Lucene search
K

22 matches found

CVE
CVE
added yesterday25 views

CVE-2026-45805

Penpot MCP ReplServer exposes an unauthenticated /execute endpoint and binds to 0.0.0.0 (all interfaces), enabling remote JavaScript execution on the server. The issue is implemented in mcp/packages/server/src/ReplServer.ts by listening without a host (default 0.0.0.0) and posting code to PluginB...

8.8CVSS6.2AI score0.00045EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/30 10:8 p.m.28 views

CVE-2026-56264 Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /executejs endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary...

9.2CVSS0.00334EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.10 views

CVE-2026-45023

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/blockid/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit check that exists in th...

5.4CVSS5.7AI score0.00222EPSS
Exploits0References1
NVD
NVD
added 2026/05/29 3:16 p.m.17 views

CVE-2026-10042

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/methodname and /simpleexecute/methodname endpoints deserialize attacker-controlled HTTP request...

9.8CVSS0.00622EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/29 2:29 p.m.12 views

EUVD-2026-33328

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/methodname and /simpleexecute/methodname endpoints deserialize attacker-controlled HTTP request...

9.8CVSS6.7AI score0.00622EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/29 2:29 p.m.16 views

CVE-2026-10042

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/methodname and /simpleexecute/methodname endpoints deserialize attacker-controlled HTTP request...

9.8CVSS6.7AI score0.00622EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/29 2:29 p.m.42 views

CVE-2026-10042 manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/methodname and /simpleexecute/methodname endpoints deserialize attacker-controlled HTTP request...

9.8CVSS0.00622EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.21 views

PT-2026-44855

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/method name and /simple execute/method name endpoints deserialize attacker-controlled HTTP request...

9.8CVSS6.7AI score0.00622EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.10 views

AutoGPT 安全漏洞

AutoGPT is an open-source tool developed by AutoGPT. It aims to make AI accessible and usable for everyone. Versions of AutoGPT prior to 0.6.59 contained a security vulnerability. This vulnerability stemmed from the POST /api/blocks/blockid/execute endpoint, which allowed unlimited free execution...

5.4CVSS5.9AI score0.00222EPSS
Exploits0References1
Veracode
Veracode
added 2026/05/23 5:0 a.m.15 views

Remote Code Execution (RCE)

@penpot/mcp is vulnerable to Remote Code Execution RCE. The vulnerability is due to an unauthenticated /execute endpoint exposed on all network interfaces, which allows an attacker to remotely execute arbitrary JavaScript code on the server...

8.8CVSS6.2AI score0.00045EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2026/05/19 7:57 p.m.7 views

Exposed Dangerous Method or Function

Overview @penpot/mcp is a MCP server for Penpot integration Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via MCP module's ReplServer that binds to all interfaces 0.0.0.0:4403 and exposes a /execute endpoint that runs arbitrary code with zero...

8.8CVSS6.2AI score0.00045EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/19 7:57 p.m.15 views

PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE

Summary The MCP module's ReplServer binds to all interfaces 0.0.0.0:4403 and exposes a /execute endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main PenpotMcpServer was partially fixed for a similar binding issue...

8.8CVSS6.1AI score0.00045EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.18 views

PT-2026-42034

Summary The MCP module's ReplServer binds to all interfaces 0.0.0.0:4403 and exposes a /execute endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main PenpotMcpServer was partially fixed for a similar binding issue...

8.8CVSS6.1AI score0.00045EPSS
Exploits0References7
NVD
NVD
added 2026/05/15 9:16 p.m.69 views

CVE-2026-45672

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLECODEEXECUTION=false. The feature gate is...

8.8CVSS0.00406EPSS
Exploits2References1
SUSE CVE
SUSE CVE
added 2026/03/28 12:25 a.m.9 views

SUSE CVE-2026-33344

Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE,...

8.1CVSS5.8AI score0.00469EPSS
Exploits1References3
CVE
CVE
added 2026/02/11 10:18 p.m.22 views

CVE-2026-26215

CVE-2026-26215 affects manga-image-translator, beta-0.3 and earlier, in shared API mode. The vulnerability is an unsafe deserialization via Python's pickle.loads() in FastAPI endpoints /simple_execute/{method} and /execute/{method}, processing attacker-controlled request bodies without validation...

9.3CVSS6.6AI score0.00923EPSS
Exploits1References6
OSV
OSV
added 2026/01/29 8:36 a.m.6 views

BIT-APPSMITH-2026-24042 Appsmith public apps can execute unpublished actions (viewMode confusion)

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished edit-mode actions by sending viewMode=false or omitting it to POST /api/v1/actions/execute. This bypasses the...

9.8CVSS6.2AI score0.00579EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/01/22 3:52 a.m.3 views

CVE-2026-24042

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished edit-mode actions by sending viewMode=false or omitting it to POST /api/v1/actions/execute. This bypasses the...

9.4CVSS5.8AI score0.00579EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2025/12/16 12:0 a.m.6 views

CVE-2025-63414

A Path Traversal vulnerability in the Allsky WebUI version v2024.12.0606 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute...

10CVSS8.8AI score0.01652EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2025/12/16 12:0 a.m.5 views

PT-2025-51740

Name of the Vulnerable Software and Affected Versions Allsky WebUI version v2024.12.06 06 Description A path traversal flaw exists in Allsky WebUI version v2024.12.06 06 that permits an unauthenticated remote attacker to execute commands on the system. This is achieved by submitting a specially...

10CVSS8.4AI score0.01652EPSS
Exploits1References9
Rows per page
Query Builder