GHSA-X462-JJPC-Q4Q4 PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint

Summary The AGUI endpoint POST /agui has no authentication and hardcodes Access-Control-Allow-Origin: on all responses. Combined with Starlette/FastAPI's Content-Type-agnostic JSON parsing, any website a victim visits can silently trigger arbitrary agent execution against a locally-running AGUI...

PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution

Summary The Chainlit UI modules chat.py and code.py hardcode config.approvalmode = "auto" after loading administrator configuration from the PRAISONAPPROVALMODE environment variable, silently overriding any "manual" or "scoped" approval setting. This defeats the human-in-the-loop approval gate fo...

GHSA-QWGJ-RRPJ-75XM PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution

Summary The Chainlit UI modules chat.py and code.py hardcode config.approvalmode = "auto" after loading administrator configuration from the PRAISONAPPROVALMODE environment variable, silently overriding any "manual" or "scoped" approval setting. This defeats the human-in-the-loop approval gate fo...

CVE-2026-5905

An incorrect security ui flaw was found in the Permissions component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=483899628...

CVE-2026-5899

An incorrect security ui flaw was found in the History Navigation component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=474817168...

CVE-2026-5891

An insufficient policy enforcement flaw was found in the browser UI component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=487471101...

CVE-2026-5880

An incorrect security ui flaw was found in the browser UI component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=424995036...

CVE-2026-5878

An incorrect security ui flaw was found in the Blink component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=365089001...

PT-2026-32047

Name of the Vulnerable Software and Affected Versions Microsoft Edge Chromium-based affected versions not specified Description A user interface misrepresentation allows an attacker to perform spoofing over a network. Recommendations At the moment, there is no information about a newer version th...

Microsoft Edge 安全漏洞

Microsoft Edge is a web browser included with Windows 10 and later versions of the Microsoft operating system. There is a security vulnerability in Microsoft Edge, which stems from incorrect user interface representations of critical information, potentially leading to network spoofing attacks...

KLA90976 Multiple vulnerabilities in Microsoft Browser

Multiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to cause denial of service, spoof user interface, obtain sensitive information, execute arbitrary code, bypass security restrictions. Below is a complete list of vulnerabilities: 1. Heap...

SUSE CVE-2026-5874

Use after free in PrivateAI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: Medium...

SUSE CVE-2026-5891

Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-5874

A flaw was found in Google Chrome. A remote attacker could exploit a use-after-free vulnerability in the PrivateAI component by convincing a user to engage in specific user interface UI gestures through a crafted HTML page. This could potentially allow the attacker to bypass the browser's securit...

CVE-2026-33793

An Execution with Unnecessary Privileges vulnerability in the User Interface UI of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system. When a configuration that allows unsigned Python op scripts is present o...

CVE-2026-33793

An Execution with Unnecessary Privileges vulnerability in the User Interface UI of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system. When a configuration that allows unsigned Python op scripts is present o...

CVE-2026-40071

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

CVE-2026-40071 pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

EUVD-2026-20732

Incorrect security UI in Omnibox in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox URL bar via a crafted HTML page. Chromium security severity: Low...

EUVD-2026-20727

Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...