Lucene search
K
GithubRecent

33190 matches found

Github Security Blog
Github Security Blog
added 2026/06/18 1:59 p.m.8 views

PraisonAI Code agent tools fail open without a workspace boundary

PraisonAI Code agent tools fail open without a workspace boundary Summary PraisonAI Code's agent-compatible CODETOOLS wrappers keep a global workspace root initialized to None. If an application uses CODETOOLS, codereadfile, codesearchreplace, or codeapplydiff before calling setworkspace, the...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:58 p.m.7 views

PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai

Unauthenticated PraisonAI UI MCP connect endpoint executes attacker-chosen local commands Summary PraisonAI v4.6.48 exposes the PraisonAIUI MCP client management API through the default UI host apps without authentication. A remote unauthenticated client can send POST /api/mcp/connect with a...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:58 p.m.6 views

PraisonAI: Webhook signature verification skipped (fail-open) when secret unset, allowing forged inbound webhooks (WhatsApp & Linear bots)

The WhatsApp and Linear bot adapters verify the inbound webhook HMAC signature only when a secret is configured. When the secret environment variable is unset — the default on a fresh install and common in development — verification is skipped entirely and the webhook body is parsed and dispatche...

5.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:58 p.m.9 views

PraisonAI: Missing ownership check on DELETE endpoints allows members to delete others' content in Platform API

Summary A workspace member can permanently delete any resource — projects, agents, issues, labels, issue dependencies, and issue-label attachments — created by the workspace owner or other members. All six content DELETE endpoints enforce workspace membership but perform no ownership or role chec...

5.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:57 p.m.7 views

PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation

AgentOS remains unauthenticated after GHSA-pm96 patched version and allows remote agent invocation Summary PraisonAI's AgentOS FastAPI deployment surface remains unauthenticated in current main and in releases after the published patched version for GHSA-pm96-6xpr-978x / CVE-2026-40151. The publi...

5.3CVSS5.5AI score0.00758EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:57 p.m.8 views

PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints

PraisonAI AgentTeam.launch exposes unauthenticated remote agent invocation endpoints Summary PraisonAI's documented Python AgentTeam.launch / Agents.launch HTTP server starts externally reachable agent invocation endpoints without any authentication enforcement. The current implementation registe...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:57 p.m.9 views

PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding

Jobs webhook SSRF protection bypass via DNS rebinding Summary PraisonAI's Async Jobs API validates webhookurl when a job request is parsed and again when the internal Job object is constructed. That validation blocks direct loopback/private targets, but it is not bound to the later network reques...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:57 p.m.10 views

PraisonAI: Jobs API exposes agent-execution endpoints with no authentication

praisonai: Jobs API exposes agent-execution endpoints with no authentication Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai on PyPI Affected version empirically tested: 4.6.48...

6.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:57 p.m.7 views

PraisonAI: Arbitrary File Read via `@file:` Mention Path Traversal

Summary The MentionsParser in src/praisonai-agents/praisonaiagents/tools/mentions.py processes @file: mentions in agent prompts by reading arbitrary files from the filesystem. When a file path is not found relative to the workspace, the parser falls back to using the path as an absolute path...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:56 p.m.10 views

praisonai: recipe serve auth middleware silently disables itself when no secret is set

praisonai: recipe serve authentication middleware silently disables itself when no secret is set Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai on PyPI Version tested: 4.6.48...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:56 p.m.7 views

praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS

praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI Weakness: CWE-918 Server-Side Request Forgery SSRF. --- Summary The SSRF gua...

5.3AI score0.00014EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:56 p.m.12 views

PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass

Unauthenticated Remote Code Execution via Jobs API and Approval Bypass in PraisonAI Summary An unauthenticated attacker can execute arbitrary OS commands on any server running the PraisonAI Jobs API by submitting a crafted workflow YAML. The attack chains two weaknesses: the /api/v1/runs endpoint...

7AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/18 1:56 p.m.9 views

PraisonAI: Unauthenticated Local File Inclusion via agent_file path in PraisonAI Jobs API

Summary An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the agentfile field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs. Details The agentfile field in...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:55 p.m.9 views

PraisonAI: MCP SSE transport binds 0.0.0.0 with no authentication and no Origin validation; bundled SecurityConfig is never wired in

The MCP SSE server started via ToolsMCPServer.runsse / launchtoolsmcpservertransport="sse" binds to 0.0.0.0 by default and builds its Starlette application with no authentication middleware and no Origin-header validation. The module mcp/mcpsecurity.py provides exactly the needed controls origin...

