Lucene search
K
PtsecurityRecent

184925 matches found

Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53133

praisonai-platform: default JWT signing secret dev-secret-change-me Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai-platform on PyPI Latest version and version tested: 0.1.4,...

9.8CVSS5.7AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53140

praisonai: recipe serve authentication middleware silently disables itself when no secret is set Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai on PyPI Version tested: 4.6.48...

9.8CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53151

Compute-bridged file tools allow shell command injection Summary LocalManagedAgent / SandboxedAgent compute bridging wraps read file, list files, and write file when a compute provider is attached. The bridge converts those file operations into shell command strings using raw path arguments, then...

8.8CVSS6.2AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53136

PraisonAI LinearBot processes unsigned webhooks when LINEAR WEBHOOK SECRET is missing Summary PraisonAI's LinearBot starts a public webhook listener on 0.0.0.0 and treats LINEAR WEBHOOK SECRET as optional. When the secret is absent, startup only logs a warning and handle webhook skips...

8.6CVSS6.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.13 views

PT-2026-51181

CVE ID :CVE-2026-12475 Published : June 18, 2026, 4:29 p.m. | 1 hour, 40 minutes ago Description :None Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53134

Affected: praisonai-platform PyPI CWE-287 Improper Authentication Overview GHSA-3qg8-5g3r-79v5 Critical reported that praisonai-platform's JWT signing secret defaulted to the hardcoded literal "dev-secret-change-me", and that the production guard meant to prevent this was default-open it only...

9.8CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.12 views

PT-2026-53185

Summary JWSVerifier::getAlgorithm in src/Library/Signature/JWSVerifier.php line 144 merges protected and unprotected headers using PHP's spread operator: php $completeHeader = ...$signature-getProtectedHeader, ...$signature-getHeader; In PHP, when spreading arrays with duplicate string keys, the...

9.1CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53128

Summary PraisonAI recipe execution has a dangerous-tool policy that is supposed to block default-denied tools unless the caller explicitly passes allow dangerous tools=True. That policy only checks tools declared in TEMPLATE.yaml requires.tools. For steps-based recipes, the actual execution path...

7.8CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53159

Root has patched GHSA-3875-8gcx-7v46 in the @rootio/n8n package for Root:npm. Multiple fixed versions available...

9.1CVSS5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50746

Name of the Vulnerable Software and Affected Versions Docker MCP Plugin affected versions not specified Description A flaw in the OCI image label parsing allows an attacker to inject arbitrary arguments into the docker run command line. This occurs because the io.docker.server.metadata label is...

8.7CVSS6.3AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50778

Name of the Vulnerable Software and Affected Versions Mojolicious::Sessions::Storable versions prior to 0.06 Description The software generates session IDs insecurely. The default session ID generator utilizes a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address o...

5.3CVSS5.9AI score0.00274EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.11 views

PT-2026-50720

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Authenticated users can confirm the existence of arbitrary pages and retrieve their title field values. This occurs when sites use the pages field and user roles have the...

5.3CVSS5.9AI score0.00275EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.20 views

PT-2026-50629

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replace file function. This makes i...

4.3CVSS5.3AI score0.00157EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50782

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.2 Description pam usb provides hardware authentication for Linux using removable media. The software calls the xmlReadFile function with flags=0 when loading the configuration file, which allows libxml2 to process...

6.7CVSS5.8AI score0.00115EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.18 views

PT-2026-50708

Name of the Vulnerable Software and Affected Versions HAProxy versions prior to 3.4.0 Description A null pointer dereference occurs in the hpack dht insert function within src/hpack-tbl.c because the return value of hpack dht defrag is not validated when the memory pool is exhausted. An attacker...

8.7CVSS5.9AI score0.00431EPSS
Exploits0References30
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50795

Name of the Vulnerable Software and Affected Versions mcp-pinot versions prior to 3.1.0 Description mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. The software defaults to running an HTTP MCP server bound to 0.0.0.0:8080 without authentication. Th...

