020-37050
Quick Player 1.3 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious .m3l file with a carefully constructed payload. Attackers can trigger the vulnerability by loading a specially crafted file through the application's file loading...
CVE-2020-37050 Quick Player 1.3 - '.m3l' Buffer Overflow
Quick Player 1.3 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious .m3l file with a carefully constructed payload. Attackers can trigger the vulnerability by loading a specially crafted file through the application's file loading...
CVE-2026-0776 Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Discord Client. An attacker must first obtain the ability to execute low-privileged code on the target system in...
Discord code-related vulnerabilities
Discord is a free chat service provided by the Discord company. Discord has code-related vulnerabilities; one of these vulnerabilities stems from the discordrpc module loading files from insecure locations, which may lead to privilege escalation and the execution of arbitrary code...
CVE-2018-1000889
Logisim Evolution version 2.14.3 and earlier contains an XML External Entity (XXE) vulnerability in Circuit file loading functionality loadXmlFrom in src/com/cburch/logisim/file/XmlReader.java that can result in information leak, possible RCE depending on system configuration. This attack appears t...
CVE-2019-12365
The Newton application through 10.0.23 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission...
CVE-2019-12370
The Spark application through 2.0.2 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission...
CVE-2019-12369
The TypeApp application through 1.9.5.35 for Android allows XSS via an event attribute and arbitrary file loading via a src attribute, if the application has the READ_EXTERNAL_STORAGE permission...