117 matches found
PT-2026-45765
A critical chain of vulnerabilities in the Collibra Platform Agent, including CVE-2026-26847 improper authentication and path traversal, allows remote, unauthenticated attackers to achieve Remote Code Execution RCE. Technical Breakdown: Vulnerability Chain: Attackers can exploit improperly...
GHSA-8444-4FHQ-FXPQ PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
Summary CVE-2026-44338 GHSA-6rmh-7xcm-cpxj documents that PraisonAI ships a code-generator praisonai.deploy.api.generateapiservercode that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart praisonai deploy --type api get a server that: -...
CVE-2026-49197
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails...
CVE-2026-49197 Predator Connect W6x: Improper Authentication
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails...
CVE-2026-49197
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails...
CVE-2026-49197
The CVE affects web endpoints used by the Acer Connect app, where the Authorization header is not properly validated. The underlying issue is improper handling of Base64 decoding failures, allowing requests that should be blocked. CVSS indicates a CRITICAL impact with high consequences for confid...
PT-2026-44767
Name of the Vulnerable Software and Affected Versions Acer Connect affected versions not specified Description Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header. The system fails to block requests when the Base64 decoding process fails, allowing...
CVE-2026-3375
CVE-2026-3375 affects the LiteSpeed Cache plugin for WordPress. A Stored Cross-Site Scripting flaw exists in the REST endpoints /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss, where CSS content from QUIC.cloud callback notifications is stored to disk without sanitization....
Jenkins Job Import Plugin 安全漏洞
The Jenkins Job Import Plugin is an open-source plugin for Jenkins that allows the import and migration of Jenkins tasks. The Jenkins Job Import Plugin versions 143.v044a2e819b27 and earlier contain security vulnerabilities. These vulnerabilities stem from the lack of permission checks at the HTT...
CVE-2026-38587
An Insecure Direct Object Reference IDOR vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions User or Guest to retrieve sensitive information, such as the Owner's unique...
CVE-2026-45401 Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the validateurl function in backend/openwebui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream sync requests, async...
CVE-2026-43884 WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()
WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints plugin/AI/receiveAsync.json.php and objects/EpgParser.php in AVideo call isSSRFSafeURL to validate user-supplied URLs, then fetch them using bare filegetcontents without disabling PHP's automatic...
Command Injection
Overview @profullstack/mcp-server is an A generic, modular server for implementing the Model Context Protocol MCP Affected versions of this package are vulnerable to Command Injection via the domainlookup process. An attacker can execute arbitrary operating system commands with the privileges of...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the SNS HTTP/HTTPS notification endpoints due to missing signature verification. An attacker can cause the application to process arbitrary payloads as legitimate notifications, auto-confi...
EUVD-2026-26279
AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipelinepath parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to...
PT-2026-34778
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized...
CVE-2026-24177
CVE-2026-24177 affects NVIDIA KAI Scheduler. The vulnerability allows an attacker to access API endpoints without authorization, potentially leading to information disclosure. NVIDIA’s security bulletin for April 2026 confirms the issue and recommends updating to KAI Scheduler v0.13.0 or later (L...
WordPress plugin Easy Appointments 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
CVE-2026-40104 XWiki's REST APIs can list all pages/spaces, leading to unavailability
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as...
CVE-2026-40071
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...