Lucene search
K
GithubRecent

33190 matches found

Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.8 views

PGHoard: Password written to debug log

Impact When using .pgpass, database connection information including the username and password will be logged at the debug level. Patches Upgrade to version 2.7.1 or greater. Workarounds Filter out debug-level logs. References This issue was discovered by BugCrowd user DRAKOKORIAN...

5.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.10 views

Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID

Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID Summary The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who...

7.5CVSS5.7AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.15 views

opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication

githubreceiver Silently Ignores Configured requiredheaders Authentication Summary The githubreceiver webhook handler does not enforce the requiredheaders configuration. Headers are validated at startup config rejects empty keys/values but never checked on incoming requests. This follows the same...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.12 views

Kirby: `pages.access` permission is not checked in the `site/find` REST API route

TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, options in the model blueprints, or a combination of both settings. It was possible to...

7.1CVSS5.4AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.10 views

Kirby: Access to files of top-level drafts is not protected by permissions

TL;DR This vulnerability affects Kirby 5 sites that have the content.fileRedirects option enabled set to true or a custom closure as well as all Kirby 4 sites that haven't explicitly disabled this option. It was possible to access clean file URLs of top-level drafts e.g. /about-us/team.jpg withou...

6.3CVSS5.3AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.12 views

Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header

TL;DR This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the Forwarded: for=..., X-Client-IP, or X-Real-IP request header. It was possible to install the Panel = create the first admin user i...

9.1CVSS5.6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.13 views

Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`

TL;DR This vulnerability affects Kirby sites and plugins that use the writer or list fields or that use $dom-sanitize, Sane::sanitize, Sane\Html::sanitize, Sane\Svg::sanitize, Sane\Xml::sanitize, Sane::sanitizeFile or $file-sanitizeContents with untrusted input. It was possible to inject maliciou...

8.5CVSS5.3AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.8 views

Kirby: Request header injection in `Http\Remote`

TL;DR This vulnerability affects Kirby sites and plugins that use the Kirby\Http\Remote class including Remote::request, Remote::get, Remote::post, and similar helpers to send outgoing HTTP requests and that pass untrusted, user-controlled data into the headers option of such a request. By...

6.9CVSS5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.8 views

Kirby: Self cross-site scripting (self-XSS) in the writer field

TL;DR This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link or email link. This link target would then be clickable by the user who entered it. A successful attack commonly requires knowledge of the...

7.4CVSS5.4AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.10 views

Kirby: `pages.access` permission is not checked in the pages picker for parent pages

TL;DR This vulnerability affects all Kirby sites that use the pages field and where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, options in the model blueprints, or a combination of both...

5.3CVSS5.5AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.7 views

opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token

Summary The Sentry exporter constructs Sentry API URLs by interpolating the span's service.name resource attribute into the URL path without validation. Because service.name is controlled by remote OTLP senders and the operator-configured bearer token is attached to every request, a crafted servi...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.34 views

Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP

The nbconvert HTTP handlers in jupyterserver render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a displaydata outpu...

9.3CVSS5.3AI score0.00227EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.8 views

BBOT: Symlink-Following Arbitrary Write via github_workflows Module

The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...

2.2CVSS5.1AI score0.00091EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:3 p.m.10 views

BBOT: Arbitrary File Write in postman_download Module

The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...

6.5CVSS5.4AI score0.00251EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:3 p.m.9 views

BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing

The dockerpull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication reques...

3.1CVSS5.5AI score0.00167EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:2 p.m.9 views

BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284

The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools e.g. GNU tar which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extractio...

9.6CVSS5.2AI score0.00658EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:52 p.m.7 views

OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags

Summary macOS Swift exec allowlist missed combined POSIX inline flags. In affected versions, a command request using combined POSIX inline-command flags could miss inline-command content expressed through combined flags. This advisory is scoped to the named feature and configuration. It does not...

9.8CVSS5.5AI score0.0024EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:49 p.m.7 views

Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() — incomplete patch of GHSA-r7fx-8g49-7hhr

Summary The fix for GHSA-r7fx-8g49-7hhr / CVE-2026-42841 Stored XSS via Markdown media attribute action is incomplete. The maintainer patched MediaObjectTrait::attribute to deny dangerous attribute names event handlers, style, xmlns, srcdoc, formaction but the sibling MediaObjectTrait::style meth...

