33190 matches found
PGHoard: Password written to debug log
Impact When using .pgpass, database connection information including the username and password will be logged at the debug level. Patches Upgrade to version 2.7.1 or greater. Workarounds Filter out debug-level logs. References This issue was discovered by BugCrowd user DRAKOKORIAN...
Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID
Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID Summary The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who...
opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication
githubreceiver Silently Ignores Configured requiredheaders Authentication Summary The githubreceiver webhook handler does not enforce the requiredheaders configuration. Headers are validated at startup config rejects empty keys/values but never checked on incoming requests. This follows the same...
Kirby: `pages.access` permission is not checked in the `site/find` REST API route
TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, options in the model blueprints, or a combination of both settings. It was possible to...
Kirby: Access to files of top-level drafts is not protected by permissions
TL;DR This vulnerability affects Kirby 5 sites that have the content.fileRedirects option enabled set to true or a custom closure as well as all Kirby 4 sites that haven't explicitly disabled this option. It was possible to access clean file URLs of top-level drafts e.g. /about-us/team.jpg withou...
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
TL;DR This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the Forwarded: for=..., X-Client-IP, or X-Real-IP request header. It was possible to install the Panel = create the first admin user i...
Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`
TL;DR This vulnerability affects Kirby sites and plugins that use the writer or list fields or that use $dom-sanitize, Sane::sanitize, Sane\Html::sanitize, Sane\Svg::sanitize, Sane\Xml::sanitize, Sane::sanitizeFile or $file-sanitizeContents with untrusted input. It was possible to inject maliciou...
Kirby: Request header injection in `Http\Remote`
TL;DR This vulnerability affects Kirby sites and plugins that use the Kirby\Http\Remote class including Remote::request, Remote::get, Remote::post, and similar helpers to send outgoing HTTP requests and that pass untrusted, user-controlled data into the headers option of such a request. By...
Kirby: Self cross-site scripting (self-XSS) in the writer field
TL;DR This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link or email link. This link target would then be clickable by the user who entered it. A successful attack commonly requires knowledge of the...
Kirby: `pages.access` permission is not checked in the pages picker for parent pages
TL;DR This vulnerability affects all Kirby sites that use the pages field and where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, options in the model blueprints, or a combination of both...
opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token
Summary The Sentry exporter constructs Sentry API URLs by interpolating the span's service.name resource attribute into the URL path without validation. Because service.name is controlled by remote OTLP senders and the operator-configured bearer token is attached to every request, a crafted servi...
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP
The nbconvert HTTP handlers in jupyterserver render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a displaydata outpu...
BBOT: Symlink-Following Arbitrary Write via github_workflows Module
The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...
BBOT: Arbitrary File Write in postman_download Module
The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...
BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing
The dockerpull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication reques...
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools e.g. GNU tar which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extractio...
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags
Summary macOS Swift exec allowlist missed combined POSIX inline flags. In affected versions, a command request using combined POSIX inline-command flags could miss inline-command content expressed through combined flags. This advisory is scoped to the named feature and configuration. It does not...
Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() — incomplete patch of GHSA-r7fx-8g49-7hhr
Summary The fix for GHSA-r7fx-8g49-7hhr / CVE-2026-42841 Stored XSS via Markdown media attribute action is incomplete. The maintainer patched MediaObjectTrait::attribute to deny dangerous attribute names event handlers, style, xmlns, srcdoc, formaction but the sibling MediaObjectTrait::style meth...
praisonai-platform: Authorization Bypass Through User-Controlled Key
Summary The issue create and update endpoints in praisonai-platform accept a projectid in the request body and persist it without validating that the project belongs to the URL workspace. A user who is a member of workspace WB and has no access to workspace WA can create issues that reference a...
Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
Summary An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the admin's bcrypt password hash and email, plus user/config/ with all site configuration. The download endpoint requires...
MCPVault: PathFilter restricted-directory deny-list bypass via case and trailing dot/space equivalence
On case-insensitive filesystems macOS, Windows, PathFilter compiled its deny-list patterns case-sensitively and matched the path verbatim, so names like .Git/config, .GIT/config, or .oBsIdIaN/secrets.md slipped past the .git/.obsidian/nodemodules restriction while the OS opened the real file. On...
pypdf: Missing stream length values ignore defined limits
Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAXDECLAREDSTREAMLENGTH is sometimes ignored. This requires parsing a content stream without a /Length value. Patches This has been fixed in pypdf==6.13.3. Workarounds If you cannot upgrade yet,...
Podman: WORKDIR symlink traversal vulnerability
Summary Running a malicous container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree durin...
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Impact undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI socks5:// or socks://. The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername...
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Impact Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Impact The undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing...
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message
Message-level raw option bypasses disableFileAccess / disableUrlAccess, enabling arbitrary file read and full-response SSRF in the sent message - Target: nodemailer/nodemailer, npm nodemailer v9.0.0 HEAD 4e58450eb490e5097a74b2b2cce35a8d9e21856e - Verdict: CONFIRMED local PoC, no network Summary...
python-statemachine SCXML <data expr> Eval Injection
Summary python-statemachine 3.1.2 evaluates attributes in SCXML documents using Python's eval. Any application that passes attacker-controlled SCXML content to SCXMLProcessor is vulnerable to arbitrary code execution in the context of the hosting process. Details SCXMLProcessor.parsescxmlfile...
DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
Summary DOMPurify 3.4.7 shipped a security fix "permanent hook pollution" that makes a registered uponSanitizeAttribute hook's mutation of data.allowedAttributes non-persistent — so allowing an attribute for one element does not leak into later sanitize calls. The fix clones ALLOWEDATTR inside...
