4404 matches found
CVE-2026-61440
PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to...
EUVD-2026-44644
PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to...
VMWare Workspace ONE UEM - Server-Side Request Forgery
VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without...
VMware Workspace ONE Access - Authentication Bypass
VMware Workspace ONE Access has two authentication bypass vulnerabilities CVE-2022-22955 & CVE-2022-22956 in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework. id: CVE-2022-22956...
Dashy <= 4.3.6 - Reflected XSS via Workspace
Dashy versions up to 4.3.6 contain a reflected cross-site scripting vulnerability in the workspace view. The url query parameter is passed directly to an iframe src attribute without scheme validation, allowing an attacker to inject javascript: URIs that execute arbitrary JavaScript in the contex...
CVE-2026-15629
A weakness has been identified in louisho5 picobot up to 0.2.0. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following. It is possible to launch the attack remotely. The...
CVE-2026-15626
A vulnerability was determined in nextlevelbuilder GoClaw 3.13.3-beta.3. This affects the function writeFile of the file internal/providers/acp/toolbridge.go of the component ACP ToolBridge Workspace Handler. This manipulation causes path traversal. The attack is possible to be carried out...
EUVD-2026-43618
A weakness has been identified in louisho5 picobot up to 0.2.0. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following. It is possible to launch the attack remotely. The...
CVE-2026-15629 louisho5 picobot Workspace filesystem.go GetSkill link following
A weakness has been identified in louisho5 picobot up to 0.2.0. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following. It is possible to launch the attack remotely. The...
CVE-2026-15622
A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...
CVE-2026-15626 nextlevelbuilder GoClaw ACP ToolBridge Workspace tool_bridge.go writeFile path traversal
A vulnerability was determined in nextlevelbuilder GoClaw 3.13.3-beta.3. This affects the function writeFile of the file internal/providers/acp/toolbridge.go of the component ACP ToolBridge Workspace Handler. This manipulation causes path traversal. The attack is possible to be carried out...
EUVD-2026-43615
A vulnerability was determined in nextlevelbuilder GoClaw 3.13.3-beta.3. This affects the function writeFile of the file internal/providers/acp/toolbridge.go of the component ACP ToolBridge Workspace Handler. This manipulation causes path traversal. The attack is possible to be carried out...
EUVD-2026-43599
A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...
CVE-2026-15622
The CVE-2026-15622 entry concerns poco-ai poco-claw Workspace API. Affects the function get_workspace_file in executor_manager/app/api/v1/workspace.py; manipulating the user_id parameter can bypass authorization. Impact is an authorization bypass that can be triggered remotely, with a proof-of-co...
CVE-2026-15622 poco-ai poco-claw Workspace API workspace.py get_workspace_file authorization
A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...
CVE-2026-15622 poco-ai poco-claw Workspace API workspace.py get_workspace_file authorization
A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...
CVE-2026-26396
OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter “filename” is user-controllable and is concatenated into the file path to be read without proper validation, leading to a directory...
CVE-2026-26396
OpenBMB XAgent v1.0.0 and earlier are affected by a path traversal in the file() function within XAgent/XAgentServer/application/routers/workspace.py. The input parameter filename is user-controllable and concatenated into the file path without proper validation, enabling potential disclosure of ...
The vulnerability of the Open WebUI web interface, related to the lack of permission checking, allows a violator to gain read access, modify data, and increase their privileges.
The vulnerability of the Open WebUI web interface relates to the lack of permission checking for workspace.models.import. Exploiting this vulnerability can allow an attacker, operating remotely, to gain read access, modify data, and enhance their privileges by sending a specially crafted POST...
CVE-2026-61442
PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...