Lucene search
K

129 matches found

CNNVD
CNNVD
added 2026/04/09 12:0 a.m.5 views

marimo 访问控制错误漏洞

Marimo is an open-source interactive Python notebook that supports reactive programming and SQL queries. Versions of Marimo prior to 0.23.0 contained a access control vulnerability. This vulnerability stemmed from the lack of authentication for the terminal WebSocket endpoint, allowing...

9.8CVSS7.6AI score0.95645EPSS
Exploits11References4
Snyk
Snyk
added 2026/04/08 9:50 p.m.3 views

Missing Authentication for Critical Function

Overview marimo is an A library for making reactive notebooks and apps Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the terminal/ws WebSocket endpoint, which lacks authentication validation. An unauthenticated attacker can gain unauthorized...

9.8CVSS7.6AI score0.95645EPSS
Exploits11References2
Github Security Blog
Github Security Blog
added 2026/04/08 9:50 p.m.15 views

Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass

Summary Marimo 19.6k stars has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints e.g., /ws that correct...

9.8CVSS6.2AI score0.95645EPSS
Exploits11References8Affected Software1
OSV
OSV
added 2026/04/08 9:50 p.m.3 views

GHSA-2679-6MX9-H9XC Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass

Summary Marimo 19.6k stars has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints e.g., /ws that correct...

9.8CVSS6.1AI score0.95645EPSS
Exploits11References8
RedhatCVE
RedhatCVE
added 2026/04/07 10:51 a.m.14 views

CVE-2026-5631

A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extractcommanddata of the file backend/server/serverutils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. T...

7.5CVSS5.5AI score0.00311EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/06 9:31 a.m.3 views

EUVD-2026-19186

A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extractcommanddata of the file backend/server/serverutils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. T...

7.5CVSS6.7AI score0.00311EPSS
Exploits0References6
NVD
NVD
added 2026/04/06 8:16 a.m.4 views

CVE-2026-5633

A vulnerability was determined in assafelovic gpt-researcher up to 3.4.3. Affected is an unknown function of the component ws Endpoint. Executing a manipulation of the argument sourceurls can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been...

7.5CVSS0.00284EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/06 8:9 a.m.1 views

Server-side Request Forgery (SSRF)

Overview gpt-researcher is a GPT Researcher is an autonomous agent designed for comprehensive web research on any task Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the ws Endpoint component when processing the sourceurls argument. An attacker can access...

7.5CVSS5.9AI score0.00284EPSS
Exploits0References2
NVD
NVD
added 2026/04/06 7:16 a.m.3 views

CVE-2026-5631

A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extractcommanddata of the file backend/server/serverutils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. T...

7.5CVSS0.00311EPSS
Exploits0References5
CVE
CVE
added 2026/04/06 6:30 a.m.25 views

CVE-2026-5631

The CVE-2026-5631 entry affects assafelovic gpt-researcher up to version 3.4.3. The vulnerability resides in the function extract_command_data in backend/server/server_utils.py of the ws Endpoint, where manipulation of the args parameter enables code injection. This can be exploited remotely; the...

7.5CVSS6.7AI score0.00311EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.8 views

PT-2026-30570

A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extract command data of the file backend/server/server utils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote...

7.5CVSS6.7AI score0.00311EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.8 views

GPT Researcher 代码问题漏洞

GPT Researcher is an AI-based deep research agent tool developed by Assaf Elovic as a personal development tool. Versions of GPT Researcher 3.4.3 and earlier have code vulnerabilities related to improper handling of parameters in the ws Endpoint component, which may lead to server-side request...

7.5CVSS7.2AI score0.00284EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.2 views

PT-2026-30572

A vulnerability was determined in assafelovic gpt-researcher up to 3.4.3. Affected is an unknown function of the component ws Endpoint. Executing a manipulation of the argument source urls can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been...

7.5CVSS6.7AI score0.00284EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/04/03 10:53 p.m.1 views

CVE-2026-34952

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and the...

9.1CVSS5.9AI score0.00444EPSS
Exploits1References2Affected Software1
Snyk
Snyk
added 2026/04/01 11:28 p.m.3 views

Missing Authentication for Critical Function

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

9.3CVSS6AI score0.00444EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/01 11:28 p.m.6 views

PraisonAI Has Missing Authentication in WebSocket Gateway

Summary The PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. Details gateway/server.py:242 source -...

9.1CVSS6AI score0.00444EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/28 4:59 p.m.4 views

CVE-2026-4958

A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.onconnect/ReplayServer.senddata of the file XAgentServer/application/websockets/replayer.py of the component WebSocket Endpoint. Such manipulation of the argument interactionid leads to authorization...

3.1CVSS5.4AI score0.00383EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/27 6:31 p.m.6 views

EUVD-2026-16692

A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function checkuser of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interactionid results in missing authentication. Remote...

7.5CVSS6.6AI score0.0043EPSS
Exploits1References5
CVE
CVE
added 2026/03/27 3:31 p.m.18 views

CVE-2026-4959

OpenBMB XAgent 1.0.0 contains a vulnerability in the ShareServer WebSocket Endpoint (XAgentServer/application/websockets/share.py, function check_user). Manipulating the argument interaction_id results in missing authentication, enabling remote exploitation. The exploit has been publicized, and t...

7.5CVSS6.6AI score0.0043EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/03/27 3:31 p.m.29 views

CVE-2026-4958 OpenBMB XAgent WebSocket Endpoint replayer.py ReplayServer.send_data authorization

A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.onconnect/ReplayServer.senddata of the file XAgentServer/application/websockets/replayer.py of the component WebSocket Endpoint. Such manipulation of the argument interactionid leads to authorization...

3.1CVSS0.00383EPSS
Exploits1References4
Rows per page
Query Builder