3 matches found
PT-2026-43401
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPathfullPath call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation...
GHSA-9QHQ-V63V-FV3J PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection
Summary The fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parsemcpcommand, allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. Affected Package - Ecosystem: PyP...
PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection
Summary The fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parsemcpcommand, allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. Affected Package - Ecosystem: PyP...