6.9CVSS5.3AI score0.00397EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:48 p.m.13 views

praisonai-platform: Authorization Bypass Through User-Controlled Key

Summary The issue create and update endpoints in praisonai-platform accept a projectid in the request body and persist it without validating that the project belongs to the URL workspace. A user who is a member of workspace WB and has no access to workspace WA can create issues that reference a...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:31 p.m.12 views

Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets

Summary An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the admin's bcrypt password hash and email, plus user/config/ with all site configuration. The download endpoint requires...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:30 p.m.11 views

MCPVault: PathFilter restricted-directory deny-list bypass via case and trailing dot/space equivalence

On case-insensitive filesystems macOS, Windows, PathFilter compiled its deny-list patterns case-sensitively and matched the path verbatim, so names like .Git/config, .GIT/config, or .oBsIdIaN/secrets.md slipped past the .git/.obsidian/nodemodules restriction while the OS opened the real file. On...

5.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:28 p.m.28 views

pypdf: Missing stream length values ignore defined limits

Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAXDECLAREDSTREAMLENGTH is sometimes ignored. This requires parsing a content stream without a /Length value. Patches This has been fixed in pypdf==6.13.3. Workarounds If you cannot upgrade yet,...

5.3AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:28 p.m.11 views

Podman: WORKDIR symlink traversal vulnerability

Summary Running a malicous container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree durin...

5.3CVSS5.4AI score0.00317EPSS
Exploits1References4Affected Software3
Github Security Blog
Github Security Blog
added 2026/06/18 2:28 p.m.10 views

undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent

Impact undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI socks5:// or socks://. The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername...

7.4CVSS5.9AI score0.00459EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:28 p.m.16 views

undici vulnerable to cross-user information disclosure via shared cache whitespace bypass

Impact Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...

5.9CVSS7AI score0.00374EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:28 p.m.11 views

undici WebSocket client vulnerable to denial of service via cumulative fragment bypass

Impact The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing...

7.5CVSS7AI score0.00426EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:28 p.m.41 views

Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message

Message-level raw option bypasses disableFileAccess / disableUrlAccess, enabling arbitrary file read and full-response SSRF in the sent message - Target: nodemailer/nodemailer, npm nodemailer v9.0.0 HEAD 4e58450eb490e5097a74b2b2cce35a8d9e21856e - Verdict: CONFIRMED local PoC, no network Summary...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:28 p.m.8 views

python-statemachine SCXML <data expr> Eval Injection

Summary python-statemachine 3.1.2 evaluates attributes in SCXML documents using Python's eval. Any application that passes attacker-controlled SCXML content to SCXMLProcessor is vulnerable to arbitrary code execution in the context of the hosting process. Details SCXMLProcessor.parsescxmlfile...

9.8CVSS6.2AI score0.01188EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:27 p.m.27 views

DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)

Summary DOMPurify 3.4.7 shipped a security fix "permanent hook pollution" that makes a registered uponSanitizeAttribute hook's mutation of data.allowedAttributes non-persistent — so allowing an attribute for one element does not leak into later sanitize calls. The fix clones ALLOWEDATTR inside...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:27 p.m.12 views

praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery

praisonai-platform: default JWT signing secret dev-secret-change-me Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai-platform on PyPI Latest version and version tested: 0.1.4,...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:27 p.m.9 views

PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable

Summary praisonai.sandbox.SandlockSandbox is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its SandboxConfig.native path lets callers configure allowed filesystem paths and network=False. On systems where the optional sandlock module imports but reports tha...

10CVSS6.2AI score0.00383EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:27 p.m.15 views

PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication

Summary Setting PRAISONAICALLAUTH=disabled completely disables all authentication on the /api/v1/agents/id/invoke endpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations. Details python...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:27 p.m.10 views

PraisonAI: Server-Side Request Forgery (SSRF) in SearxNG / search_web tools via attacker-controlled searxng_url parameter

Summary A Server-Side Request Forgery SSRF vulnerability in the SearxNG / searchweb search tools allows an attacker to make the server perform requests to arbitrary internal endpoints and read the responses back. The searxngurl argument is passed directly to requests.get with no validation of...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:27 p.m.10 views

praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard)

Affected: praisonai-platform PyPI CWE-287 Improper Authentication Overview GHSA-3qg8-5g3r-79v5 Critical reported that praisonai-platform's JWT signing secret defaulted to the hardcoded literal "dev-secret-change-me", and that the production guard meant to prevent this was default-open it only...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:27 p.m.10 views

PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation

Summary The multiedit tool in src/praisonai/praisonai/tools/multiedit.py allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected path guard. This enables an attacker who can influence agent tool arguments via crafted prompts, user...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:27 p.m.7 views

PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default

Summary The published A2U advisory GHSA-f292-66h9-fpmf says unauthenticated A2U event streaming was fixed in praisonai 4.5.115. Current head still exposes the same A2U subscription and event routes without authentication when the operator starts the documented CLI entrypoint: text praisonai serve...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:26 p.m.7 views

