Lucene search
K

4305 matches found

Nuclei
Nuclei
added 5 hours ago8 views

Dashy <= 4.3.6 - Reflected XSS via Workspace

Dashy versions up to 4.3.6 contain a reflected cross-site scripting vulnerability in the workspace view. The url query parameter is passed directly to an iframe src attribute without scheme validation, allowing an attacker to inject javascript: URIs that execute arbitrary JavaScript in the contex...

3.9CVSS6.2AI score0.00255EPSS
Exploits0References2
EUVD
EUVD
added 9 hours ago3 views

EUVD-2026-43618

A weakness has been identified in louisho5 picobot up to 0.2.0. Impacted is the function CreateSkill/GetSkill of the file internal/agent/tools/filesystem.go of the component Workspace Handler. Executing a manipulation can lead to link following. It is possible to launch the attack remotely. The...

6.5CVSS6.3AI score
Exploits0References6
EUVD
EUVD
added 10 hours ago5 views

EUVD-2026-43615

A vulnerability was determined in nextlevelbuilder GoClaw 3.13.3-beta.3. This affects the function writeFile of the file internal/providers/acp/toolbridge.go of the component ACP ToolBridge Workspace Handler. This manipulation causes path traversal. The attack is possible to be carried out...

6.5CVSS6.3AI score
Exploits0References7
CVE
CVE
added 11 hours ago8 views

CVE-2026-15622

The CVE-2026-15622 entry concerns poco-ai poco-claw Workspace API. Affects the function get_workspace_file in executor_manager/app/api/v1/workspace.py; manipulating the user_id parameter can bypass authorization. Impact is an authorization bypass that can be triggered remotely, with a proof-of-co...

6.9CVSS5.9AI score
Exploits0References8
EUVD
EUVD
added 11 hours ago4 views

EUVD-2026-43599

A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...

6.9CVSS5.9AI score
Exploits0References8
Cvelist
Cvelist
added 11 hours ago9 views

CVE-2026-15622 poco-ai poco-claw Workspace API workspace.py get_workspace_file authorization

A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...

6.9CVSS
Exploits0References8
Nuclei
Nuclei
added yesterday93 views

VMWare Workspace ONE UEM - Server-Side Request Forgery

VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without...

7.5CVSS7.1AI score0.97713EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday23 views

VMware Workspace ONE Access - Authentication Bypass

VMware Workspace ONE Access has two authentication bypass vulnerabilities CVE-2022-22955 & CVE-2022-22956 in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework. id: CVE-2022-22956...

9.8CVSS7.2AI score0.50694EPSS
Exploits5References4
CVE
CVE
added yesterday5 views

CVE-2026-26396

OpenBMB XAgent v1.0.0 and earlier are affected by a path traversal in the file() function within XAgent/XAgentServer/application/routers/workspace.py. The input parameter filename is user-controllable and concatenated into the file path without proper validation, enabling potential disclosure of ...

7.5CVSS6AI score
Exploits0References1
Cvelist
Cvelist
added yesterday14 views

CVE-2026-26396

OpenBMB XAgent v1.0.0 and before is vulnerable to path traversal in the file function in XAgent/XAgentServer/application/routers/workspace.py. The input parameter “filename” is user-controllable and is concatenated into the file path to be read without proper validation, leading to a directory...

Exploits0References1
NVD
NVD
added 3 days ago6 views

CVE-2026-61442

PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...

7.1CVSS0.00256EPSS
Exploits0References3
NVD
NVD
added 3 days ago6 views

CVE-2026-60088

PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outsidesecret.txt or absolute paths in project command files to exfiltrate process-readable...

6.8CVSS0.00147EPSS
Exploits0References3
CVE
CVE
added 3 days ago17 views

CVE-2026-61442

PraisonAI Platform before 0.1.9 has an authorization bypass on PATCH routes for projects, issues, and agents, where workspace-members can modify owner-created records. Specifically, a member can reassign lead_id to their own user id and then delete the owner-created project, bypassing the delete ...

7.1CVSS6.1AI score0.00256EPSS
Exploits0References3
EUVD
EUVD
added 3 days ago12 views

EUVD-2026-43180

PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...

7.1CVSS6.1AI score0.00256EPSS
Exploits0References3
Cvelist
Cvelist
added 3 days ago36 views

CVE-2026-61442 PraisonAI Platform before 0.1.9 Authorization Bypass via PATCH

PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...

7.1CVSS0.00256EPSS
Exploits0References3
OSV
OSV
added 3 days ago3 views

CVE-2026-61442 PraisonAI Platform before 0.1.9 Authorization Bypass via PATCH

PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...

7.1CVSS6.1AI score0.00256EPSS
Exploits0References5
EUVD
EUVD
added 3 days ago8 views

EUVD-2026-43174

PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outsidesecret.txt or absolute paths in project command files to exfiltrate process-readable...

6.8CVSS6.1AI score0.00147EPSS
Exploits0References3
CVE
CVE
added 3 days ago12 views

CVE-2026-60088

CVE-2026-60088 affects PraisonAI prior to 4.6.78. The issue is a path traversal flaw in custom command templates, where file paths are not validated, allowing an attacker to read files outside the workspace (e.g., @../outside_secret.txt or absolute paths) and exfiltrate process-readable files int...

6.8CVSS6.1AI score0.00147EPSS
Exploits0References3
Cvelist
Cvelist
added 3 days ago37 views

CVE-2026-60088 PraisonAI before 4.6.78 Path Traversal via Custom Commands

PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outsidesecret.txt or absolute paths in project command files to exfiltrate process-readable...

6.8CVSS0.00147EPSS
Exploits0References3
NVD
NVD
added 4 days ago9 views

CVE-2026-49394

Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the updatepage endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0...

7.1CVSS0.00307EPSS
Exploits0References6
Rows per page
Query Builder