Lucene search
+L

34 matches found

RedhatCVE
RedhatCVE
added 3 days ago4 views

CVE-2026-47429

A flaw was found in Vitest, a testing framework. On Windows, the Vitest UI/API server incorrectly handled file serving, which could allow an attacker to read sensitive files outside the project directory. Additionally, exposed API features could be exploited to execute arbitrary scripts, leading ...

9.8CVSS6.2AI score0.01024EPSS
Exploits0References10
NVD
NVD
added 3 days ago7 views

CVE-2026-61427

PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream'...

7.3CVSS0.00338EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago28 views

CVE-2026-61435 PraisonAI before 4.6.78 Authentication Bypass via Host Header Spoofing

PraisonAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints src/praisonai/praisonai/api/agentinvoke.py when PRAISONAICALLAUTH=disabled is configured. The safeguard intended to restrict the disabled-auth opt-out to localhost binding derives the bind host fr...

8.8CVSS0.00384EPSS
Exploits0References4
OSV
OSV
added 3 days ago4 views

CVE-2026-61435 PraisonAI before 4.6.78 Authentication Bypass via Host Header Spoofing

PraisonAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints src/praisonai/praisonai/api/agentinvoke.py when PRAISONAICALLAUTH=disabled is configured. The safeguard intended to restrict the disabled-auth opt-out to localhost binding derives the bind host fr...

8.8CVSS6.1AI score0.00384EPSS
Exploits0References6
CVE
CVE
added 3 days ago8 views

CVE-2026-61435

PraisionAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints (src/praisonai/praisonai/api/agent_invoke.py) when PRAISONAI_CALL_AUTH=disabled is configured. The localhost-only restriction is derived from request.url.hostname via the client-controlled Host h...

8.8CVSS6.1AI score0.00384EPSS
Exploits0References4
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-44641

PraisonAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints src/praisonai/praisonai/api/agentinvoke.py when PRAISONAICALLAUTH=disabled is configured. The safeguard intended to restrict the disabled-auth opt-out to localhost binding derives the bind host fr...

8.8CVSS6.1AI score0.00384EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago33 views

CVE-2026-61427 PraisonAI before 4.6.78 Authentication Bypass via HTTP-stream

PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream'...

7.3CVSS0.00338EPSS
Exploits0References2
CVE
CVE
added 3 days ago6 views

CVE-2026-61427

PraisonAI before 4.6.78 has an authentication bypass in the MCP HTTP-stream transport: running with --transport http-stream and no API key allows unauthenticated clients to initialize sessions, enumerate tools (tools/list), and invoke tools (tools/call). The dispatcher forwards tool-call argument...

7.3CVSS6.1AI score0.00338EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-44638

PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream'...

7.3CVSS6.1AI score0.00338EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/07/06 10:47 a.m.12 views

CVE-2026-14631

A flaw was found in webpack-dev-server. An unauthenticated remote attacker could send a specially crafted HTTP request with a malformed Host header or a WebSocket upgrade with a malformed Origin header. This malformed input causes an uncaught exception, leading to the termination of the Node.js...

5.3CVSS5.9AI score0.00308EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/03 5:23 p.m.42 views

CVE-2026-14631 webpack-dev-server vulnerable to denial of service via a malformed Host or Origin header

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught...

5.3CVSS0.00308EPSS
Exploits0References2
OSV
OSV
added 2026/07/03 5:23 p.m.4 views

CVE-2026-14631 webpack-dev-server vulnerable to denial of service via a malformed Host or Origin header

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught...

5.3CVSS6.1AI score0.00308EPSS
Exploits0References4
CVE
CVE
added 2026/07/03 5:23 p.m.33 views

CVE-2026-14631

Vulnerability overview: CVE-2026-14631 affects webpack-dev-server up to version 5.2.5. An unauthenticated peer sending a normal HTTP request with a malformed Host header or a WebSocket upgrade to /ws with a malformed Origin header triggers an uncaught exception in the host-validation path, crashi...

5.3CVSS6AI score0.00308EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-410 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

Resolution Fixed in v3.1.0, released 2026-05-25. The fix was merged in PR 95 at commit 1c7d3f9. The fix changes the default HTTP bind host to 127.0.0.1, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser-backed...

10CVSS6.1AI score0.00498EPSS
Exploits0References8
OSV
OSV
added 2026/06/26 9:5 p.m.4 views

GHSA-73CV-556C-W3G6 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

Resolution Fixed in v3.1.0, released 2026-05-25. The fix was merged in PR 95 at commit 1c7d3f9. The fix changes the default HTTP bind host to 127.0.0.1, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser-backed...

10CVSS6.1AI score0.00498EPSS
Exploits0References6
OSV
OSV
added 2026/06/26 4:32 p.m.3 views

GHSA-PR7J-96CJ-549H Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API

Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API. It was discovered that the API response /api/plugins.json and related endpoints unintentionally includes internal instance variables of loaded plugins. If any plugins store sensitive...

7.5CVSS5.8AI score0.00474EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/26 4:32 p.m.8 views

Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API

Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API. It was discovered that the API response /api/plugins.json and related endpoints unintentionally includes internal instance variables of loaded plugins. If any plugins store sensitive...

7.5CVSS5.8AI score0.00474EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.16 views

PT-2026-53003

Name of the Vulnerable Software and Affected Versions Fluentd versions prior to 1.19.3 Description The Monitor Agent plugin in monitor agent exposes internal metrics and plugin information through a REST API. The responses from the /api/plugins.json endpoint and related endpoints unintentionally...

7.5CVSS7.1AI score0.00474EPSS
Exploits0References12
RedhatCVE
RedhatCVE
added 2026/06/25 6:38 p.m.9 views

CVE-2026-49980

A flaw was found in Rclone, a command-line program for cloud storage synchronization. When the rcd --rc-serve option is enabled, an unauthenticated remote attacker can send specially crafted GET or HEAD requests to execute arbitrary commands as the Rclone process user. This vulnerability allows f...

9.8CVSS6.5AI score0.00701EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/19 9:33 a.m.12 views

CVE-2026-49121

A flaw was found in AI Tensor Engine for ROCm AITER. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by sending a specially crafted data package, known as a pickle payload, to a ZeroMQ ZMQ subscriber socket. This exploitation is possible due to a lack of...

9.8CVSS6.6AI score0.01104EPSS
Exploits1References6
Rows per page
Query Builder