10CVSS5.9AI score0.00498EPSS
Exploits0References15
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.19 views

PT-2026-50799

Name of the Vulnerable Software and Affected Versions Cost Management Interactive Experiences affected versions not specified Description Exposure of sensitive information in Cost Management Interactive Experiences allows an unauthorized attacker to disclose information over a network...

7.5CVSS5.8AI score0.0057EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50634

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf images do setup AJAX handler, which...

8.8CVSS5.9AI score0.00577EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53148

Jobs webhook SSRF protection bypass via DNS rebinding Summary PraisonAI's Async Jobs API validates webhook url when a job request is parsed and again when the internal Job object is constructed. That validation blocks direct loopback/private targets, but it is not bound to the later network...

7.2CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53183

Summary A low-privileged authenticated AgenticMail agent can enumerate another agent's pending/claimed tasks by supplying the target agent name to GET /api/agenticmail/tasks/pending?assignee=. The returned task objects include the task IDs and payloads. The same task IDs can then be used with the...

7.1CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.9 views

PT-2026-53155

Root has patched GHSA-fw8g-cg8f-9j28 in the rootio-github.com/prometheus/prometheus package for Root:Go. Multiple fixed versions available...

5.8AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53129

DiscordApproval accepts unrelated channel messages as dangerous-tool approvals Summary praisonai.bots.DiscordApproval approves a pending dangerous tool call when it sees any later non-bot message in the configured Discord channel whose text is classified as approval, such as yes. The decision is...

8.8CVSS5.9AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53127

SpiderTools redirect-target SSRF protection bypass Summary SpiderTools.scrape page validates the initial URL and rejects direct loopback, private, link-local, metadata, and internal hostnames. It then calls requests.Session.get without disabling automatic redirects or validating redirect Location...

6.5CVSS6.4AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.11 views

PT-2026-51423

Уязвимость программного обеспечения выявления уязвимостей и ошибок PT Application Inspector связана с отсутствием авторизации. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, повысить свои привилегии...

5.6CVSS5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53131

Summary The published npm package praisonai ships a TypeScript AgentOS HTTP server that defaults to host: "0.0.0.0" and registers sensitive agent routes without any authentication or authorization middleware. When a developer starts AgentOS, a network attacker who can reach the service can: - rea...

9.4CVSS6.5AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53160

This update for rootlesskit rebuilds it against the current go security release...

5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.5 views

PT-2026-53116

PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal Summary PraisonAI's Dynamic Context module provides filesystem-backed history and terminal-log storage. The SDK reference describes the module as providing: - artifact storage for tool...

7.5CVSS5.7AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53126

HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools Summary praisonai.bots.HTTPApproval renders pending tool approval arguments directly into the approval dashboard HTML. An attacker-controlled tool argument can inject JavaScript into...

8.8CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.9 views

PT-2026-53186

Summary This advisory covers three distinct SQL Injection vulnerabilities within Budibase's database connectors PostgreSQL, Microsoft SQL Server, and MySQL. Because user-controlled schema and table configurations are interpolated directly into raw SQL queries without proper escaping or...

8.4CVSS6.3AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53188

Summary The Docker API server applied its SSRF destination check validate url destination on the non-streaming /crawl path but not on the streaming path. handle stream crawl request passed seed URLs straight to the crawler with no destination validation. A remote, unauthenticated client could cal...

8.6CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.5 views

PT-2026-53138

Summary The published npm package praisonai exports a TypeScript SandboxExecutor with a network-isolated mode. The CLI lists that mode as: text network-isolated No network access proxy blocked The implementation does not create a network namespace, firewall rule, socket filter, or proxy-enforced...

7.6CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53137

PraisonAI Code agent tools fail open without a workspace boundary Summary PraisonAI Code's agent-compatible CODE TOOLS wrappers keep a global workspace root initialized to None. If an application uses CODE TOOLS, code read file, code search replace, or code apply diff before calling set workspace...

7.3CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.10 views

PT-2026-50862

These are all security issues fixed in the tinyproxy-1.11.3-3.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53182

@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get'host'.startsWithgetHostName. Both...

