CVE-2026-49138 Nanobot < 0.2.1 SSRF via web_fetch Tool Redirect Following

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...

CVE-2026-49138 Nanobot < 0.2.1 SSRF via web_fetch Tool Redirect Following

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...

EUVD-2026-33757

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...

Malicious code in pycalendar-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f pyproject.toml line 8 declares httpxyz as a runtime dependency dependencies = 'httpxyz',..., and pycalendarapi/utils/httpclient.py imports httpxyz an...

MAL-2026-4764 Malicious code in pycalendar-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bda873c38a1eee9ecea320371b0473466144f2bd41bc778dff8510cb5dcf4b5f pyproject.toml line 8 declares httpxyz as a runtime dependency dependencies = 'httpxyz',..., and pycalendarapi/utils/httpclient.py imports httpxyz an...

Malicious code in httpx-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5d3d6ca7ec9867abcf3fb8a0170ca44801107a64fb1ff7f9aa437dd7b1f59845 During installation, package downloads downloads and executes next-stage script that then downloads a Sliver beacon and establishes persistence via a systemd...

MAL-2026-3216 Malicious code in httpx-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5d3d6ca7ec9867abcf3fb8a0170ca44801107a64fb1ff7f9aa437dd7b1f59845 During installation, package downloads downloads and executes next-stage script that then downloads a Sliver beacon and establishes persistence via a systemd...

CVE-2026-40160

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, webcrawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get with followredirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints...

GHSA-QQ9R-63F6-V542 PraisonAIAgents: SSRF via unvalidated URL in `web_crawl` httpx fallback

| Field | Value | |---|---| | Severity | High | | Type | SSRF -- unvalidated URL in webcrawl httpx fallback allows internal network access | | Affected | src/praisonai-agents/praisonaiagents/tools/webcrawltools.py:133-180 | Summary webcrawl's httpx fallback path passes user-supplied URLs directly...

CVE-2026-40160

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, webcrawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get with followredirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints...

CVE-2026-40160 PraisonAIAgents has SSRF via unvalidated URL in `web_crawl` httpx fallback

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, webcrawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get with followredirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints...

CVE-2026-40160

Prais onAIAgents’ web_crawl has an SSRF in the httpx fallback prior to version 1.5.128. The fallback passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation, enabling an LLM agent to crawl internal endpoints (including 169.254.169.254), inte...

CVE-2026-40160 PraisonAIAgents has SSRF via unvalidated URL in `web_crawl` httpx fallback

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, webcrawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get with followredirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints...

CVE-2026-40160

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, webcrawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get with followredirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints...

CVE-2026-34954

PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.downloadfile in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream with followredirects=True. An attacker who controls the URL can reach any...

CVE-2026-34936

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL schem...

Malicious code in request-httpx-9 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d8547656202b4eac0d914d466c2fe1d3bf17210c63af75ac2d8e020f5d0ef28c The package contains a Telegram bot running allowing for remote access. This functionality is disclosed in the readme, but the package name clearly indicates...

Exploit for CVE-2024-25600

🧱 BrickBreaker !Pythonhttps://img.shields.io/badge/Pytho...

EUVD-2022-0122

Malicious code in bioql PyPI...

Malicious Package

Overview fast-httpx is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...