60 matches found
CVE-2026-60088
PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outsidesecret.txt or absolute paths in project command files to exfiltrate process-readable...
EUVD-2026-43174
PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outsidesecret.txt or absolute paths in project command files to exfiltrate process-readable...
CVE-2026-60088
CVE-2026-60088 affects PraisonAI prior to 4.6.78. The issue is a path traversal flaw in custom command templates, where file paths are not validated, allowing an attacker to read files outside the workspace (e.g., @../outside_secret.txt or absolute paths) and exfiltrate process-readable files int...
CVE-2026-60088 PraisonAI before 4.6.78 Path Traversal via Custom Commands
PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outsidesecret.txt or absolute paths in project command files to exfiltrate process-readable...
CVE-2026-61432
PraisonAI praisonaiagents before 1.6.78 contains a path traversal vulnerability in the FastContext feature praisonaiagents.context.fast. FastContextAgent.executetool prepends the configured workspacepath only for relative paths and neither rejects absolute paths nor canonicalizes joined paths...
CVE-2026-61432
PraisionAI (praisonaiagents) before 1.6.78 has a path traversal flaw in the FastContext feature. FastContextAgent.execute_tool() only prefixes workspace_path for relative paths and does not reject absolute paths or canonicalize joined paths, allowing tool arguments or model-generated calls to gre...
CVE-2026-61432 PraisonAI FastContext before 1.6.78 Path Traversal
PraisonAI praisonaiagents before 1.6.78 contains a path traversal vulnerability in the FastContext feature praisonaiagents.context.fast. FastContextAgent.executetool prepends the configured workspacepath only for relative paths and neither rejects absolute paths nor canonicalizes joined paths...
CVE-2026-50548 Cursor Desktop sandbox escape via agent-controlled working directory
Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox grants write access to the command's working directory. A flaw was identified in how the agent could modify the workingdirectory parameter, which could...
CVE-2025-66389
GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder without user approval via a file-handler URI parameter to fetchwebpage. Therefore, exfiltration could occur if there is indirect prompt injection...
CVE-2025-66389
GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder without user approval via a file-handler URI parameter to fetchwebpage. Therefore, exfiltration could occur if there is indirect prompt injection...
PT-2026-51461
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.39.9 Description An issue exists where a workspace-level builder can read any file the server process has access to by uploading a specially crafted PWA zip file. The POST /api/pwa/process-zip endpoint extracts the...
PT-2026-51297
Name of the Vulnerable Software and Affected Versions GitHub Copilot version 1.372.0 Description An issue exists where the software allows filesystem access outside of a workspace folder without user approval. This occurs via a file-handler URI parameter used in the fetch webpage function. This...
CVE-2025-66389
GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder without user approval via a file-handler URI parameter to fetchwebpage. Therefore, exfiltration could occur if there is indirect prompt injection...
EUVD-2026-35706
Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use TOCTOU race condition vulnerability in the gitdiscard function within api/workspacegit.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlin...
CVE-2026-49958 Hermes WebUI < 0.51.303 TOCTOU Race Condition via git_discard
Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use TOCTOU race condition vulnerability in the gitdiscard function within api/workspacegit.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlin...
CVE-2026-11322
Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve...
CVE-2026-39861
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the...
CVE-2026-39305
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the...
PT-2026-44730
Relevant Products/Components: trestle/core/commands/author/jinja.py trestle author jinja --- Detailed Description: The -o/--output argument in trestle author jinja allows writing files outside the intended workspace. The application does not properly validate: ../ .. absolute paths This allows...
CVE-2026-47118
Agent Zero before version 1.15 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by supplying crafted paths to the image file serving endpoint, which relies solely on an extension allowlist while the path containment check is explicitly disabled...