Lucene search
K

660 matches found

Vulnrichment
Vulnrichment
added 2026/05/28 5:26 p.m.10 views

CVE-2026-45374 CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the taskcreate tool spawns durable sub-agents that inherit two insecure defaults, allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue and autoapprove defaults to true taskmanager.rs:297: autoapprove:...

9.6CVSS5.8AI score0.0026EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.11 views

Portainer 安全漏洞

Portainer is a lightweight user management interface developed by Portainer, open source, for managing Docker environments and Docker hosts. There is a security vulnerability in Portainer. This vulnerability stems from insecure default settings that grant regular users access to the host’s file...

9.4CVSS5.9AI score0.00452EPSS
Exploits0References4
Packet Storm News
Packet Storm News
added 2026/05/28 12:0 a.m.15 views

Minimal Prompt Perturbations Lead to Code Vulnerabilities: Prompt Fragility and Hidden-State Signals in Coding LLMs

LLM-based coding assistants are seeing rapid adoption, offering substantial gains in developer productivity. As organizations increasingly ship code these agents produce, the security of that code becomes critical. Prior work has shown that minor prompt perturbations degrade the functional...

5.8AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/05/27 12:0 a.m.8 views

Oracle Linux 8 : firefox (ELSA-2026-20566)

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2026-20566 advisory. 140.10.2-1.0.1 - Fix firefox-oracle-default-prefs.js for new nss Orabug: 37079789 - diable wasisdk to prevent build failure with newer llvm 140.10.2 -...

9.8CVSS5.9AI score0.00446EPSS
Exploits0References4
Oracle linux
Oracle linux
added 2026/05/26 12:0 a.m.22 views

firefox security update

140.10.2-1.0.1 - Fix firefox-oracle-default-prefs.js for new nss Orabug: 37079789 - diable wasisdk to prevent build failure with newer llvm 140.10.2 - Add debranding patches Mustafa Gezen - Add OpenELA default preferences Louis Abel 140.10.2-1 - Update to 140.10.2 ESR...

9.8CVSS5.8AI score0.00446EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/05/25 12:0 a.m.13 views

Oracle Linux 8 : firefox (ELSA-2026-19588)

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2026-19588 advisory. 140.10.1-1.0.1 - Fix firefox-oracle-default-prefs.js for new nss Orabug: 37079789 - diable wasisdk to prevent build failure with newer llvm 140.10.1 -...

9.6CVSS5.8AI score0.00375EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/22 2:57 a.m.11 views

EUVD-2026-31401

Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element...

8.2CVSS5.8AI score0.00276EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/22 12:0 a.m.10 views

9front 安全漏洞

9front is an open-source class Unix distributed operating system based on Plan 9. 9front has a security vulnerability, which stems from respecting the default values provided by the website for HTML file upload forms. This vulnerability could allow attackers to create websites with malicious...

8.2CVSS5.8AI score0.00276EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/21 8:17 a.m.12 views

Malicious code in oh-langfuse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83b229927c5bc228764ab11651b10bd06c6ff61edffa820a632c343aeec13037 The package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding...

5.5AI score
Exploits0References18
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.3 views

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: sysctl: Always initialize iuid/igid. iuid/igid is always initialized within the sysfs core, so setownership can safely skip setting them. The commit 5ec27ec735ba from “fs/proc/procsysctl.c: fix the default values of iuid/igid on...

5.5CVSS6.1AI score0.00216EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Fix for suspend/resume behavior. Disabling the cache in commit 2ff4ba9e3702 “clk: rs9: Fix for I2C accessors” without removing cache synchronization in the resume path results in a kernel panic, as map-cacheops is unset...

5.5CVSS5.2AI score0.00134EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.17 views

PT-2026-42065

Name of the Vulnerable Software and Affected Versions Bottom Bar versions prior to 0.1.8 Description The Bottom Bar plugin for WordPress is susceptible to Cross-Site Request Forgery CSRF, a flaw where an attacker tricks a victim into performing actions they did not intend to do. The issue exists ...

4.3CVSS5.9AI score0.00187EPSS
Exploits0References8
ICS
ICS
added 2026/05/19 1:33 p.m.16 views

Tyler Technologies Tyler Identity Default Administrative Credentials

RISK EVALUATION Tyler Identity provider TID-L uses a documented, default administrative IDP credential. Users are not required to change the credentials before deployment. 2. RECOMMENDED PRACTICES Change default passwords. TID-L has not been distributed since December 2020, and has not been...

9.8CVSS5.8AI score0.00477EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/14 8:29 p.m.11 views

DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

Summary The taskcreate tool spawns durable sub-agents that inherit two insecure defaults: - allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue - autoapprove defaults to true taskmanager.rs:297: autoapprove: Sometrue When a user approves a taskcreate call which requires...

9.6CVSS5.8AI score0.0026EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/14 8:29 p.m.5 views

GHSA-72W5-PF8H-XFP4 DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

Summary The taskcreate tool spawns durable sub-agents that inherit two insecure defaults: - allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue - autoapprove defaults to true taskmanager.rs:297: autoapprove: Sometrue When a user approves a taskcreate call which requires...

9.6CVSS5.8AI score0.0026EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.21 views

PT-2026-41186

Name of the Vulnerable Software and Affected Versions CodeWhale versions prior to 0.8.26 Description The task create tool spawns durable sub-agents that inherit insecure default settings. Specifically, the allow shell variable defaults to true and the auto approve variable defaults to true. When ...

9.6CVSS5.9AI score0.0026EPSS
Exploits0References10
NVD
NVD
added 2026/05/12 3:16 p.m.14 views

CVE-2026-6866

CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials...

8.2CVSS0.00291EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/05/12 3:6 p.m.8 views

NPM: protobuf.js: Code injection through bytes field defaults in generated toObject code

NPM: protobuf.js: Code injection through bytes field defaults in generated toObject code vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...

8.8CVSS5.9AI score0.00381EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/12 3:6 p.m.5 views

GHSA-66FF-XGX4-VCHM protobuf.js: Code injection through bytes field defaults in generated toObject code

Summary protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generat...

7.7CVSS6.1AI score0.00381EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/12 2:21 a.m.9 views

CVE-2026-40132

Due to missing authorization check in SAP Strategic Enterprise Management Scorecard Wizard in Business Server Pages, an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and...

5.4CVSS5.8AI score0.0019EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder