
Cvelist
added 2026/04/06 9:46 p.m., 15 views

CVE-2026-35449 WWBN AVideo has Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

CVSS 5.3, EPSS 0.00018
Exploits: 1, References: 1
ATTACKERKB
added 2026/04/06 6:59 p.m., 2 views

CVE-2026-35021

This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the affected code path cannot be triggered through normal usage of Claude Code...

AI score 5.8, EPSS 0.00041
Exploits: 0, References: 3
vulnersOsv
added 2026/04/06 6:03 p.m., 3 views

@slidev-react/cli (>=0.4.6 <=0.4.14), @slidev-react/node (>=0.4.6 <=0.4.14) potentially affected by CVE-2026-39365 via vite-plus (=0.1.11)

vite-plus NPM version =0.1.11 is affected by a known vulnerability. The following packages have a transitive dependency on vite-plus and may be impacted: - @slidev-react/cli =0.4.6, =0.4.6, =0.4.14 Source cves: CVE-2026-39365 Source advisory: SNYK:JS-VITEPLUS-15922214...

CVSS 6.3, AI score 5.8, EPSS 0.01457
Exploits: 1
vulnersOsv
added 2026/04/06 6:03 p.m., 4 views

@slidev-react/cli (>=0.4.6 <=0.4.14), @slidev-react/node (>=0.4.6 <=0.4.14) potentially affected by CVE-2026-39363 via vite-plus (=0.1.11)

vite-plus NPM version =0.1.11 is affected by a known vulnerability. The following packages have a transitive dependency on vite-plus and may be impacted: - @slidev-react/cli =0.4.6, =0.4.6, =0.4.14 Source cves: CVE-2026-39363 Source advisory: SNYK:JS-VITEPLUS-15922243...

CVSS 8.2, AI score 5.8, EPSS 0.06638
Exploits: 3
Cvelist
added 2026/04/06 4:08 p.m., 14 views

CVE-2026-34841 Axios npm Supply Chain Incident Impacting @usebruno/cli

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran...

CVSS 9.8, EPSS 0.00029
Exploits: 0, References: 4
Vulnrichment
added 2026/04/06 4:08 p.m., 2 views

CVE-2026-34841 Axios npm Supply Chain Incident Impacting @usebruno/cli

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran...

CVSS 9.8, AI score 5.8, EPSS 0.00029
Exploits: 0, References: 4
EUVD
added 2026/04/06 4:08 p.m., 1 view

EUVD-2026-19354

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran...

CVSS 9.8, AI score 5.8, EPSS 0.00029
Exploits: 0, References: 5
CNNVD
added 2026/04/06 12:00 a.m., 2 views

Claude Code CLI and Claude Agent SDK operating system command injection vulnerability

Claude Code CLI and Claude Agent SDK are both open-source products developed by Anthropic. Claude Code CLI is a command-line AI coding assistant tool. Claude Agent SDK is a developer toolkit for AI coding assistants. Both Claude Code CLI and Claude Agent SDK have operating system command injectio...

AI score 6.1, EPSS 0.00114
Exploits: 0, References: 3
Packet Storm News
added 2026/04/06 12:00 a.m., 0 views

METATRON AI Penetration Testing

Metatron is a CLI-based AI penetration testing assistant that runs entirely on your local machine - no cloud, no API keys, no subscriptions. You give it a target IP or domain. It runs real recon tools (nmap, whois, whatweb, curl, dig, nikto), feeds all results to a locally running AI model, and the...

AI score 5.9
Exploits: 0
CNNVD
added 2026/04/06 12:00 a.m., 3 views

Claude Code CLI and Claude Agent SDK operating system command injection vulnerability

Claude Code CLI and Claude Agent SDK are both open-source products developed by Anthropic. Claude Code CLI is a command-line AI coding assistant tool. Claude Agent SDK is a developer toolkit for AI coding assistants. Both Claude Code CLI and Claude Agent SDK have operating system command injectio...

AI score 6.2, EPSS 0.00596
Exploits: 0, References: 3
vulnersOsv
added 2026/04/05 10:10 p.m., 4 views

composio-griptape (>=0.3.13 <=0.7.20), griptape-cli (=0.1.0) +4 more potentially affected by CVE-2026-5596 via griptape (>=1.10.1 <=1.8.13)

griptape PYPI version =1.10.1, =0.3.13, =0.26.4, =0.8.0, =2.0.3, =2.2.9 Source cves: CVE-2026-5596 Source advisory: SNYK:PYTHON-GRIPTAPE-15915642...

