Lucene search
K

4269 matches found

CVE
CVE
added yesterday8 views

CVE-2026-61442

PraisonAI Platform before 0.1.9 has an authorization bypass on PATCH routes for projects, issues, and agents, where workspace-members can modify owner-created records. Specifically, a member can reassign lead_id to their own user id and then delete the owner-created project, bypassing the delete ...

7.1CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added yesterday9 views

EUVD-2026-43180

PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...

7.1CVSS6.1AI score
Exploits0References3
CVE
CVE
added yesterday6 views

CVE-2026-60088

CVE-2026-60088 affects PraisonAI prior to 4.6.78. The issue is a path traversal flaw in custom command templates, where file paths are not validated, allowing an attacker to read files outside the workspace (e.g., @../outside_secret.txt or absolute paths) and exfiltrate process-readable files int...

6.8CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added yesterday8 views

EUVD-2026-43174

PraisonAI before 4.6.78 fails to validate file path references in custom command templates, allowing attackers to read files outside the workspace. Attackers can include path traversal sequences like @../outsidesecret.txt or absolute paths in project command files to exfiltrate process-readable...

6.8CVSS6.1AI score
Exploits0References3
Nuclei
Nuclei
added yesterday7 views

Dashy <= 4.3.6 - Reflected XSS via Workspace

Dashy versions up to 4.3.6 contain a reflected cross-site scripting vulnerability in the workspace view. The url query parameter is passed directly to an iframe src attribute without scheme validation, allowing an attacker to inject javascript: URIs that execute arbitrary JavaScript in the contex...

3.9CVSS6.2AI score0.00255EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday23 views

VMware Workspace ONE Access - Authentication Bypass

VMware Workspace ONE Access has two authentication bypass vulnerabilities CVE-2022-22955 & CVE-2022-22956 in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework. id: CVE-2022-22956...

9.8CVSS7.2AI score0.50694EPSS
Exploits5References4
CVE
CVE
added 2 days ago7 views

CVE-2026-49394

Frappe CVE-2026-49394: Before version 16.19.0, authorization bypass was possible via the update_page endpoint in Workspace because the Workspace Manager edit check was not enforced for public workspaces. The issue is fixed in 16.19.0. The CVSS metrics indicate a NETWORK attack vector, LOW access ...

7.1CVSS6.1AI score0.00307EPSS
Exploits0References6
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-39123

SiYuan: Stored XSS to RCE via CSS-snippet breakout in renderSnippet...

9.9CVSS6.1AI score0.00307EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-39122

SiYuan: Path Traversal via Double URL Encoding in /assets/path publish mode arbitrary file─read, Incomplete fix of CVE-2026-41894...

7.5CVSS6.2AI score0.01892EPSS
Exploits0References2
NVD
NVD
added 2 days ago6 views

CVE-2026-61432

PraisonAI praisonaiagents before 1.6.78 contains a path traversal vulnerability in the FastContext feature praisonaiagents.context.fast. FastContextAgent.executetool prepends the configured workspacepath only for relative paths and neither rejects absolute paths nor canonicalizes joined paths...

6.9CVSS0.00278EPSS
Exploits0References3
NVD
NVD
added 2 days ago9 views

CVE-2026-59792

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible...

9.8CVSS0.00424EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago28 views

CVE-2026-59792

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible...

9.6CVSS0.00424EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-42910

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible...

9.8CVSS6.4AI score0.00424EPSS
Exploits0References1
CVE
CVE
added 2 days ago14 views

CVE-2026-59792

CVE-2026-59792 affects JetBrains IntelliJ IDEA prior to 2026.1.4, with a path-traversal weakness in project workspace ID handling that could enable code execution. The connected sources corroborate a 2026.2-era code execution claim tied to this path traversal issue. The available documents do not...

9.8CVSS6.4AI score0.00424EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-42898

PraisonAI praisonaiagents before 1.6.78 contains a path traversal vulnerability in the FastContext feature praisonaiagents.context.fast. FastContextAgent.executetool prepends the configured workspacepath only for relative paths and neither rejects absolute paths nor canonicalizes joined paths...

6.9CVSS6.1AI score0.00278EPSS
Exploits0References3
CVE
CVE
added 2 days ago7 views

CVE-2026-61432

PraisionAI (praisonaiagents) before 1.6.78 has a path traversal flaw in the FastContext feature. FastContextAgent.execute_tool() only prefixes workspace_path for relative paths and does not reject absolute paths or canonicalize joined paths, allowing tool arguments or model-generated calls to gre...

6.9CVSS6.1AI score0.00278EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2 days ago7 views

CVE-2026-59152

A flaw was found in the LangSmith Client SDK's TracingMiddleware. An attacker can send an HTTP request to a server running the TracingMiddleware, causing it to read an arbitrary file from its local filesystem. The contents of this file are then uploaded to LangSmith as a trace attachment. This...

5CVSS6.1AI score0.00174EPSS
Exploits0References4
Veracode
Veracode
added 2 days ago4 views

Improper Input Validation

github.com/coder/coder is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation of the scheme and host in external workspace application URLs before substituting the $SESSIONTOKEN placeholder, which allows an attacker controlling a malicious workspace templa...

7.7CVSS6.1AI score0.00336EPSS
Exploits0References9Affected Software2
NVD
NVD
added 2 days ago5 views

CVE-2026-50181

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, Langroid's ReadFileTool and WriteFileTool appear to treat currdir as the intended working-directory boundary for file operations. However, the tools only change the process working directory t...

7.1CVSS0.00184EPSS
Exploits1References2
NVD
NVD
added 3 days ago8 views

CVE-2026-59832

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /snippets/filepath route handler serveSnippets in kernel/server/serve.go joins a single-decoded request path with the snippets directory without subpath containment or sensitive-path checks, allowing an authenticat...

7.7CVSS0.00316EPSS
Exploits0References3
Rows per page
Query Builder