Lucene search
K

65 matches found

Cvelist
Cvelist
added 3 days ago29 views

CVE-2026-14534 Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS0.00328EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago37 views

CVE-2025-71369 picklescan - Unsafe Deserialization via torch.utils.data.datapipes.utils.decoder.basichandlers

picklescan before 0.0.28 fails to detect malicious pickle files that use torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods, allowing attackers to bypass safety checks. Remote attackers can embed undetected malicious code in pickle files that executes during deserialization,...

8.1CVSS0.00445EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 3 days ago6 views

CVE-2025-71369

picklescan before 0.0.28 fails to detect malicious pickle files that use torch.utils.data.datapipes.utils.decoder.basichandlers in reduce methods, allowing attackers to bypass safety checks. Remote attackers can embed undetected malicious code in pickle files that executes during deserialization,...

8.1CVSS6.3AI score0.00445EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-55676

Name of the Vulnerable Software and Affected Versions picklescan versions prior to 0.0.28 Description The software fails to detect malicious function calls to torch.utils.bottleneck. main .run cprofile within pickle files. This flaw allows remote attackers to bypass safety checks by embedding...

8.1CVSS6.6AI score0.00445EPSS
Exploits0References5
Veracode
Veracode
added 2026/05/15 4:36 a.m.20 views

OS Command Injection

OliveTin is vulnerable to Command Injection. The vulnerability is due to insufficient input validation in Shell mode, where password-typed arguments and webhook-extracted JSON values bypass checkShellArgumentSafety before being passed to sh -c, allowing authenticated or unauthenticated attackers ...

9.9CVSS6.1AI score0.00448EPSS
Exploits2References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/01 7:48 p.m.5 views

CVE-2026-31700

A flaw was found in the Linux kernel. A Time-of-check to Time-of-use TOCTOU race condition exists in the tpacketsnd function when PACKETVNETHDR is enabled. A local user can exploit this by modifying the vnethdr fields in the mmap'd TX ring buffer between validation and use, thereby bypassing safe...

7.8CVSS5.9AI score0.00103EPSS
Exploits0References4
Packet Storm News
Packet Storm News
added 2026/04/30 12:0 a.m.7 views

Attention Is Where You Attack

Safety-aligned large language models rely on RLHF and instruction tuning to refuse harmful requests, yet the internal mechanisms implementing safety behavior remain poorly understood. We introduce the Attention Redistribution Attack ARA, a white-box adversarial attack that identifies...

5.8AI score
Exploits0
CVE
CVE
added 2026/04/21 10:44 p.m.28 views

CVE-2026-41060

Summary: CVE-2026-41060 affects WWBN AVideo (versions 29.0 and below). The function isSSRFSafeURL() in objects/functions.php contains a same-domain shortcircuit (lines 4290-4296) that compares only hostname to webSiteRootURL and ignores the port, allowing an attacker to reach arbitrary ports on t...

7.7CVSS5.9AI score0.003EPSS
Exploits1References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/13 7:23 p.m.4 views

CVE-2026-40149

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no authtoken is configured the default. By adding dangerous tool names e.g., shellexec, filewrite to the allowlist, a...

7.9CVSS5.8AI score0.00227EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/10 7:24 p.m.4 views

EUVD-2026-21168

PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls...

7.9CVSS5.8AI score0.00227EPSS
Exploits1References3
OSV
OSV
added 2026/04/10 7:24 p.m.2 views

GHSA-4WR3-F4P3-5WJH PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls

Summary The gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no authtoken is configured the default. By adding dangerous tool names e.g., shellexec, filewrite to the allowlist, an attacker can cause the ExecApprovalManager to...

7.9CVSS6AI score0.00227EPSS
Exploits1References4
NVD
NVD
added 2026/04/09 10:16 p.m.10 views

CVE-2026-40149

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no authtoken is configured the default. By adding dangerous tool names e.g., shellexec, filewrite to the allowlist, a...

7.9CVSS0.00227EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/09 9:23 p.m.20 views

CVE-2026-40149 PraisonAI has an Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no authtoken is configured the default. By adding dangerous tool names e.g., shellexec, filewrite to the allowlist, a...

7.9CVSS0.00227EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:23 p.m.4 views

CVE-2026-40149

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no authtoken is configured the default. By adding dangerous tool names e.g., shellexec, filewrite to the allowlist, a...

7.9CVSS5.9AI score0.00227EPSS
Exploits1References2Affected Software1
HackRead
HackRead
added 2026/04/09 1:50 p.m.6 views

Claude Code Can Be Manipulated via CLAUDE.md to Run SQL Injection Attacks

LayerX researchers have discovered how to bypass Claude Code’s safety rules using the CLAUDE.md file. This exploit allows…...

5.9AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.2 views

PT-2026-31788

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth token is configured the default. By adding dangerous tool names e.g., shell exec, file write to the allowlist...

7.9CVSS5.9AI score0.00227EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/27 5:9 p.m.3 views

CVE-2026-33015

EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS performs a RemoteStop StopTransaction, the EVSE can return to PrepareCharging via the EV's BCB toggle, allowing session restart. This breaks the irreversibility of remote stop and can bypass...

5.2CVSS5.9AI score0.00214EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/21 12:42 a.m.31 views

CVE-2026-32044 OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing...

6.7CVSS0.00132EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.7 views

PT-2026-26727

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing...

6.7CVSS5.8AI score0.00132EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/10 9:32 p.m.3 views

EUVD-2026-10754

PX4 Autopilot versions 1.12.x through 1.15.x contain a protection mechanism failure in the "Re-arm Grace Period" logic. The system incorrectly applies the in-air emergency re-arm logic to ground scenarios. If a pilot switches to Manual mode and re-arms within 5 seconds default configuration of an...

5.8AI score0.00265EPSS
Exploits1References2
Rows per page
Query Builder