13 matches found
CVE-2026-46719
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics...
CVE-2026-46719
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics...
PT-2026-41426
Name of the Vulnerable Software and Affected Versions: Net::Statsd::Lite versions prior to 0.9.0. Description: Net::Statsd::Lite for Perl allows metric injections because metric names are not validated for newlines, colons, or pipes. This enables metrics generated from untrusted sources to inject...
PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries
Summary: PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. Details: This issue affec...
CVE-2026-44337
PraisonAI across versions 2.4.1–4.6.34 exposes optional SQL/CQL-backed knowledge-store backends that derive table and index identifiers from unvalidated collection names. This can enable SQL/CQL injection when applications pass untrusted collection names into these backends. The issue is fixed i...
EUVD-2026-28640
PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names...
CVE-2026-44337
PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names...
PT-2026-39004
Name of the Vulnerable Software and Affected Versions: PraisonAI versions 2.4.1 through 4.6.33. Description: PraisonAI is a multi-agent teams system that exposes optional SQL/CQL-backed knowledge-store implementations. These implementations build table and index identifiers using unvalidated name an...
GHSA-FR8X-3VFX-F45H gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository
Summary (attachments: pocs.zip): Submodule names coming from .gitmodules are exposed as unvalidated names and are later reused to derive the submodule git directory as: /modules/ Because the submodule name is joined directly as a filesystem path component, a name such as ../../../escaped-target.git...
CVE-2025-70952
pf4j before 20c2f80 has a path traversal vulnerability in the extract function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation...
CVE-2025-52331
Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11 allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation i...
RubyGems Local Arbitrary File Rewrite Vulnerability
RubyGems is a Ruby package manager from the RubyGems organization, which is used to distribute and manage Ruby packages. A security vulnerability exists in RubyGems 2.6.12 and earlier versions that stems from the program not validating specification names. An attacker can exploit the vulnerabilit...
PT-2015-6842 · Red Hat +2 · Red Hat Openshift Enterprise +2
Name of the Vulnerable Software and Affected Versions: Kubernetes versions prior to the fixed version; Red Hat OpenShift Enterprise version 3.0. Description: A directory traversal issue exists due to improper handling of crafted object type names before they are passed to etcd. This allows attacker...