CNNVD
added 2026/05/08 12:0 a.m., 4 views

PraisonAI code injection vulnerability

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI from 4.5.139 to 4.6.32 had a code injection vulnerability. This vulnerability stemmed from insufficient protection for automatic tool imports in the tooloverride.py script, allowing...

CVSS 8.4, AI score 6.4, EPSS 0.00246
Exploits: 2, References: 1
Positive Technologies
added 2026/05/08 12:0 a.m., 6 views

PT-2026-38960

Name of the Vulnerable Software and Affected Versions: SEPPmail Secure Email Gateway versions prior to 15.0.2.1. Description: The new GINA UI contains a flaw that allows unauthenticated remote code execution. This occurs because an endpoint passes attacker-controlled input from a parameter to the Pe...

CVSS 9.3, AI score 6.3, EPSS 0.00667
Exploits: 0, References: 5
Vulnrichment
added 2026/05/06 8:5 a.m., 7 views

CVE-2026-35255

Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported version that is affected is v2.3.2. This easily exploitable vulnerability allows an unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line...

CVSS 6.6, AI score 6, EPSS 0.00182
Exploits: 0, References: 1
NVD
added 2026/05/05 12:16 p.m., 21 views

CVE-2023-54342

Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console,...

CVSS 9.8, EPSS 0.00455
Exploits: 0, References: 2
Snyk
added 2026/05/04 7:29 p.m., 7 views

Missing Authentication for Critical Function

Overview: arelle-release is an open source XBRL platform. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the plugins parameter in the /rest/configure endpoint, which is processed without authentication or authorization. An attacker can execu...

CVSS 9.8, AI score 6.2, EPSS 0.00732
Exploits: 0, References: 2
VulnCheck KEV
added 2026/04/25 12:0 a.m., 11 views

VulnCheck KEV: CVE-2026-29014

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

CVSS 9.8, AI score 6.8, EPSS 0.39688
Exploited in the wild. Exploits: 4, References: 36
Github Security Blog
added 2026/04/23 12:31 p.m., 5 views

H2O-3 is Vulnerable to Code Injection

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 9.8, AI score 7.5, EPSS 0.00757
Exploits: 1, References: 4, Affected Software: 1
CNNVD
added 2026/04/23 12:0 a.m., 5 views

Paperclip authorization vulnerability

Paperclip is an AI proxy orchestration tool developed by Paperclip Open Source. Versions of Paperclip prior to 2026.416.0 contained an authorization vulnerability. This vulnerability stemmed from the default authenticated configuration, allowing unauthenticated attackers to achieve full remote co...

CVSS 10, AI score 6.5, EPSS 0.01106
Exploits: 4, References: 1
CVE
added 2026/04/20 2:46 p.m., 3 views

CVE-2026-39918

Vvveb before 1.0.8.1 contains a code injection vulnerability in the installation endpoint. The subdir POST parameter is written unsanitized into env.php without escaping or validation, allowing an attacker to break out of the string context in the define statement and achieve unauthenticated remo...

CVSS 9.8, AI score 6.6, EPSS 0.00665
Exploits: 0, References: 3
NVD
added 2026/04/17 8:16 p.m., 5 views

CVE-2026-40066

Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution...

CVSS 8.8, EPSS 0.00301
Exploits: 0, References: 3
Vulnrichment
added 2026/04/16 2:30 a.m., 0 views

CVE-2026-6350 Openfind|MailGates/MailAudit - Stack-based Buffer Overflow

MailGates/MailAudit developed by Openfind has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and execute arbitrary code...

CVSS 9.8, AI score 6.2, EPSS 0.00765
Exploits: 0, References: 2
GithubExploit
added 2026/04/15 12:40 p.m., 162 views

Exploit for Missing Encryption of Sensitive Data in Apache Tomcat

CVE-2026-34486 — Apache Tomcat EncryptInterceptor RCE Apa...

CVSS 7.5, AI score 6, EPSS 0.01895
Exploits: 5
EUVD
added 2026/04/13 9:30 p.m., 3 views

EUVD-2026-22053

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory,...

CVSS 9.8, AI score 6.2, EPSS 0.00484
Exploits: 1, References: 3
NVD
added 2026/04/13 7:16 p.m., 1 view

CVE-2026-40044

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory,...

CVSS 9.8, EPSS 0.00484
Exploits: 1, References: 2
CNNVD
added 2026/04/13 12:0 a.m., 5 views

Palo Alto Networks Autonomous Digital Experience Manager security vulnerability

Palo Alto Networks Autonomous Digital Experience Manager is an artificial intelligence-based platform for monitoring and analyzing terminal and network experiences developed by Palo Alto Networks. There is a security vulnerability in Palo Alto Networks Autonomous Digital Experience Manager, which...

CVSS 5.4, AI score 6.1, EPSS 0.00161
Exploits: 0, References: 1
CNNVD
added 2026/04/13 12:0 a.m., 2 views

Agent Development Kit security vulnerability

Agent Development Kit is an open-source development framework provided by Google for building and deploying AI agents. Versions 1.7.0 to 1.28.1 and 2.0.0a1 to 2.0.0a2 of the Agent Development Kit contain security vulnerabilities. These vulnerabilities stem from code injection and lack of...

CVSS 10, AI score 6.2, EPSS 0.01816
Exploits: 0, References: 1
Cvelist
added 2026/04/10 6:14 p.m., 15 views

CVE-2026-33698 Chamilo LMS affected by unauthenticated RCE in main/install folder

Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals...

CVSS 9.3, EPSS 0.00321
Exploits: 0, References: 2
Tenable Nessus
added 2026/04/10 12:0 a.m., 2 views

Fortinet FortiClient EMS 7.4.5 / 7.4.6 API Authentication Bypass (FG-IR-26-099)

The version of Fortinet FortiClient EMS installed on the remote host is 7.4.5 or 7.4.6. It is, therefore, affected by an authentication bypass vulnerability: - An improper access control vulnerability CWE-284 in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or...

CVSS 9.8, AI score 6, EPSS 0.88505
Exploits: 8, References: 2
Cvelist
added 2026/04/09 10:59 p.m., 16 views

CVE-2026-34424 Smart Slider 3 Pro 3.5.1.35 Supply Chain Attack Remote Access Toolkit

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via...

CVSS 9.8, EPSS 0.00551
Exploits: 0, References: 5
Positive Technologies
added 2026/04/09 12:0 a.m., 2 views

PT-2026-31821

Name of the Vulnerable Software and Affected Versions: Smart Slider 3 Pro version 3.5.1.35. Description: Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system. This allows unauthenticated attackers to...

CVSS 9.8, AI score 6.3, EPSS 0.00551
Exploits: 0, References: 12