20 matches found
CVE-2026-8081 router-for-me CLIProxyAPI api_tools.go server-side request forgery
A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/apitools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote...
PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)
TL;DR CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAIALLOWLOCALTOOLS=true in two files toolresolver.py, api/call.py. A third import sink in praisonai/templates/tooloverride.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is...
PT-2026-35969
A security flaw has been discovered in NousResearch hermes-agent 0.8.0. This affects the function check sensitive path of the file tools/file tools.py. The manipulation results in symlink following. Attacking locally is a requirement. The exploit has been released to the public and may be used fo...
CVE-2026-6604 modelscope agentscope Cloud Metadata Endpoint _openai_tools.py openai_audio_to_text server-side request forgery
A vulnerability was identified in modelscope agentscope up to 1.0.18. Affected by this issue is the function parseurl/prepareimage/openaiaudiototext of the file src/agentscope/tool/multimodality/openaitools.py of the component Cloud Metadata Endpoint. Such manipulation of the argument...
PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.specfromfilelocation and immediately executes module-level code via spec.loader.execmodule without explicit user consent,...
GHSA-2G3W-CPC4-CHR4 PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.specfromfilelocation and immediately executes module-level code via spec.loader.execmodule without explicit user consent,...
CVE-2026-40156
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.specfromfilelocation and immediately executes module-level code v...
CVE-2026-40156
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.specfromfilelocation and immediately executes module-level code v...
CVE-2026-40156 PraisonAI Affected by Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.specfromfilelocation and immediately executes module-level code v...
CVE-2026-40156
PraisonAI before 4.5.128 loads a file named tools.py from the CWD using importlib, executing module-level code without explicit consent, validation, or sandboxing. Merely having tools.py in the working directory triggers code execution, bypassing configuration references. This creates a local, im...
CVE-2026-40156 PraisonAI Affected by Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.specfromfilelocation and immediately executes module-level code v...
PraisonAI 安全漏洞
PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.128 contained a security vulnerability. This vulnerability stemmed from the automatic loading and execution of the tools.py file located in the working directory, which coul...
BIT-PRESTASHOP-2024-36626
In prestashop 8.1.4, a NULL pointer dereference was identified in the mathround function within Tools.php...
DeepResearchAgent 命令注入漏洞
DeepResearchAgent is an open source application from Skywork. DeepResearchAgent has a command injection vulnerability that stems from the incorrect manipulation of parameters in the fromcode/fromdict/frommcp functions in the src/tools/tools.py file, which could lead to os command injection...
CVE-2025-22247
CVE-2025-22247 affects open-vm-tools ( VMware Tools open-source components) and can be triggered by a non-administrative guest-VM user due to insecure file handling that may tamper local files, potentially enabling partial integrity impact within the guest. Several advisories confirm affected pac...
PT-2024-22790 · Freescout · Freescout
Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.128 Description: FreeScout is a self-hosted help desk and shared mailbox. The issue concerns OS Command Injection in the /public/tools.php source file. The value of the php path parameter is being executed as a...
DEBIAN-CVE-2023-48090
GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks in extractattributes mediatools/m3u8.c:329...
PT-2021-22582 · Seo Panel · Seo Panel
Name of the Vulnerable Software and Affected Versions: SEO Panel version 4.8.0 Description: Multiple Cross Site Scripting XSS vulnerabilities exist in SEO Panel via several parameters in various PHP files. The affected parameters include to time in files such as backlinks.php, analytics.php, and...
Odoo Directory Traversal Vulnerability
Odoo formerly known as OpenERP is an enterprise resource planning ERP and customer relationship management CRM system. The system is developed using Python language , PostgreSQL as the database , and includes modules such as sales management , inventory management , financial management , and...
tmp-advisory.txt
L0pht Security Tool and miniAdvisory Advisory released Jan 8 1999 Application: A tool designed to monitor directory activity, copy transient files based upon regular expression matching, syslog upon seeing links created, etc. etc. Severity: Just about every OS out there is replete with programs...