57000 matches found
CVE-2026-41487
CVE-2026-41487 affects Langfuse (open source LLM engineering platform). From version 3.68.0 up to before 3.167.0, a role-based access control flaw in the LLM connection update flow allowed an authenticated, low-privilege user with the role “member” in a project to request updating an LLM connecti...
CVE-2026-41487 Langfuse: Improper role-based-access control in Langfuse LLM connection management allowed users of role “member” to retrieve stored LLM provider API keys
Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an...
CVE-2026-44338
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...
EUVD-2026-28641
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...
CVE-2026-44338 PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...
CVE-2026-44338
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...
CVE-2026-41161 Username Enumeration via Timing Attack
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time...
EUVD-2026-28543
The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...
CVE-2026-7475
The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...
MAL-2026-3394 Malicious code in @gaia-codesearch/gaia-api-typescript (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59cc0f371f067ea9c6f0bbe7076f9f33181d8e1ae55c43ff05ae2b854de41549 The package @gaia-codesearch/gaia-api-typescript was found to contain malicious code. Source: ossf-package-analysis...
EUVD-2025-209736
An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...
CVE-2026-7475
The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...
Malicious code in @gaia-codesearch/gaia-api-python (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bffb43bbb30e1d5c01c4c389983726a49a5489ddebcfef91353d03f7a767d01f The package @gaia-codesearch/gaia-api-python was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-3387 Malicious code in @gaia-codesearch/gaia-api-python (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bffb43bbb30e1d5c01c4c389983726a49a5489ddebcfef91353d03f7a767d01f The package @gaia-codesearch/gaia-api-python was found to contain malicious code. Source: ossf-package-analysis...
Improper Authorization
github.com/mattermost/mattermost-server is vulnerable to improper authorization. The vulnerability is due to insufficient validation of team membership permissions in the Add Channel Member API, which allows an attacker to exploit the API endpoint to access user metadata and channel membership...
CVE-2025-67888
An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...
BIT-JRE-2025-61748
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Libraries. Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15...
BIT-JRE-2024-21211
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Compiler. Supported versions that are affected are Oracle Java SE: 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and...
BIT-JRE-2024-21145
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: 2D. Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1;...
BIT-JRE-2024-21068
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle...