Lucene search
K

866 matches found

Github Security Blog
Github Security Blog
added 2026/04/10 7:21 p.m.8 views

PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)

Summary The memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py lines 303 to 305. No sanitization, no shlex.quote, no character filter, and no allowlist check exists...

9.3CVSS6.4AI score0.00229EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/10 7:16 p.m.6 views

UBUNTU-CVE-2026-3446

When calling base64.b64decode or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use...

6CVSS5.7AI score0.00188EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/10 6:17 p.m.4 views

CVE-2026-3446

When calling base64.b64decode or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use...

6CVSS5.7AI score0.00188EPSS
Exploits0References7Affected Software1
EUVD
EUVD
added 2026/04/10 3:31 p.m.5 views

EUVD-2026-21372

Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM macOS before build 42571, Acronis True Image macOS before build 42902...

7.8CVSS7.1AI score0.00181EPSS
Exploits0References2
NVD
NVD
added 2026/04/10 2:16 p.m.7 views

CVE-2026-33092

Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM macOS before build 42571, Acronis True Image macOS before build 42902...

7.8CVSS0.00181EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/10 1:17 p.m.9 views

CVE-2026-33092

Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM macOS before build 42571, Acronis True Image macOS before build 42902...

7.8CVSS7.1AI score0.00181EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/10 1:17 p.m.27 views

CVE-2026-33092

Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM macOS before build 42571, Acronis True Image macOS before build 42902...

7.8CVSS0.00181EPSS
Exploits0References1
CVE
CVE
added 2026/04/10 1:17 p.m.8 views

CVE-2026-33092

CVE-2026-33092 affects Acronis True Image OEM (macOS) before build 42571 and Acronis True Image (macOS) before build 42902. It is a local privilege escalation caused by improper handling of environment variables, with CVSSv3.0 vector LOCAL/LOW/PR:L/UI:N and impact on confidentiality, integrity, a...

7.8CVSS7.1AI score0.00181EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.8 views

Acronis True Image 安全漏洞

Acronis True Image is a renowned data backup and restoration software developed by the Swiss company Acronis. This software can be used to create drive and disk images, and to restore those images when a clean system is required. Acronis True Image OEM versions prior to 42571 and macOS 42902...

7.8CVSS7.1AI score0.00181EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.6 views

PT-2026-31916

Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM macOS before build 42571, Acronis True Image macOS before build 42902...

7.8CVSS5.8AI score0.00181EPSS
Exploits0References2
NVD
NVD
added 2026/04/09 9:16 p.m.5 views

CVE-2026-40107

SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, tags with src attributes survive Mermaid's internal DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary...

8.7CVSS0.00306EPSS
Exploits1References1
OSV
OSV
added 2026/04/08 9:52 p.m.16 views

GHSA-2763-CJ5R-C79M PraisonAI Vulnerable to OS Command Injection

The executecommand function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. --- Description PraisonAI's workflow system and...

9.6CVSS6.4AI score0.00419EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/04/07 11:1 p.m.9 views

CVE-2026-35022

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell...

9.8CVSS6.2AI score0.00596EPSS
Exploits0References1
OSV
OSV
added 2026/04/07 9:18 p.m.5 views

CVE-2026-34765 Electron named window.open targets not scoped to the opener's browsing context

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing...

6CVSS6.2AI score0.003EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/04/06 10:57 a.m.5 views

CVE-2026-34955

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes BASIC, STRICT, NETWORKISOLATED calls subprocess.run with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone...

10CVSS5.8AI score0.00383EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.23 views

Claude Code CLI和Claude Agent SDK 操作系统命令注入漏洞

Claude Code CLI and Claude Agent SDK are both open-source products developed by Anthropic. Claude Code CLI is a command-line AI coding assistant tool. Claude Agent SDK is a developer toolkit for AI coding assistants. Both Claude Code CLI and Claude Agent SDK have operating system command injectio...

6.2AI score0.00596EPSS
Exploits0References3
NVD
NVD
added 2026/04/04 12:16 a.m.15 views

CVE-2026-34955

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes BASIC, STRICT, NETWORKISOLATED calls subprocess.run with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone...

10CVSS0.00383EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/03 11:4 p.m.25 views

CVE-2026-34955 PraisonAI: Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes BASIC, STRICT, NETWORKISOLATED calls subprocess.run with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone...

8.8CVSS0.00383EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/04/03 11:2 p.m.3 views

CVE-2026-28728

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image Windows before build 42902...

6.7CVSS6.7AI score0.00096EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/03 11:2 p.m.4 views

CVE-2026-33271

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis True Image Windows before build 42902...

6.7CVSS6.7AI score0.00086EPSS
Exploits0References1
Rows per page
Query Builder