CVSS 6.5, AI score 6.5, EPSS 0.00034
Exploits: 0
vulnersOsv
added 2026/04/05 8:07 p.m., 2 views

composio-griptape (>=0.5.44 <=0.5.52rc2), griptape-cli (=0.1.0) potentially affected by CVE-2026-5595 via griptape (>=1.5.0 <=1.8.13)

griptape PYPI version =1.5.0, =0.5.44, =0.5.52rc2 - griptape-cli =0.1.0 Source cves: CVE-2026-5595 Source advisory: SNYK:PYTHON-GRIPTAPE-15915635...

CVSS 6.5, AI score 6.5, EPSS 0.00092
Exploits: 0
Github Security Blog
added 2026/04/04 6:16 a.m., 4 views

AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

Summary: The install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors...

CVSS 5.3, AI score 5.9, EPSS 0.00018
Exploits: 1, References: 3, Affected Software: 1
Positive Technologies
added 2026/04/04 12:00 a.m., 2 views

PT-2026-30334

Name of the Vulnerable Software and Affected Versions: AVideo versions 26.0 and prior. Description: The install/test.php diagnostic script has its CLI-only access guard disabled, allowing access via HTTP after installation. This exposes video viewer statistics, including IP addresses, session IDs, a...

CVSS 5.3, AI score 5.9, EPSS 0.00018
Exploits: 1, References: 5
NVD
added 2026/04/03 11:17 p.m., 4 views

CVE-2026-34935

PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split and forwarded through the call chain to anyio.open_process with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command...

CVSS 9.8, EPSS 0.00054
Exploits: 1, References: 2
vulnersOsv
added 2026/04/03 9:34 p.m., 3 views

@budibase/cli (>=3.0.0 <=3.2.26), @budibase/pro (>=3.0.0 <=3.2.26) +2 more potentially affected by CVE-2026-31818 via @budibase/backend-core (>=3.0.0 <=3.2.7)

@budibase/backend-core NPM version =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.2.26 Source cves: CVE-2026-31818 Source advisory: SNYK:JS-BUDIBASEBACKENDCORE-15917492...

CVSS 9.9, AI score 5.8, EPSS 0.00014
Exploits: 1
vulnersOsv
added 2026/04/03 9:34 p.m., 3 views

@budibase/cli (>=0.0.1 <=3.2.26), @budibase/pro (>=0.0.1 <=3.2.26) +4 more potentially affected by CVE-2026-31818 via @budibase/backend-core (>=0.0.1 <=3.2.7)

@budibase/backend-core NPM version =0.0.1, =0.0.1, =0.0.1, =0.0.999-alpha.30, =0.0.1, =3.2.26 - @devlego/server =1.1.29-alpha.1 - @devlego/worker =1.1.29-alpha.1 Source cves: CVE-2026-31818 Source advisory: OSV:GHSA-7R9J-R86Q-7G45...

CVSS 9.9, AI score 5.8, EPSS 0.00014
Exploits: 1
Chainguard
added 2026/04/03 7:17 p.m., 5 views

CVE-2026-34986 vulnerabilities

Vulnerabilities for packages: witness, gitlab-kas-fips, kargo, trivy-fips, grafana-alloy, crossplane-provider-gcp, grype-fips, sigstore-scaffolding-fips, terraform-provider-acme, step-kms-plugin, consul-fips, vault-csi-provider, bento, crossplane-provider-terraform-fips, harbor-registry, dapr-fip...

CVSS 7.5, AI score 6.8, EPSS 0.00035
Exploits: 0
Cvelist
added 2026/04/03 3:16 p.m., 15 views

CVE-2025-64340 FastMCP has a Command Injection vulnerability - Gemini CLI

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run wit...

CVSS 6.7, EPSS 0.00009
Exploits: 1, References: 2
Github Security Blog
added 2026/04/02 6:36 p.m., 2 views

Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

Impact: A supply chain attack on the axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency [email protected] that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm...

AI score 6.1
Exploits: 0, References: 9, Affected Software: 1