PT-2026-40105

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch on agent-supplied URLs without validating scheme, port, or resolved IP, resulting in an SSRF vulnerability. This vulnerability is fixed in 0.x.y-security-1...

CVE-2026-41692

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute key interpolation tokens inside src and href attribute values with the raw string returned by i18next.t. The substitution logic in...

PraisonAI 安全漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.90 contained security vulnerabilities. These vulnerabilities stemmed from the passthrough and apassthrough functions accepting an apibase parameter controlled by the caller...

CVE-2026-32008

OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed function that allows authenticated users with browser-tool access to navigate to file:// URLs. Attackers can exploit this by accessing local files readable by the...

EUVD-2016-2722

Malware in sbrugna...

EUVD-2023-28533

Malicious code in bioql PyPI...

EUVD-2024-3104

Malicious code in bioql PyPI...

CVE-2025-7780 Ai Engine <= 2.9.4 - Missing URL Scheme Validation to Authenticated (Subscriber+) Arbitrary File Read via simpleTranscribeAudio and get_audio Functions

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4. The simpleTranscribeAudio endpoint fails to restrict URL schemes before calling getaudio. This makes it possible for authenticated attackers, with Subscriber-level acces...

CVE-2025-7780 AI Engine <= 2.9.4 - Missing URL Scheme Validation to Authenticated (Subscriber+) Arbitrary File Read via simpleTranscribeAudio and get_audio Functions

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4. The simpleTranscribeAudio endpoint fails to restrict URL schemes before calling getaudio. This makes it possible for authenticated attackers, with Subscriber-level acces...

CVE-2025-7780

CVE-2025-7780 (AI Engine WordPress Plugin) is a vulnerability affecting versions up to 2.9.4 where the simpleTranscribeAudio endpoint does not validate URL schemes before invoking get_audio(), allowing authenticated users with Subscriber-level access or higher to read arbitrary files on the web s...

CVE-2024-21533

All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone API, which allows specifying the remote URL to clone and the file on disk to clone to. The library does not sanitize for user input or validate a given URL scheme, nor does it properly pass command-line...

Arbitrary Argument Injection

ggit is vulnerable to Arbitrary Argument Injection. The vulnerability is due to the failure to sanitize user input and improper handling of command-line flags and doesn't validate the URL scheme or properly pass arguments to the git binary using the necessary -- POSIX characters, allowing attacke...

GHSA-4882-HXPR-HRVM @udecode/plate-link does not sanitize URLs to prevent use of the `javascript:` scheme

Impact Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the javascript: scheme. As a result, links with JavaScript URLs can be inserted into the Plate editor through various means, including opening or pasting malicious content. Patches...

UBUNTU-CVE-2016-1627

The Developer Tools aka DevTools subsystem in Google Chrome before 48.0.2564.109 does not validate URL schemes and ensure that the remoteBase parameter is associated with a chrome-devtools-frontend.appspot.com URL, which allows remote attackers to bypass intended access restrictions via a crafted...

Google Chrome Security Bypass Vulnerability (CNVD-2015-04100)

Google Chrome is a web browser developed by the American company Google Google. A security vulnerability exists in the content/browser/webui/contentwebuicontrollerfactory.cc file in Google Chrome 43.0.2357.81 and earlier versions, which stems from the program's failure to properly validate a URL...