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery
praisonai-platform: default JWT signing secret dev-secret-change-me Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai-platform on PyPI Latest version and version tested: 0.1.4,...
PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable
Summary praisonai.sandbox.SandlockSandbox is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its SandboxConfig.native path lets callers configure allowed filesystem paths and network=False. On systems where the optional sandlock module imports but reports tha...
PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication
Summary Setting PRAISONAICALLAUTH=disabled completely disables all authentication on the /api/v1/agents/id/invoke endpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations. Details python...
PraisonAI: Server-Side Request Forgery (SSRF) in SearxNG / search_web tools via attacker-controlled searxng_url parameter
Summary A Server-Side Request Forgery SSRF vulnerability in the SearxNG / searchweb search tools allows an attacker to make the server perform requests to arbitrary internal endpoints and read the responses back. The searxngurl argument is passed directly to requests.get with no validation of...
praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard)
Affected: praisonai-platform PyPI CWE-287 Improper Authentication Overview GHSA-3qg8-5g3r-79v5 Critical reported that praisonai-platform's JWT signing secret defaulted to the hardcoded literal "dev-secret-change-me", and that the production guard meant to prevent this was default-open it only...
PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation
Summary The multiedit tool in src/praisonai/praisonai/tools/multiedit.py allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected path guard. This enables an attacker who can influence agent tool arguments via crafted prompts, user...
PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default
Summary The published A2U advisory GHSA-f292-66h9-fpmf says unauthenticated A2U event streaming was fixed in praisonai 4.5.115. Current head still exposes the same A2U subscription and event routes without authentication when the operator starts the documented CLI entrypoint: text praisonai serve...
PraisonAI recipe workflow policy can be bypassed by declaring and YAML-approving dangerous tools outside TEMPLATE.yaml
Summary PraisonAI recipe execution has a dangerous-tool policy that is supposed to block default-denied tools unless the caller explicitly passes allowdangeroustools=True. That policy only checks tools declared in TEMPLATE.yaml requires.tools. For steps-based recipes, the actual execution path...
npm PraisonAI utility shell safe-command wrapper allowlist bypass via shell chaining
Summary The published npm package praisonai ships dist/tools/utility-tools.js, which exports a shellcommand helper described in source as: text Execute shell command safe version - read-only commands The helper attempts to enforce a safe read-only command allowlist by checking only the first...
npm PraisonAI AgentLoop onToolCall approval runs after tool execution
Summary The published npm package praisonai exports createAgentLoop, whose onToolCall callback is documented and exampled as an approval hook. The implementation calls PraisonAI's generateText wrapper with the caller's executable tools first, receives toolResults, and only then calls onToolCall...
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
Summary The published npm package praisonai exports a TypeScript MCPServer that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with: ts await server.start port: 3000 ; The HTTP transport has no authentication or authorization path. MCPServerConfig does not expose an...
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation
Summary The published npm package praisonai ships a TypeScript AgentOS HTTP server that defaults to host: "0.0.0.0" and registers sensitive agent routes without any authentication or authorization middleware. When a developer starts AgentOS, a network attacker who can reach the service can: - rea...
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool
Summary The codeMode tool in src/praisonai-ts/src/tools/builtins/code-mode.ts uses new Function with a withsandbox pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed via Function'return this' to recover the global object, followed by global.require with...
npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining
Summary The published npm package praisonai exports SandboxExecutor, CommandValidator, and sandboxExec as "safe command execution with restrictions." When allowedCommands is configured, CommandValidator checks only the first whitespace-delimited token of the command string. SandboxExecutor then...
npm PraisonAI codeMode sandbox escape via Function constructor
Summary The published npm package praisonai exports a TypeScript built-in tool named codeMode. The package describes this tool as executing code in a sandboxed environment, marks its capability as sandbox: true, and registers it through the public tools facade. The implementation does not create ...
npm PraisonAI SandboxExecutor network-isolated mode does not block non-proxy-aware network clients
Summary The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as: text network-isolated No network access proxy blocked The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced...
npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation
Summary The published npm package praisonai exports an MCPSecurity helper described in source as: text MCP Security - Authentication, authorization, and rate limiting Provides security policies for MCP servers. Its AuthMethod type advertises five authentication methods: ts export type AuthMethod ...
PraisonAI: IMAP Command Injection via Unsanitized Email Search Parameters
Summary The email search tool in src/praisonai-agents/praisonaiagents/tools/emailtools.py constructs IMAP SEARCH commands by interpolating LLM-controlled parameters fromaddr, subject, query directly into IMAP protocol strings using f-string formatting with double-quote delimiters. An attacker who...
PraisonAI GitHub template cache path traversal allows outside-cache file write and directory deletion
Summary PraisonAI's template loader accepts GitHub template URIs with refs, for example github:owner/repo/[email protected]. The resolver stores the user-controlled template path and ref verbatim, and the cache layer later joins those values into /.praison/cache/templates/github//// without...
Heimdall: Forwarded Header Injection via Unsanitized Host Header in Proxy Mode
Summary When Heimdall operates in proxy mode, it constructs the Forwarded HTTP header after executing the matched rule pipeline by inserting the incoming request's Host header value directly into the header string without sanitizing commas or semicolons. This allows an attacker to inject addition...
Heimdall: IP Spoofing via Unvalidated Forwarding Headers
Summary When the trustedproxies option is configured, heimdall extracts client IP addresses from the Forwarded for= parameter and X-Forwarded-For headers and exposes them as Request.ClientIPAddresses to the rule pipeline. However, extracted values are not validated to be syntactically valid IP...