Lucene search
+L

77 matches found

OSV
OSV
added 2 days ago3 views

DEBIAN-CVE-2026-57076

YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syckhdlraddanchor. In the bundled libsyck an anchor name allocated by syckstrndup is stored both as node-anchor, freed when the node is freed, and as the key in the parser's...

7.8CVSS5.4AI score0.00186EPSS
Exploits0References1
NVD
NVD
added 2 days ago7 views

CVE-2026-57075

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syckbase64dec. The base64 decoder in the bundled libsyck indexes the 256-entry static table b64xtable with a signed char, so any !!binary byte = 0x80 sign-extends to a negative index and...

9.1CVSS0.00186EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-488 PraisonAI has critical RCE via `type: job` workflow YAML

praisonai workflow run loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in jobworkflow.py. This supports: - run: → shell command execution via subprocess.run - script: → inline Python execution via exec - python: → arbitrary Python script execution A malicious YAML...

9.8CVSS6.2AI score0.00609EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.12 views

CVE-2026-40288

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the...

9.8CVSS6.2AI score0.00609EPSS
Exploits1References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in snakeyaml

Those who use Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks DOS. If the parser runs on user-supplied input, an attacker may provide content that causes the parser to crash due to a stack overflow. This vulnerability could potentially allow for a Denial of...

6.5CVSS6.7AI score0.01476EPSS
Exploits1References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in snakeyaml

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks DOS. If the parser is running on user-supplied input, an attacker may provide content that causes the parser to crash due to a stack overflow...

6.5CVSS6.6AI score0.01642EPSS
Exploits0References1
NVD
NVD
added 2026/04/14 4:17 a.m.10 views

CVE-2026-40288

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the...

9.8CVSS0.00609EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/14 3:0 a.m.9 views

CVE-2026-40288 PraisonAI: Critical RCE via `type: job` workflow YAML

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the...

9.8CVSS6.4AI score0.00609EPSS
Exploits1References1
CVE
CVE
added 2026/04/14 3:0 a.m.32 views

CVE-2026-40288

PraisonAI and praisonaiagents prior to versions 4.5.139 and 1.5.140 are exposed to a critical RCE via untrusted workflow YAML. When a YAML file for type: job is loaded, the JobWorkflowExecutor (job_workflow.py) processes steps allowing run (subprocess.run), script (inline Python via exec), and py...

9.8CVSS6.4AI score0.00609EPSS
Exploits1References1Affected Software2
OSV
OSV
added 2026/04/14 3:0 a.m.5 views

CVE-2026-40288 PraisonAI: Critical RCE via `type: job` workflow YAML

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the...

9.8CVSS6.5AI score0.00609EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/14 3:0 a.m.7 views

CVE-2026-40288

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the...

9.8CVSS6.4AI score0.00609EPSS
Exploits1References2Affected Software2
EUVD
EUVD
added 2026/04/14 3:0 a.m.10 views

EUVD-2026-22209

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the...

9.8CVSS6.4AI score0.00609EPSS
Exploits1References1
OSV
OSV
added 2026/04/10 7:32 p.m.17 views

GHSA-VC46-VW85-3WVM PraisonAI has critical RCE via `type: job` workflow YAML

praisonai workflow run loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in jobworkflow.py. This supports: - run: → shell command execution via subprocess.run - script: → inline Python execution via exec - python: → arbitrary Python script execution A malicious YAML...

9.8CVSS6.2AI score0.00609EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.9 views

PT-2026-32593

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.139 praisonaiagents versions prior to 1.5.140 Description The workflow engine is susceptible to arbitrary command and code execution through untrusted YAML files. When the system loads a YAML file with type: job...

9.8CVSS6.4AI score0.00609EPSS
Exploits1References16
NVD
NVD
added 2026/01/22 4:16 p.m.11 views

CVE-2026-24009

Docling Core or docling-core is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution RCE vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version...

9.8CVSS0.01376EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/01/22 3:4 p.m.22 views

CVE-2026-24009 Docling Core vulnerable to Remote Code Execution via unsafe PyYAML usage

Docling Core or docling-core is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution RCE vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version...

8.1CVSS0.01376EPSS
Exploits1References5
OSV
OSV
added 2025/11/14 2:29 p.m.4 views

GHSA-MH29-5H37-FV8M js-yaml has prototype pollution in merge (<<)

Impact In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution proto. All users who parse untrusted yaml documents may be impacted. Patches Problem is patched in js-yaml 4.1.1 and 3.14.2...

5.3CVSS6.8AI score0.00414EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2025/11/14 2:29 p.m.6 views

js-yaml has prototype pollution in merge (<<)

Impact In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution proto. All users who parse untrusted yaml documents may be impacted. Patches Problem is patched in js-yaml 4.1.1 and 3.14.2...

5.3CVSS6.4AI score0.00414EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2025/11/13 4:42 p.m.4 views

Prototype Pollution

Overview js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing proto properties. This can lead to...

6.9CVSS7.8AI score0.00414EPSS
Exploits0References2
OSV
OSV
added 2025/11/13 4:15 p.m.5 views

UBUNTU-CVE-2025-64718

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution proto. All users who parse untrusted yaml documents may be impacted. The problem is patched in...

5.3CVSS6.6AI score0.00414EPSS
Exploits0References4
Rows per page
Query Builder