Lucene search
K

64 matches found

OSV
OSV
added 3 days ago3 views

PYSEC-2026-1808 Pulp incorrectly assigns RBAC permissions in tasks that create objects

A flaw was found in the Pulp package. When a role-based access control RBAC object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin typically the addrolesforobjectcreator method. This method finds the object creator by checking the current authenticated user...

8.6CVSS6.6AI score0.0061EPSS
Exploits0References9
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-559 Upsonic: remote code execution vulnerability in its MCP server/task creation functionality

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

9.8CVSS6.8AI score0.00974EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.11 views

CVE-2026-3199

A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control...

9.4CVSS5.8AI score0.00359EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 6:16 p.m.23 views

CVE-2026-45374

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the taskcreate tool spawns durable sub-agents that inherit two insecure defaults, allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue and autoapprove defaults to true taskmanager.rs:297: autoapprove:...

9.6CVSS0.0026EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/28 5:26 p.m.9 views

EUVD-2026-32962

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the taskcreate tool spawns durable sub-agents that inherit two insecure defaults, allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue and autoapprove defaults to true taskmanager.rs:297: autoapprove:...

9.6CVSS5.8AI score0.0026EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/14 8:29 p.m.11 views

DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

Summary The taskcreate tool spawns durable sub-agents that inherit two insecure defaults: - allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue - autoapprove defaults to true taskmanager.rs:297: autoapprove: Sometrue When a user approves a taskcreate call which requires...

9.6CVSS5.8AI score0.0026EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.24 views

PT-2026-41186

Name of the Vulnerable Software and Affected Versions CodeWhale versions prior to 0.8.26 Description The task create tool spawns durable sub-agents that inherit insecure default settings. Specifically, the allow shell variable defaults to true and the auto approve variable defaults to true. When ...

9.6CVSS5.9AI score0.0026EPSS
Exploits0References10
Veracode
Veracode
added 2026/05/08 6:18 a.m.14 views

Remote Code Execution

Sonatype Nexus Repository is vulnerable to Remote Code Execution. The vulnerability is due to a flaw in the task management component, where an authenticated attacker with task creation permissions can bypass the nexus.scripts.allowCreation security control and execute arbitrary code...

9.4CVSS6.1AI score0.00359EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/16 7:22 p.m.6 views

CVE-2026-30625

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

9.8CVSS6.6AI score0.00974EPSS
Exploits0References1
OSV
OSV
added 2026/04/15 6:31 p.m.7 views

GHSA-CW73-5F7H-M4GV Upsonic: remote code execution vulnerability in its MCP server/task creation functionality

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

9.8CVSS6.6AI score0.00974EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/15 6:31 p.m.14 views

Upsonic: remote code execution vulnerability in its MCP server/task creation functionality

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

9.8CVSS6.6AI score0.00974EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/04/15 4:16 p.m.5 views

CVE-2026-30625

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

9.8CVSS0.00974EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/15 12:0 a.m.3 views

CVE-2026-30625

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

6.6AI score0.00974EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/15 12:0 a.m.15 views

Upsonic 安全漏洞

Upsonic is an open-source AI proxy framework developed by Upsonic. Version 0.71.6 of Upsonic contains a security vulnerability. This vulnerability stems from defects in the MCP server or the task creation functionality, which may lead to remote code execution...

9.8CVSS6.3AI score0.00974EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.7 views

PT-2026-33073

Name of the Vulnerable Software and Affected Versions Upsonic version 0.71.6 Description An issue exists in the MCP server/task creation functionality where users can define MCP tasks with arbitrary command and args values. While an allowlist is implemented, specific permitted commands such as np...

9.8CVSS6.8AI score0.00974EPSS
Exploits0References14
NVD
NVD
added 2026/04/08 11:16 p.m.4 views

CVE-2026-3199

A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control...

9.4CVSS0.00359EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/08 11:8 p.m.14 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data involving task management that allows authenticated users with task creation permissions to execute arbitrary code by injecting malicious properties into a serialized object. A user can bypass...

9.9CVSS6.1AI score0.00359EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/08 10:17 p.m.29 views

CVE-2026-3199 Nexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection

A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control...

9.4CVSS0.00359EPSS
Exploits0References2
CVE
CVE
added 2026/04/08 10:17 p.m.19 views

CVE-2026-3199

CVE-2026-3199 is an authenticated remote code execution flaw in Sonatype Nexus Repository’s task management component, affecting versions 3.22.1 through 3.90.2. An attacker with task creation permissions can bypass nexus.scripts.allowCreation and execute arbitrary code. The connected CVE records ...

9.4CVSS6.1AI score0.00359EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.14 views

Sonatype Nexus Repository 安全漏洞

Sonatype Nexus Repository is a repository manager developed by Sonatype, Inc. in the United States. It is primarily used for managing, storing, and distributing software. Versions of Sonatype Nexus Repository 3.90.2 and earlier contain security vulnerabilities. These vulnerabilities stem from...

9.4CVSS6AI score0.00359EPSS
Exploits0References2
Rows per page
Query Builder