774 matches found
Web-Check < 2.0.1 Screenshot API - OS Command Injection
Lissy93/web-check contains a command injection caused by unsanitized user input in the screenshot API, letting attackers execute arbitrary system commands, exploit requires sending crafted url parameters. id: CVE-2025-32778 info: name: Web-Check 2.0.1 Screenshot API - OS Command Injection author:...
CVE-2026-56260
Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The outputpath parameter accepts arbitrary filesystem paths without validation, allowing an attacker to supply absolute or path-traversal values to write to any location...
EUVD-2026-43227
Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The outputpath parameter accepts arbitrary filesystem paths without validation, allowing an attacker to supply absolute or path-traversal values to write to any location...
PT-2026-57551
Name of the Vulnerable Software and Affected Versions Crawl4AI versions prior to 0.8.7 Description An arbitrary file write issue exists in the Docker API server. The '/screenshot' and '/pdf' endpoints do not validate the output path parameter, which allows an attacker to use absolute paths or...
MAL-2026-7012 Malicious code in express-mongo-limit (npm)
The npm package express-mongo-limit masquerades as an Express/MongoDB payload sanitization middleware likely typosquatting express-mongo-sanitize but is a credential stealer, remote-code-execution backdoor, crypto clipboard hijacker, and screenshot spyware. It declares a postinstall: node index.j...
CVE-2026-58056
RustDesk is affected by a session-authorization scope bypass in FileTransfer sessions. The root cause is gating incoming control messages on per-capability flags rather than the session’s authorized connection type; a peer with only valid FileTransfer authorization can inject keyboard/mouse input...
PT-2026-53088
Name of the Vulnerable Software and Affected Versions RustDesk affected versions not specified Description An issue exists where incoming control messages are gated based on per-capability flags instead of the session's authorized connection type. Because a file-transfer session fails to clear...
Malicious code in syco1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e43be65a0930b121cf4d610c70b2d07165e4d335dece4344590b471d078fa5b5 Package self-describes as a 'System binary configuration tool' but ships a covert screen and clipboard surveillance overlay. pointer.py captures...
MAL-2026-6405 Malicious code in sypoi1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b22a9450e70ba1095097d2779ad6da01c111c37e940d890fbfc21d1aeb6a0f11 On require, index.js silently bootstraps a full Python runtime on the installer's machine — first via winget install -e --id Python.Python.3.12...
PYSEC-0000-CVE-2026-56258
Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use TOCTOU attacks on the outputpath parameter. Remote attackers can...
CVE-2026-56258
Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use TOCTOU attacks on the outputpath parameter. Remote attackers can...
CVE-2026-56258
Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use TOCTOU attacks on the outputpath parameter. Remote attackers can...
EUVD-2026-38432
Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use TOCTOU attacks on the outputpath parameter. Remote attackers can...
CVE-2026-56258
CVE-2026-56258 affects Crawl4AI prior to 0.8.8. An arbitrary file write exists in the screenshot and PDF endpoints via output_path, exploiting insufficient path validation and symlink following with TOCTOU. Unauthenticated remote attackers can write files outside the intended directory, potential...
CVE-2026-56258 Crawl4AI - Arbitrary File Write via output_path Symlink and TOCTOU
Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use TOCTOU attacks on the outputpath parameter. Remote attackers can...
CVE-2025-32424
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, ScreenshotWebPageBlock will store the captured screenshots in a temporary directory. StepThroughItemsBlock can be used to iterate ScreenshotWebPageBlock...
EUVD-2025-210281
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, ScreenshotWebPageBlock will store the captured screenshots in a temporary directory. StepThroughItemsBlock can be used to iterate ScreenshotWebPageBlock...
CVE-2025-32424 AutoGPT has a DoS vulnerability in ScreenshotWebPageBlock
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, ScreenshotWebPageBlock will store the captured screenshots in a temporary directory. StepThroughItemsBlock can be used to iterate ScreenshotWebPageBlock...
MAL-2026-6081 Malicious code in disksweep (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5a6449a8f35de848928e7f17d88c87db80e5aee40e8b53c375e07fc7d43cc05e On every import disksweep, the package's top-level src/disksweep/init.py lines 18-24 calls ctypes.CDLL on a 2.9 MB Windows binary parser.pyd shipped...
PT-2026-51505
Name of the Vulnerable Software and Affected Versions Crawl4AI versions prior to 0.8.8 Description An arbitrary file write issue exists in the screenshot and PDF endpoints. Unauthenticated remote attackers can write files outside the intended directory by exploiting insufficient path validation a...