1059 matches found
CVE-2026-44338
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...
web-app-pentest-playbook
Web Application Pentest Playbook A structured methodology and...
CVE-2026-41889 vulnerabilities
Vulnerabilities for packages: teleport, openbao, steampipe, falcosidekick-fips, amass, falcosidekick, openfga-fips, spicedb-fips, temporal-server, argo-workflows, bento, caddy-fips, cloudprober, pgtimetable-fips, rke2-runtime, juicefs, seaweedfs-fips, timescaledb-parallel-copy, kube-bench,...
CVE-2026-41907 vulnerabilities
Vulnerabilities for packages: redisinsight, dbgate-fips, opensearch-dashboards, opensearch-dashboards-fips, dbgate, sqlpad, saf, kubeflow-centraldashboard, kubeflow-pipelines, actions-runner, librechat, argo-workflows, kibana, npm, gemini-cli, langfuse-fips, wazuh-dashboard-fips, code-server,...
CVE-2026-41506 vulnerabilities
Vulnerabilities for packages: pulumi-language-yaml, teleport, google-osconfig-agent, steampipe, trivy, bom, argocd-image-updater, argo-cd, kargo, grafana-alloy, kubevela, flux-image-automation-controller-fips, osv-scanner, tfsec, commercial-chainloop-cli, pulumi-language-java, guac, argo-workflow...
[SECURITY] Fedora 43 Update: forgejo-runner-12.7.3-2.fc43
The Forgejo Runner is a daemon that fetches workflows to run from a Forgejo i nstance, executes them, sends back with the logs and ultimately reports its success or failure...
CVE-2026-41907 vulnerabilities
Vulnerabilities for packages: argo-workflows, prism, kubeflow-centraldashboard, opensearch-dashboards, code-server, saf, langfuse, kubeflow-pipelines, renovate, jitsucom-jitsu, npm, sqlpad...
Argo vulnerable to exposure of artifact repository credentials
Summary The workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc. in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. Note: This is an...
GHSA-7VF8-2CR6-54MF Argo vulnerable to exposure of artifact repository credentials
Summary The workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc. in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. Note: This is an...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the JoinWorkflowSpec process. An attacker can gain unauthorized access to host networking, override service account assignments, modify pod security contexts, add tolerations, or enable service account token...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the addWebhookAuthorization function. An attacker can cause excessive memory allocation by sending a large request body to the publicly accessible /api/v1/events/ endpoint,...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the addWebhookAuthorization function. An attacker can cause excessive memory allocation by sending a large request body to the publicly accessible /api/v1/events/ endpoint,...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the configMapSyncProvider process. An attacker can create, read, update, or delete Kubernetes ConfigMaps containing synchronization limits by sending crafted requests with any Bearer token, including fake tokens...
CVE-2026-42226
The CVE concerns n8n, an open source workflow automation platform. Before versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workfl...
Evaluating Retrieval-Augmented Generation for Explainable Malware Analysis
Large Language Models LLMs are increasingly being used as security engineering tools to summarize and explain malware behavior to analysts. A common assumption is that Retrieval-Augmented Generation RAG improves explanation quality by injecting external security knowledge. In this work, we...
n8n 安全漏洞
n8n is an open-source, scalable workflow automation tool developed by n8n. Versions of n8n prior to 1.123.32, 2.17.4, and 2.18.1 contained security vulnerabilities. These vulnerabilities stemmed from the /chatWebSocket endpoint in the Chat Trigger node’s Hosted Chat feature, which did not verify...
CVE-2026-40886
A flaw was found in Argo Workflows, an open-source system for managing tasks in Kubernetes. An attacker with appropriate permissions can trigger a system-wide crash by submitting a specially crafted workflow pod with a malformed annotation. This vulnerability leads to a persistent Denial of Servi...
Integrating Log-Based Security Analytics in Agile Workflows: A Real-World Experience Report
Modern organizations increasingly rely on log data and monitoring signals to protect products against account takeovers and abuse, yet integrating security analytics into fast-moving Agile workflows remains challenging. While it is important to understand how security practices are developed and...
Alignment Contracts for Agentic Security Systems
Agentic security systems increasingly combine LLM planners with tools that can discover, validate, and report vulnerabilities. This creates an asymmetric control problem: the system should retain strong offensive capability inside an authorized engagement, while the same capabilities must be deni...
GHSA-HQR4-H3XV-9M3R n8n has XML Node Prototype Pollution that to RCE
Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. Patches The issue has been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1. Use...