12 matches found
Malicious code in @amswf/huoke (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...
MAL-2026-4361 Malicious code in @amswf/huoke (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4 On npm install, this package's postinstall runs node bin/huoke.js install-skill, which enumerates /home/ for every system user, finds each user's...
MAL-2026-4472 Malicious code in @zhengshuo888/huoke (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab On npm install, the package's postinstall hook runs node bin/huoke.js install-skill, which uses execSync to invoke curl -fsSL against...
CVE-2026-40117 PraisonAIAgents Affected by Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, readskillfile in skilltools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skillpath parameter. Unlike filetools.readfile which enforces workspace boundary confinement, and unlike runskillscript...
CVE-2026-40117 PraisonAIAgents Affected by Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, readskillfile in skilltools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skillpath parameter. Unlike filetools.readfile which enforces workspace boundary confinement, and unlike runskillscript...
PraisonAI 安全漏洞
PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 1.5.128 contained security vulnerabilities. These vulnerabilities stemmed from the readskillfile function accepting an unlimited skillpath parameter, which could allow agents to...
EUVD-2026-18821
prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing...
CVE-2026-22661
prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing...
CVE-2026-22661
Prompts.chat is affected by a path-traversal vulnerability in skill file handling prior to commit 0f8d4c3. Attackers can craft ZIP archives with unsanitized filenames that include ../ path sequences, bypassing server-side filename validation, causing extraction to write files outside the intended...
CVE-2026-22661 prompts.chat Path Traversal via Skill File Handling
prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing...
CVE-2026-22661 prompts.chat Path Traversal via Skill File Handling
prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing...
PT-2026-30225
prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing...