126 matches found
CVE-2026-41496 PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase,...
Malicious code in centralogger (npm)
dom-utils-lite and centralogger, with identical payloads. On npm install, a postinstall hook fetches the attacker’s SSH public key from a Supabase storage bucket, appends it to /.ssh/authorizedkeys, harvests the victim’s IP, username, and hostname, then uploads that metadata to the same Supabase...
MAL-2026-2825 Malicious code in centralogger (npm)
dom-utils-lite and centralogger, with identical payloads. On npm install, a postinstall hook fetches the attacker’s SSH public key from a Supabase storage bucket, appends it to /.ssh/authorizedkeys, harvests the victim’s IP, username, and hostname, then uploads that metadata to the same Supabase...
Malicious code in dom-utils-lite (npm)
dom-utils-lite and centralogger, with identical payloads. On npm install, a postinstall hook fetches the attacker’s SSH public key from a Supabase storage bucket, appends it to /.ssh/authorizedkeys, harvests the victim’s IP, username, and hostname, then uploads that metadata to the same Supabase...
MAL-2026-2826 Malicious code in dom-utils-lite (npm)
dom-utils-lite and centralogger, with identical payloads. On npm install, a postinstall hook fetches the attacker’s SSH public key from a Supabase storage bucket, appends it to /.ssh/authorizedkeys, harvests the victim’s IP, username, and hostname, then uploads that metadata to the same Supabase...
CVE-2026-31813
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...
Exploit for CVE-2025-48757
🛡️ Supabase Sentinel A Claude Skill that audits your Supaba...
CVE-2026-31813
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...
CVE-2026-31813 Supabase Auth has insecure Apple and Azure authentication with ID tokens
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...
CVE-2026-31813
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...
CVE-2026-31813
CVE-2026-31813 affects Supabase Auth. Before version 2.185.0, if Apple or Azure as OIDC providers are enabled, an attacker can create a valid, asymmetrically signed ID token from their issuer for each victim email and send it to the token endpoint using the ID token flow. If the ID token is OIDC ...
CVE-2026-31813 Supabase Auth has insecure Apple and Azure authentication with ID tokens
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...
CVE-2026-31813 Supabase Auth has insecure Apple and Azure authentication with ID tokens
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...
编号撤回
“ring”(Brian Smith)。“ring”。 “The R Foundation”“R”(The R Foundation)。“R”。“Supabase Auth”(Supabase)。“Auth”。CVE。...
PT-2026-24743
Supabase Auth is a JWT based API for managing users and issuing JWT tokens. Prior to 2.185.0, a vulnerability has been identified that allows an attacker to issue sessions for arbitrary users using specially crafted ID tokens when the Apple or Azure providers are enabled. The attacker issues a...
编号撤回
“ring”(Brian Smith)。“ring”。 “The R Foundation”“R”(The R Foundation)。“R”。“Supabase Auth”(Supabase)。“Auth”。CVE。...
编号撤回
“ring”(Brian Smith)。“ring”。 “The R Foundation”“R”(The R Foundation)。“R”。“Supabase Auth”(Supabase)。“Auth”。CVE。...
Auth 安全漏洞
Auth is a user authentication and management system developed by Supabase. Previous versions of Supabase Auth, such as 2.185.0, had security vulnerabilities. These vulnerabilities occurred when Apple or Azure providers were enabled, allowing attackers to issue session tokens for arbitrary users...
编号撤回
“ring”(Brian Smith)。“ring”。 “The R Foundation”“R”(The R Foundation)。“R”。“Supabase Auth”(Supabase)。“Auth”。CVE。...
CVE-2026-24780 AutoGPT is Vulnerable to RCE via Disabled Block Execution
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints both main web API and external API allow executing blocks by UUID...