Lucene search
K

2417 matches found

Snyk
Snyk
added 2026/05/22 5:48 p.m.12 views

Always-Incorrect Control Flow Implementation

Overview Flask-Security is a Simple security for Flask apps. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation in the OAuth reauthentication for stale sessions. An attacker can perform unauthorized account actions by completing OAuth verification wit...

7.6CVSS5.8AI score0.00035EPSS
Exploits0References2
OSV
OSV
added 2026/05/22 5:48 p.m.5 views

GHSA-97R5-PG8X-P63P Flask-Security-Too OAuth reauthentication freshness bypass via cross- user OAuth identity acceptance

Summary Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a session as fresh after verifying an OAuth account that belongs to a different user. If an attacker can operate an already-authenticated but stale victim session, they can complete OAuth verification using their own OAuth...

5.8AI score0.00035EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.12 views

PT-2026-42857

Summary Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a session as fresh after verifying an OAuth account that belongs to a different user. If an attacker can operate an already-authenticated but stale victim session, they can complete OAuth verification using their own OAuth...

5.8AI score0.00035EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/22 12:0 a.m.8 views

Flask-Security-Too OAuth reauthentication freshness bypass via cross- user OAuth identity acceptance

Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a session as fresh after verifying an OAuth account that belongs to a different user. If an attacker can operate an already-authenticated but stale victim session, they can complete OAuth verification using their own OAuth identity...

5.8AI score0.00035EPSS
Exploits0References3Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/05/22 12:0 a.m.13 views

Unity Linux 20.1060e / 20.1070e Security Update: python-flask-restx (UTSA-2026-016606)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016606 advisory. Flask-RESTX pypi package flask-restx is a community driven fork of Flask-RESTPlus. Flask-RESTX before version 0.5.1 is vulnerable to ReDoS Regular Expression Denial ...

7.5CVSS7.1AI score0.01804EPSS
Exploits0References4
Broadcom
Broadcom
added 2026/05/19 12:0 a.m.12 views

Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection (CVE-2026-27641)

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection SSTI. Flask-Reuploaded has been patche...

9.8CVSS6.5AI score0.01046EPSS
Exploits1
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.11 views

MLflow 安全漏洞

MLflow is an open-source platform that simplifies machine learning development. It includes features like tracking experiments, packaging code for reproducible runs, and sharing and deploying models. Versions of mlflow prior to 3.9.0 contain security vulnerabilities. These vulnerabilities stem fr...

8.6CVSS7.5AI score0.01502EPSS
Exploits1References1
OSV
OSV
added 2026/05/14 8:17 p.m.7 views

GHSA-W727-595X-PC3R pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad

Summary The fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to the session directory and download session files of other users via /files/get/, leadi...

6.5CVSS5.8AI score0.00234EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/14 8:17 p.m.17 views

pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad

Summary The fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to the session directory and download session files of other users via /files/get/, leadi...

8.8CVSS5.8AI score0.00529EPSS
Exploits1References4Affected Software1
The Hacker News
The Hacker News
added 2026/05/14 11:40 a.m.15 views

PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure

Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI , an open-source multi-agent orchestration framework, within four hours of its public disclosure. The vulnerability in question is CVE-2026-44338 CVSS score: 7.3, a case of missing...

7.3CVSS5.8AI score0.26799EPSS
Exploits3
Vulnrichment
Vulnrichment
added 2026/05/13 6:57 p.m.7 views

CVE-2026-41255 CKAN: CSRF exemption primed by anonymous requests

CKAN is an open-source DMS data management system for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect,...

6.1CVSS5.8AI score0.00124EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/12 12:0 a.m.25 views

VulnCheck KEV: CVE-2026-44338

PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...

7.3CVSS5.7AI score0.26799EPSS
In wildExploits3References3
GithubExploit
GithubExploit
added 2026/05/09 10:38 a.m.90 views

CoreExploit-Final

CoreExploit 🔐 Ethical Penetration Testing Learning Platfor...

5.8AI score
Exploits0
NVD
NVD
added 2026/05/08 2:16 p.m.19 views

CVE-2026-44338

PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...

7.3CVSS0.26799EPSS
Exploits3References1
EUVD
EUVD
added 2026/05/08 1:35 p.m.11 views

EUVD-2026-28641

PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow throug...

7.3CVSS5.8AI score0.26799EPSS
Exploits3References1
GithubExploit
GithubExploit
added 2026/05/08 6:5 a.m.80 views

vulnerability-lab

🔐 Vulnerability Lab Buffer Overflow + SQLi ⚠️ FOR EDUCATI...

5.9AI score
Exploits0
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.9 views

PraisonAI 访问控制错误漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI from 2.5.6 to 4.6.34 contained an access control vulnerability. This vulnerability stemmed from the Flask API server, which disabled authentication by default, allowing callers without a...

7.3CVSS6AI score0.26799EPSS
Exploits3References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/07 2:0 p.m.7 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205

Summary IBM Maximo Scheduler Optimizer uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-27205 DESCRIPTION: Flask is a web server gateway interface WSGI web...

4.3CVSS5.8AI score0.00374EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/05 12:13 p.m.5 views

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205

Summary IBM Maximo Application Suite - Visual Inspection component uses flask-3.1.2-py3-none-any.whl which is vulnerable to CVE-2026-27205, This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2026-27205 DESCRIPTION: Flask is a web...

4.3CVSS5.7AI score0.00374EPSS
Exploits0Affected Software1
GithubExploit
GithubExploit
added 2026/05/04 5:25 p.m.97 views

Blind_SQLI_FlaskProject

No d...

5.8AI score
Exploits0
Rows per page
Query Builder