PT-2026-30464

🚨 LIVE HIJACK ALERT — CVE-2026-77777. CVSS 8.9. attacker feeds poisoned task output to CrewAI agent memory. future tasks execute attacker instructions as if they were original goals. investigating. 🧵...

PT-2026-30452

Name of the Vulnerable Software and Affected Versions Tencent AI-Infra-Guard version 4.0 Description A vulnerability exists in Tencent AI-Infra-Guard version 4.0, specifically within the Task Detail Endpoint component. The issue resides in an unknown function of the task manager.go file located i...

UBUNTU-CVE-2026-23446

In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpmresume" This is caused by aqc111suspend calling the PM variant of its writecmd routine. The simplified call trace looks like this:...

OpenClaw 安全漏洞

OpenClaw is a command line tool for rights management. A security vulnerability exists in versions of OpenClaw prior to 2026.3.11 that stems from insufficient authorization checking of subagent control requests, resulting in a leaf child agent being able to access the subagent control plane and...

SUSE CVE-2026-30886

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

SUSE CVE-2026-33313

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...

SUSE CVE-2026-33619

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

SUSE CVE-2026-33678

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...

EUVD-2026-16656

A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component Parameter Handler. The manipulation of the argument State results in sql injection. The attack can be launch...

CVE-2026-4956

A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component Parameter Handler. The manipulation of the argument State results in sql injection. The attack can be launch...

PT-2026-28682

A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected element is an unknown function of the file /DevicePrint.do?Action=ReadTask of the component Parameter Handler. The manipulation of the argument State results in sql injection. The attack can be launch...

CVE-2026-27496

n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data fro...

CVE-2026-33619

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

CVE-2026-33619 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

CVE-2026-33619

PinchTab v0.8.3 exposes an unauthenticated blind SSRF via the scheduler’s webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the scheduler issues an outbound POST to that URL at terminal state. The webhook path only validated the URL scheme, failing...

GO-2026-4853 Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api

Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports fr...

GO-2026-4847 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the callbackUrl parameter in the Task Scheduler process. An attacker can cause the server to make arbitrary HTTP requests to external or internal systems by supplying a crafted URL. Remediation Upgra...

GO-2026-4825 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl in github.com/pinchtab/pinchtab

PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl in github.com/pinchtab/pinchtab...

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the improper enforcement of access controls in the ReadAll and GetTaskAttachment processes. An attacker can gain unauthorized access to and delete file attachments across all...