2728 matches found
CVE-2026-48238
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobilemain.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft requests that alter...
CVE-2026-48238 Open ISES Tickets < 3.44.2 SQL Injection via ajax/mobile_main.php id Parameter
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobilemain.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft requests that alter...
CVE-2026-48238
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobilemain.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft requests that alter...
EUVD-2026-31319
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobilemain.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft requests that alter...
Malicious code in @amswf/huoke (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...
MAL-2026-4549 Malicious code in dot-utils-plus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3091b9bb8cbf714d9391a59f7303a3748e183bbdf0fba2264b7496a2072e717f On every import, dist/index.js base64-decodes a hardcoded AES-256-CBC ciphertext, derives a key from environment variable VITEDOTUTILSAESSECRET,...
tickets SQL注入漏洞
Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from the direct concatenation of the id GET parameter in the ajax/mobilemain.php file into th...
Malicious code in @tailwind-core/oxide-linux-x64-gnu (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a107a0746f2f5159d661e4d332eac53f871b9d22f80caf5863bdd713e252ae00 The package name '@tailwind-core/oxide-linux-x64-gnu' impersonates the legitimate Tailwind CSS v4 oxide engine package...
Astra Linux - уязвимость в linux-5.10, linux-5.15, linux-6.1, linux
In the Linux kernel, the following vulnerability has been resolved: nfsd: return -EINVAL when namelen is 0 When we have a corrupted main.sqlite file in /var/lib/nfs/nfsdcld/, it may result in namelen being 0, which will cause memdupuser to return ZEROSIZEPTR. When we access the name.data that has...
Astra Linux - уязвимость в tiff
A vulnerability has been identified in LibTIFF 4.7.0. This affects the function main of the tiffcrop.c file in the tiffcrop component. Performing certain manipulations may lead to memory corruption. This attack can only be executed locally. The exploit has been made available to the public, and i...
Astra Linux - уязвимость в ffmpeg
A null pointer dereferencing issue was discovered in ‘FFmpeg’ within the decodemainheader function of the libavformat/nutdec.c file. The flaw occurs because the function does not check the return value of avformatnewstream, leading to a null pointer dereferencing error, which can cause the...
tornado-python: Tornado: Denial of Service via large multipart bodies
A flaw was found in tornado-python. A remote attacker can exploit this vulnerability by sending a specially crafted, very large multipart body with numerous parts. Because the parsing of these large bodies occurs synchronously on the main thread, it can consume excessive resources, leading to a...
tornado-python: Tornado: Denial of Service via large multipart bodies
A flaw was found in tornado-python. A remote attacker can exploit this vulnerability by sending a specially crafted, very large multipart body with numerous parts. Because the parsing of these large bodies occurs synchronously on the main thread, it can consume excessive resources, leading to a...
CVE-2026-42045
CVE-2026-42045 affects LobeHub/LobeChat prior to version 2.1.48. The issue combines a client‑side XSS in the Render path (Renderer defaulting to HTMLRenderer for unknown tags) with an insecure IPC interface runCommand in the Electron main process. An attacker who can induce the LLM to emit malici...
PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
Summary praisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration, permallow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An...
GHSA-GMJG-HV98-QGGQ PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
Summary praisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration, permallow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An...
CVE-2026-44339 PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration,...
CVE-2026-44339 PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and main after it fails to match the declared tool list and the registry. With the default agent configuration,...
CVE-2026-44339
Summary: A vulnerability in PraisonAI’s tool resolution allows undeclared main callables to be invoked through tool-call name manipulation. Prior to versions 4.6.37 (PraisonAI) and 1.6.37 (PraisonAIagents), unresolved tool names were resolved against module globals and main when the declared tool...
Improperly Implemented Security Check for Standard
Overview Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to missing concurrent procedure validation in the SecurityMode and handleHandoverRequiredMain functions. An attacker can cause mismatches between security contexts, potentially...