PraisonAI recipe workflow policy can be bypassed by declaring and YAML-approving dangerous tools outside TEMPLATE.yaml

Summary PraisonAI recipe execution has a dangerous-tool policy that is supposed to block default-denied tools unless the caller explicitly passes allowdangeroustools=True. That policy only checks tools declared in TEMPLATE.yaml requires.tools. For steps-based recipes, the actual execution path...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:26 p.m.8 views

npm PraisonAI utility shell safe-command wrapper allowlist bypass via shell chaining

Summary The published npm package praisonai ships dist/tools/utility-tools.js, which exports a shellcommand helper described in source as: text Execute shell command safe version - read-only commands The helper attempts to enforce a safe read-only command allowlist by checking only the first...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:26 p.m.8 views

npm PraisonAI AgentLoop onToolCall approval runs after tool execution

Summary The published npm package praisonai exports createAgentLoop, whose onToolCall callback is documented and exampled as an approval hook. The implementation calls PraisonAI's generateText wrapper with the caller's executable tools first, receives toolResults, and only then calls onToolCall...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:26 p.m.10 views

npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call

Summary The published npm package praisonai exports a TypeScript MCPServer that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with: ts await server.start port: 3000 ; The HTTP transport has no authentication or authorization path. MCPServerConfig does not expose an...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:26 p.m.9 views

npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation

Summary The published npm package praisonai ships a TypeScript AgentOS HTTP server that defaults to host: "0.0.0.0" and registers sensitive agent routes without any authentication or authorization middleware. When a developer starts AgentOS, a network attacker who can reach the service can: - rea...

6.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:26 p.m.8 views

PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool

Summary The codeMode tool in src/praisonai-ts/src/tools/builtins/code-mode.ts uses new Function with a withsandbox pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed via Function'return this' to recover the global object, followed by global.require with...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:26 p.m.8 views

npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining

Summary The published npm package praisonai exports SandboxExecutor, CommandValidator, and sandboxExec as "safe command execution with restrictions." When allowedCommands is configured, CommandValidator checks only the first whitespace-delimited token of the command string. SandboxExecutor then...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:26 p.m.9 views

npm PraisonAI codeMode sandbox escape via Function constructor

Summary The published npm package praisonai exports a TypeScript built-in tool named codeMode. The package describes this tool as executing code in a sandboxed environment, marks its capability as sandbox: true, and registers it through the public tools facade. The implementation does not create ...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:26 p.m.9 views

npm PraisonAI SandboxExecutor network-isolated mode does not block non-proxy-aware network clients

Summary The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as: text network-isolated No network access proxy blocked The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:25 p.m.8 views

npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation

Summary The published npm package praisonai exports an MCPSecurity helper described in source as: text MCP Security - Authentication, authorization, and rate limiting Provides security policies for MCP servers. Its AuthMethod type advertises five authentication methods: ts export type AuthMethod ...

9.1CVSS5.7AI score0.00375EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:25 p.m.8 views

PraisonAI: IMAP Command Injection via Unsanitized Email Search Parameters

Summary The email search tool in src/praisonai-agents/praisonaiagents/tools/emailtools.py constructs IMAP SEARCH commands by interpolating LLM-controlled parameters fromaddr, subject, query directly into IMAP protocol strings using f-string formatting with double-quote delimiters. An attacker who...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:24 p.m.11 views

PraisonAI GitHub template cache path traversal allows outside-cache file write and directory deletion

Summary PraisonAI's template loader accepts GitHub template URIs with refs, for example github:owner/repo/[email protected]. The resolver stores the user-controlled template path and ref verbatim, and the cache layer later joins those values into /.praison/cache/templates/github//// without...

5.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:24 p.m.9 views

Heimdall: Forwarded Header Injection via Unsanitized Host Header in Proxy Mode

Summary When Heimdall operates in proxy mode, it constructs the Forwarded HTTP header after executing the matched rule pipeline by inserting the incoming request's Host header value directly into the header string without sanitizing commas or semicolons. This allows an attacker to inject addition...

5.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 2:24 p.m.9 views

Heimdall: IP Spoofing via Unvalidated Forwarding Headers

Summary When the trustedproxies option is configured, heimdall extracts client IP addresses from the Forwarded for= parameter and X-Forwarded-For headers and exposes them as Request.ClientIPAddresses to the rule pipeline. However, extracted values are not validated to be syntactically valid IP...

5.6AI score
Exploits0References2Affected Software1
Total number of security vulnerabilities33190