CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

2406 matches found

PraisonAI AgentOS - Information Disclosure

PraisonAI's AgentOS FastAPI application server exposes an unauthenticated GET /api/agents endpoint that lists every registered agent's name, role and the opening of its instructions system prompt. No authentication is enforced on the route, allowing a remote attacker to enumerate agent...

7.3CVSS6.2AI score0.19037EPSS

Exploits4

Nuclei•added yesterday•63 views

Vanna - SQL injection

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents . This can lead to...

9.8CVSS7.6AI score0.03452EPSS

Exploits0References4

Nuclei•added yesterday•38 views

Python Flask-Security - Open Redirect

Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. A...

6.1CVSS6.7AI score0.03289EPSS

Exploits0References5

Nuclei•added yesterday•5 views

Python Flask-Security-Too <=5.3.2 - Open Redirect

An open redirect vulnerability exists in the python package Flask-Security-Too prior to version 5.3.3. Attackers can abuse the 'next' parameter on the /login and /register routes to redirect unsuspecting users to malicious sites via crafted URLs, which could lead to phishing or other attacks NVD...

6.1CVSS6.3AI score0.01079EPSS

Exploits1References4

Nuclei•added 2 days ago•42 views

pyLoad Flask Config - Access Control

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRETKEY variable. This issue has been patched in version 0.5.0b3.dev77. id: CVE-2024-21644 info: name: pyLoad Flask Config ...

7.5CVSS7AI score0.42173EPSS

Exploits1References5

Nuclei•added 2 days ago•8 views

PraisonAI - Authentication Bypass

PraisonAI 2.5.6 to 4.6.34 contains a broken authentication caused by disabled default authentication in legacy Flask API server, letting remote attackers access /agents and trigger workflows without token, exploit requires network access to API server. id: CVE-2026-44338 info: name: PraisonAI -...

7.3CVSS6.2AI score0.19037EPSS

Exploits3References2

NVD•added 3 days ago•6 views

CVE-2026-42489

This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE. To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these...

5.3CVSS

Exploits0References1

NVD•added 3 days ago•6 views

CVE-2026-42490

6.5CVSS

Exploits0References1

EUVD•added 3 days ago•6 views

EUVD-2026-37890

6.5CVSS5.3AI score

Exploits0References1

EUVD•added 3 days ago•5 views

EUVD-2026-37889

6.5CVSS5.3AI score

Exploits0References1

Cvelist•added 3 days ago•16 views

CVE-2026-42490 domctl lock open to abuse

Exploits0References1

Cvelist•added 3 days ago•14 views

CVE-2026-42489 domctl lock open to abuse

Exploits0References1

ATTACKERKB•added 3 days ago•3 views

CVE-2026-42489

6.5CVSS5.2AI score

Exploits0References2

ATTACKERKB•added 3 days ago•4 views

CVE-2026-42490

6.5CVSS5.2AI score

Exploits0References2

CVE•added 3 days ago•14 views

CVE-2026-42490

CVE-2026-42490 : The supplied documents describe a vulnerability in Xen domctl lock handling. When XSM/Flask is in use, certain domctl operations acquire the system-wide lock before performing permission checks, meaning lock acquisition may occur ahead of authorization. The root cause is a non-fa...

6.5CVSS5.2AI score

Exploits0References1

CVE•added 3 days ago•16 views

CVE-2026-42489

CVE-2026-42489 / 42490 (Xen) : The Xen domctl mechanism used to create/manage guests relies on a system-wide lock whose acquisition lacks fairness. In environments using XSM/Flask, some operations may acquire this lock before permission checks, creating a potential abuse window. Documents do not ...

5.3CVSS5.2AI score

Exploits0References1

Debian CVE•added 3 days ago•8 views

CVE-2026-42489

5.3CVSS5.3AI score

Exploits0

NVD•added 2026/06/10 3:16 p.m.•11 views

CVE-2026-45561

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/version,uptime,status,checks/ family of routes takes the URL path component verbatim into requests.getf'http://serverip:agentport/...'. The path component is...

6.5CVSS0.00218EPSS

Exploits0References1

GithubExploit•added 2026/06/09 3:41 a.m.•40 views

secure-banking-app

secure-banking-app...

5.6AI score

Exploits0

RedhatCVE•added 2026/06/05 7:32 p.m.•6 views

CVE-2026-45306

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to...

6.5CVSS5.5AI score0.00234EPSS

Exploits1References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by