5.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:55 p.m.8 views

PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder

Summary The executecode tool's subprocess sandbox advertises a three-layer defense AST validation, text-pattern blocklist, restricted builtins. In sandbox mode the default only two layers are active — the text-pattern blocklist is skipped — and both remaining layers are bypassed by combining two...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:55 p.m.7 views

PraisonAI: SpiderTools redirect-target SSRF protection bypass

SpiderTools redirect-target SSRF protection bypass Summary SpiderTools.scrapepage validates the initial URL and rejects direct loopback, private, link-local, metadata, and internal hostnames. It then calls requests.Session.get without disabling automatic redirects or validating redirect Location...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:55 p.m.11 views

PraisonAI: Compute-bridged file tools allow shell command injection

Compute-bridged file tools allow shell command injection Summary LocalManagedAgent / SandboxedAgent compute bridging wraps readfile, listfiles, and writefile when a compute provider is attached. The bridge converts those file operations into shell command strings using raw path arguments, then...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:53 p.m.7 views

PraisonAI recipe.run_stream skips dangerous-tool policy enforcement

PraisonAI recipe.runstream skips dangerous-tool policy enforcement Summary PraisonAI recipe execution blocks default-denied dangerous tools unless the caller explicitly passes allowdangeroustools=True. The normal recipe.run path enforces this with checktoolpolicy. The streaming path,...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.8 views

PraisonAI: HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools

HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools Summary praisonai.bots.HTTPApproval renders pending tool approval arguments directly into the approval dashboard HTML. An attacker-controlled tool argument can inject JavaScript into...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.11 views

PraisonAI LinearBot processes unsigned webhooks when LINEAR_WEBHOOK_SECRET is missing

PraisonAI LinearBot processes unsigned webhooks when LINEARWEBHOOKSECRET is missing Summary PraisonAI's LinearBot starts a public webhook listener on 0.0.0.0 and treats LINEARWEBHOOKSECRET as optional. When the secret is absent, startup only logs a warning and handlewebhook skips Linear-Signature...

6.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.11 views

PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage

PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage Summary PraisonAI's Dynamic Context Discovery feature exposes artifact helper tools through ctx.gettools: python ctx = setupdynamiccontext agent = Agent instructions="You are a data analyst.",...

5.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.7 views

PraisonAI Slack app_mention bypasses configured user/channel authorization

PraisonAI Slack appmention bypasses configured user/channel authorization Summary PraisonAI's Slack bot applies its configured allowedusers, allowedchannels, and unknown-user pairing policy in the normal Slack message event handler, but not in the adjacent Slack appmention event handler. A Slack...

6.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.9 views

PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard

PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard Summary PraisonAI's installed console entrypoint is Typer-first. In current releases, the recipe command is registered in the Typer app and praisonai recipe serve dispatches to the deprecated Typer command in...

6.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.10 views

PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools

PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools Summary praisonaiagents.mcp.ToolsMCPServer.runsse builds a Starlette MCP HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes /sse and /messages/, but it does not valida...

8.1CVSS7.7AI score0.00463EPSS
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.6 views

PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal

PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal Summary PraisonAI's Dynamic Context module provides filesystem-backed history and terminal-log storage. The SDK reference describes the module as providing: - artifact storage for tool...

5.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.10 views

PraisonAI DiscordApproval accepts unrelated channel messages as dangerous-tool approvals

DiscordApproval accepts unrelated channel messages as dangerous-tool approvals Summary praisonai.bots.DiscordApproval approves a pending dangerous tool call when it sees any later non-bot message in the configured Discord channel whose text is classified as approval, such as yes. The decision is...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.11 views

ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider

Summary An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider IdP implementation. When validating JSON Web Tokens JWTs from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer iss, but it fails to validate the...

5.6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.17 views

ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider

Summary Two closely related token lifecycle validation vulnerabilities were discovered in ZITADEL's external JWT Identity Provider IdP implementation. Specifically, within the validation pipeline: Missing Expiration exp Enforcement: If an incoming JWT omits the exp claim entirely, the expiration...

5.5AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.8 views

ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)

Summary Zitadel's OAuth2 / OIDC CodeExchange and RefreshToken implementations omit a critical validation step to ensure that the requesting client matches the client that originally initiated the authorization flow. This violates RFC 6749 Section 4.1.3, which mandates that the authorization serve...

5.9AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:52 p.m.10 views

PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint

Summary The SSE Server-Sent Events server in src/praisonai-agents/praisonaiagents/server/server.py exposes a /publish endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The ServerConfig dataclass line 24 defines an authtoken field, but this token is...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:7 p.m.6 views

ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers

Summary A flaw in the user lifecycle enforcement allowed deleted users to retain their original organization/tenant association. Recreating a deleted user under a distinct organization can cause the new user instance to be incorrectly provisioned within the original organization if the previous I...

5.5AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:7 p.m.15 views

JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables

Summary The JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option. An unauthenticated attacker can flood the server with a large number of unique variable pairs before sending the terminating IAC SE byte,...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:7 p.m.13 views

JLine3 Telnet server: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry

Summary The JLine3 Telnet server remote-telnet module does not apply an upper bound to terminal dimensions received via the Telnet NAWS Negotiate About Window Size option. An unauthenticated remote attacker can send a NAWS subnegotiation advertising a 65535×65535 terminal and repeatedly alternate...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:7 p.m.7 views

TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes

TinaCMS rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs — including case-variant, whitespace-padded, and control-character-obfuscated forms — is rendered into href/src and execut...

