PraisonAI - Authentication Bypass

PraisonAI 2.5.6 to 4.6.34 contains a broken authentication caused by disabled default authentication in legacy Flask API server, letting remote attackers access /agents and trigger workflows without token, exploit requires network access to API server. id: CVE-2026-44338 info: name: PraisonAI -...

PraisonAI AgentOS - Information Disclosure

PraisonAI's AgentOS FastAPI application server exposes an unauthenticated GET /api/agents endpoint that lists every registered agent's name, role and the opening of its instructions system prompt. No authentication is enforced on the route, allowing a remote attacker to enumerate agent...

Python Flask-Security-Too <=5.3.2 - Open Redirect

An open redirect vulnerability exists in the python package Flask-Security-Too prior to version 5.3.3. Attackers can abuse the 'next' parameter on the /login and /register routes to redirect unsuspecting users to malicious sites via crafted URLs, which could lead to phishing or other attacks NVD...

Python Flask-Security - Open Redirect

Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. A...

Vanna - SQL injection

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents . This can lead to...

pyLoad Flask Config - Access Control

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRETKEY variable. This issue has been patched in version 0.5.0b3.dev77. id: CVE-2024-21644 info: name: pyLoad Flask Config ...

CVE-2026-45561

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/version,uptime,status,checks/ family of routes takes the URL path component verbatim into requests.getf'http://serverip:agentport/...'. The path component is...

secure-banking-app

secure-banking-app...

CVE-2026-45306

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to...

CVE-2026-44338

PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...

CVE-2026-35464

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the...

ROOT-APP-PYPI-CVE-2024-25128 CVE-2024-25128 in rootio-Flask-AppBuilder - Patched by Root

Root has patched CVE-2024-25128 in the rootio-Flask-AppBuilder package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2025-58065 CVE-2025-58065 in rootio-Flask-AppBuilder - Patched by Root

Root has patched CVE-2025-58065 in the rootio-Flask-AppBuilder package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2023-34110 CVE-2023-34110 in rootio-Flask-AppBuilder - Patched by Root

Root has patched CVE-2023-34110 in the rootio-Flask-AppBuilder package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2023-30861 CVE-2023-30861 in rootio-Flask - Patched by Root

Root has patched CVE-2023-30861 in the rootio-Flask package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2025-32962 CVE-2025-32962 in rootio-Flask-AppBuilder - Patched by Root

Root has patched CVE-2025-32962 in the rootio-Flask-AppBuilder package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2026-27205 CVE-2026-27205 in rootio-Flask - Patched by Root

Root has patched CVE-2026-27205 in the rootio-Flask package for Root:PyPI. Multiple fixed versions available...

Security update for python-Flask (moderate)

openSUSE security update: security update for python-flask ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20885-1 Rating: moderate References: bsc1258700 Cross-References: CVE-2026-27205 CVSS scores: CVE-2026-27205 SUSE : 6.5...

SUSE-SU-2026:22023-1 Security update for python-Flask

This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header bsc1258700...

OPENSUSE-SU-2026:20885-1 Security update for python-Flask

This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header bsc1258700...