Lucene search
+L

316 matches found

cve
cve
added 6 days ago22 views

CVE-2026-44795

CVE-2026-44795 affects Spinnaker (Cloud deployments/baking paths) where unsafe YAML processing bypasses safe deserialization via a non-safe constructor, enabling arbitrary Java class loading and remote code execution. Affected versions precede fixed releases and include 2026.1.0, 2026.0.3, 2025.4...

8.8CVSS6.3AI score0.01001EPSS
Exploits0References4
osv
osv
added 6 days ago3 views

CVE-2026-44795 Spinnaker: Non-safe yaml deserialization allowing RCE when using specific types

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading...

8.8CVSS6.3AI score0.01001EPSS
Exploits0References6
osv
osv
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-462 PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading

Summary The AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can...

9.8CVSS6.8AI score0.0058EPSS
Exploits0References6
osv
osv
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-393 Unsafe yaml deserialization in llama-hub

The OpenAPI and ChatGPT plugin loaders in LlamaHub aka llama-hub before 0.0.67 allow attackers to execute arbitrary code because safeload is not used for YAML...

9.8CVSS7.7AI score0.01192EPSS
Exploits0References8
snyk
snyk
added 2026/06/22 8:43 p.m.2 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the YAML processing. An attacker can execute arbitrary code by supplying crafted YAML input that triggers unsafe class loading during operations such as CloudFormation deployments or CloudFoundry...

8.8CVSS6.2AI score0.01001EPSS
Exploits0References2
github
github
added 2026/06/19 9:15 p.m.13 views

VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files

Summary vcrpy deserializes YAML cassette files with PyYAML's object-constructing loader yaml.CLoader / yaml.Loader instead of the safe loader yaml.CSafeLoader / yaml.SafeLoader. A cassette containing a !!python/object/apply: or similar tag therefore executes arbitrary Python code the moment the...

6.5AI score
Exploits0References2Affected Software1
redhatcve
redhatcve
added 2026/06/09 9:36 a.m.19 views

CVE-2026-52903

A deserialization of untrusted data vulnerability was found in ManageIQ. The YamlLoadAliases module overrides YAML.safeload to silently fall back to YAML.unsafeload in production when a Psych::DisallowedClass error occurs. An authenticated attacker with dialog import access can exploit this to...

8.8CVSS6.4AI score
Exploits0References3
github
github
added 2026/04/24 4:37 p.m.10 views

k8sGPT has Prompt Injection through its k8sGPT-Operator

Summary In the auto-remediation pipeline, objecttoexecution.go was deserializing the AI-generated YAML directly into a Deployment object, but there was lack of validation from the original Deployment object. Details This issue was fixed after coordination with Alex Jones. PoC To minimize the...

5.3AI score
Exploits0References2Affected Software1
vulnrichment
vulnrichment
added 2026/04/08 8:45 p.m.3 views

CVE-2026-39890 PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading

PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed,...

9.8CVSS6.6AI score0.0058EPSS
Exploits0References1
osv
osv
added 2026/04/08 8:45 p.m.3 views

CVE-2026-39890 PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading

PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed,...

9.8CVSS6.8AI score0.0058EPSS
Exploits0References3
cve
cve
added 2026/04/08 8:45 p.m.17 views

CVE-2026-39890

Prais onAI’s AgentService.loadAgentFromFile parses YAML with js-yaml without disabling dangerous tags (e.g., !!js/function, !!js/undefined), enabling attacker to upload a malicious agent definition and achieve remote code execution on the server. Affected software: PraisonAI (before 4.5.115). Roo...

9.8CVSS6.6AI score0.0058EPSS
Exploits0References1Affected Software1
osv
osv
added 2026/04/08 7:17 p.m.6 views

GHSA-32VR-5GCF-3PW2 PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading

Summary The AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can...

9.8CVSS6.7AI score0.0058EPSS
Exploits0References4
snyk
snyk
added 2026/04/08 7:17 p.m.3 views

Deserialization of Untrusted Data

Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the YAML deserialization in the loadAgentFromFile function. An attacker can execute arbitrary code...

9.8CVSS6.2AI score0.0058EPSS
Exploits0References2
euvd
euvd
added 2026/04/08 7:17 p.m.5 views

EUVD-2026-20638

PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading...

9.8CVSS6AI score0.0058EPSS
Exploits0References2
snyk
snyk
added 2026/04/08 7:17 p.m.2 views

Deserialization of Untrusted Data

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

9.8CVSS6.2AI score0.0058EPSS
Exploits0References2
snyk
snyk
added 2026/04/08 7:17 p.m.10 views

Deserialization of Untrusted Data

Overview praisonai is a PraisonAI TypeScript AI Agents Framework - Node.js, npm, and Javascript AI Agents Framework Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the YAML deserialization in the loadAgentFromFile function. An attacker can execute...

9.8CVSS6.2AI score0.0058EPSS
Exploits0References2
github
github
added 2026/04/08 7:17 p.m.5 views

PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading

Summary The AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can...

9.8CVSS6.7AI score0.0058EPSS
Exploits0References4Affected Software1
snyk
snyk
added 2026/03/27 6:18 p.m.3 views

Allocation of Resources Without Limits or Throttling

Overview serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the serialize function when handling specially...

8.2CVSS5.9AI score0.00472EPSS
Exploits0References2
github
github
added 2026/03/27 6:18 p.m.37 views

Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

Impact What kind of vulnerability is it? It is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but has a very large length property, the process enters an intensive loop that...

7.5CVSS5.8AI score0.00472EPSS
Exploits0References6Affected Software1
ptsecurity
ptsecurity
added 2026/03/27 12:0 a.m.6 views

PT-2026-28596

Name of the Vulnerable Software and Affected Versions serialize-javascript versions prior to 7.0.5 Description This issue involves a Denial of Service DoS caused by CPU exhaustion. When serializing a specially crafted "array-like" object – an object inheriting from Array.prototype with a very lar...

7.5CVSS5.9AI score0.00472EPSS
Exploits0References197
Rows per page
Query Builder