4.8CVSS5.2AI score0.00239EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/18 1:6 p.m.10 views

Karate Mock Server RCE via embedded expression evaluation of request-derived data

Summary Karate Mock Server can execute embedded expressions found in attacker-controlled HTTP request data when a Mock Server feature assigns request-derived values such as request, requestHeaders, or requestParams to variables. In affected scenarios, an unauthenticated remote attacker can place ...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:6 p.m.6 views

Hydro: Insufficient session expiration when recreating sessions

Impact Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token. As a result, a...

5.4AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:6 p.m.14 views

http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

Summary fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData, which interpolates each req.body key and value directly in...

7.5CVSS5.4AI score0.00243EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:6 p.m.25 views

http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

Summary http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configur...

8.6CVSS5.6AI score0.0034EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:5 p.m.9 views

NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation

Impact A denial-of-service DoS vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow in t...

5.6AI score
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/18 1:5 p.m.8 views

piscina: Prototype Pollution Gadget → RCE via inherited options.filename

Summary piscina's constructor and run paths read the filename option via plain member access: js // dist/index.js line 92 constructor const filename = options.filename ? 0, common1.maybeFileURLToPathoptions.filename : null; this.options = ...kDefaultOptions, ...options, filename, maxQueue: 0 ; //...

8.1CVSS5.4AI score0.00296EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:5 p.m.7 views

Docker MCP Gateway: Argument injection via OCI image label YAML

Summary A maliciously crafted OCI image label can inject arbitrary arguments into the docker run command line constructed by the MCP Gateway. An attacker who controls an image that the victim references via docker://, or that the victim's catalog pulls a snapshot from, can mount the host...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:5 p.m.10 views

jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()

Summary Jodit.modules.Helpers.setchain, value, obj walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with or contains proto, constructor, or prototype lets the final assignment reach and mutate Object.prototype...

6.3CVSS5.3AI score0.00315EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:4 p.m.7 views

Gotenberg: SSRF via LibreOffice document processing

Summary Server-Side Request Forgery SSRF vulnerability affecting the /forms/libreoffice/convert endpoint in Gotenberg v8.33.0 running with the default configuration. By uploading a specially crafted DOCX document, an attacker can cause LibreOffice to automatically retrieve external resources duri...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:4 p.m.6 views

Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator

Impact When only the Topic or only the User operators are deployed as part of the Entity Operator in the Kafka custom resource, the RBAC rights are not following the principle of least-privilege and the Entity Operator ServiceAccount still has access rights corresponding to both operators. That...

5.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:4 p.m.7 views

Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`

Impact Having the Topic and User operators to watch different namespaces than the one where the Kafka cluster is deployed, is a fully documented feature. When the watchedNamespace field is used within the Topic or User operator as part of the Kafka.spec.entityOperator field, the Cluster Operator...

5.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:4 p.m.7 views

OpenClaw: Tool group policy callers could accept unvalidated group IDs

Summary Tool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id. This advisory is scoped to the named feature and configuration. It does not change...

7.1CVSS5.5AI score0.00169EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:4 p.m.10 views

OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution

Summary Workspace .env CLOUDSDKPYTHON could influence Gmail setup gcloud execution. In affected versions, a workspace .env in a repository opened by a trusted operator could influence which Python runtime gcloud used through CLOUDSDKPYTHON. This advisory is scoped to the named feature and...

7.1CVSS5.6AI score0.00133EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:3 p.m.8 views

OpenClaw: Shell inline-command parsing could miss an allowlist check

Summary Shell inline-command parsing could miss an allowlist check. In affected versions, a command request using shell inline-command forms could route an inline command through a parser case that did not receive the expected allowlist decision. This advisory is scoped to the named feature and...

8.1CVSS5.6AI score0.0026EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:3 p.m.11 views

OpenClaw: Pairing-scoped device session could restore revoked node token authority

Summary In affected releases, a surviving pairing-scoped session for a device could re-establish node token authority after that node token had been revoked. Revocation should require the device to lose that authority unless it is approved again through the normal pairing flow. This issue affects...

8.8CVSS5.3AI score0.00275EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 1:2 p.m.18 views

OpenClaw: Host environment sanitizer missed two Node.js control variables

Summary Host environment sanitizer missed two Node.js control variables. In affected versions, a lower-trust env source such as a workspace .env, tool env override, or skill env block could pass Node.js control variables through the shared sanitizer. This advisory is scoped to the named feature a...

8.1CVSS5.5AI score0.00246EPSS
Exploits0References4Affected Software1
Total number of security vulnerabilities33190