CVE-2026-11718
An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the...
Dot-only cookie domains match all hosts
Impact CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...
The Scripts on Your Checkout Page Are Now a PCI DSS Problem
An independent PCI assessor tested Reflectiz against the new PCI DSS rules. When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a support widget, a...
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
PraisonAI AgentTeam.launch exposes unauthenticated remote agent invocation endpoints Summary PraisonAI's documented Python AgentTeam.launch / Agents.launch HTTP server starts externally reachable agent invocation endpoints without any authentication enforcement. The current implementation registe...
GHSA-X8CV-XMQ7-P8XP PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
PraisonAI AgentTeam.launch exposes unauthenticated remote agent invocation endpoints Summary PraisonAI's documented Python AgentTeam.launch / Agents.launch HTTP server starts externally reachable agent invocation endpoints without any authentication enforcement. The current implementation registe...
PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding
Jobs webhook SSRF protection bypass via DNS rebinding Summary PraisonAI's Async Jobs API validates webhookurl when a job request is parsed and again when the internal Job object is constructed. That validation blocks direct loopback/private targets, but it is not bound to the later network reques...
GHSA-RJVW-7VVW-549V PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding
Jobs webhook SSRF protection bypass via DNS rebinding Summary PraisonAI's Async Jobs API validates webhookurl when a job request is parsed and again when the internal Job object is constructed. That validation blocks direct loopback/private targets, but it is not bound to the later network reques...
GHSA-VXGJ-XG5C-P4H7 praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI Weakness: CWE-918 Server-Side Request Forgery SSRF. --- Summary The SSRF gua...
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI Weakness: CWE-918 Server-Side Request Forgery SSRF. --- Summary The SSRF gua...
PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder
Summary The execute_code tool's subprocess sandbox advertises a three-layer defense (AST validation, text-pattern blocklist, restricted builtins). In sandbox mode (the default) only two layers are active — the text-pattern blocklist is skipped — and both remaining layers are bypassed by combining two...
GHSA-PV2J-RGHR-V5R9 PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder
Summary The execute_code tool's subprocess sandbox advertises a three-layer defense (AST validation, text-pattern blocklist, restricted builtins). In sandbox mode (the default) only two layers are active — the text-pattern blocklist is skipped — and both remaining layers are bypassed by combining two...
GHSA-W6H2-FR4Q-XVXV PraisonAI: Compute-bridged file tools allow shell command injection
Compute-bridged file tools allow shell command injection Summary LocalManagedAgent / SandboxedAgent compute bridging wraps readfile, listfiles, and writefile when a compute provider is attached. The bridge converts those file operations into shell command strings using raw path arguments, then...
PraisonAI: Compute-bridged file tools allow shell command injection
Compute-bridged file tools allow shell command injection Summary LocalManagedAgent / SandboxedAgent compute bridging wraps readfile, listfiles, and writefile when a compute provider is attached. The bridge converts those file operations into shell command strings using raw path arguments, then...
PraisonAI: HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools
HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools Summary praisonai.bots.HTTPApproval renders pending tool approval arguments directly into the approval dashboard HTML. An attacker-controlled tool argument can inject JavaScript into...
GHSA-63V4-W882-G4X2 PraisonAI: HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools
HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools Summary praisonai.bots.HTTPApproval renders pending tool approval arguments directly into the approval dashboard HTML. An attacker-controlled tool argument can inject JavaScript into...
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools Summary praisonaiagents.mcp.ToolsMCPServer.runsse builds a Starlette MCP HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes /sse and /messages/, but it does not valida...
GHSA-VMF9-XX9W-86WX PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools Summary praisonaiagents.mcp.ToolsMCPServer.runsse builds a Starlette MCP HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes /sse and /messages/, but it does not valida...
JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables
Summary The JLine3 Telnet server (remote-telnet module) does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option. An unauthenticated attacker can flood the server with a large number of unique variable pairs before sending the terminating IAC SE byte,...
GHSA-47QP-HQVX-6R3F JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables
Summary The JLine3 Telnet server (remote-telnet module) does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option. An unauthenticated attacker can flood the server with a large number of unique variable pairs before sending the terminating IAC SE byte,...
JLine3 Telnet server: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry
Summary The JLine3 Telnet server (remote-telnet module) does not apply an upper bound to terminal dimensions received via the Telnet NAWS (Negotiate About Window Size) option. An unauthenticated remote attacker can send a NAWS subnegotiation advertising a 65535×65535 terminal and repeatedly alternate...