9.3CVSS5.8AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.11 views

PT-2026-50856

These are all security issues fixed in the containerized-data-importer-1.65-api-1.65.0-1.1 package on the GA media of openSUSE Tumbleweed...

8.3CVSS6.6AI score0.01279EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.13 views

PT-2026-50858

These are all security issues fixed in the inspektor-gadget-0.53.2-1.1 package on the GA media of openSUSE Tumbleweed...

7.5CVSS5.9AI score0.0056EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.7 views

PT-2026-53178

Impact When a JWE uses a password-based key-encryption algorithm PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, PBES2AESKW::unwrapKey reads the p2c PBKDF2 iteration count parameter directly from the attacker-controlled JOSE header and passes it to hash pbkdf2 with no upper bound. The...

8.7CVSS6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.10 views

PT-2026-53141

On case-insensitive filesystems macOS, Windows, PathFilter compiled its deny-list patterns case-sensitively and matched the path verbatim, so names like .Git/config, .GIT/config, or .oBsIdIaN/secrets.md slipped past the .git/.obsidian/node modules restriction while the OS opened the real file. On...

6.9CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.6 views

PT-2026-53153

PraisonAI AgentTeam.launch exposes unauthenticated remote agent invocation endpoints Summary PraisonAI's documented Python AgentTeam.launch / Agents.launch HTTP server starts externally reachable agent invocation endpoints without any authentication enforcement. The current implementation registe...

9.8CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.9 views

PT-2026-53161

This update for rootlesskit rebuilds it against the current go security release...

5.8AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.10 views

PT-2026-53149

PraisonAI recipe.run stream skips dangerous-tool policy enforcement Summary PraisonAI recipe execution blocks default-denied dangerous tools unless the caller explicitly passes allow dangerous tools=True. The normal recipe.run path enforces this with check tool policy. The streaming path,...

7.8CVSS6.1AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.9 views

PT-2026-53147

Summary A workspace member can permanently delete any resource — projects, agents, issues, labels, issue dependencies, and issue-label attachments — created by the workspace owner or other members. All six content DELETE endpoints enforce workspace membership but perform no ownership or role chec...

8.1CVSS5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.12 views

PT-2026-50859

These are all security issues fixed in the kubevirt-1.8-container-disk-1.8.3-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.12 views

PT-2026-50860

These are all security issues fixed in the python311-starlette-1.3.1-1.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score0.00187EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.8 views

PT-2026-53181

Summary The digits parameter parsed from a provisioning URI is validated only with a lower bound $value 0 and has no upper bound src/OTP.php:353-357. OTP generation computes $code % 10 $this-getDigits src/OTP.php:283. When digits is large enough that 10 digits overflows PHP's integer range and th...

8.7CVSS5.8AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.25 views

PT-2026-50792

Name of the Vulnerable Software and Affected Versions guzzlehttp/psr7 versions prior to 2.12.1 Description guzzlehttp/psr7 fails to reject Carriage Return CR and Line Feed LF characters in specific HTTP start-line fields, including the request method, protocol version, and response reason phrase...

4.8CVSS5.8AI score0.00158EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.23 views

PT-2026-50580

Name of the Vulnerable Software and Affected Versions PTC Windchill PDMlink versions prior to 11.0 M030 PTC FlexPLM versions prior to 11.0 M030 CPS affected versions not specified Description A critical remote code execution RCE flaw exists due to the deserialization of untrusted data and imprope...

9.8CVSS7AI score0.01247EPSS
Exploits0References33
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.20 views

PT-2026-50707

Name of the Vulnerable Software and Affected Versions HAProxy versions prior to 3.4.0 Description An integer overflow exists in the drl field of the fcgi conn structure within the FastCGI parser. When the contentLength is 65535 and the paddingLength is 1 or more, the drl field wraps to 0. This...

9.1CVSS5.9AI score0.00321EPSS
Exploits0References31
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.9 views

PT-2026-50855

These are all security issues fixed in the alloy-1.17.0-1.1 package on the GA media of openSUSE Tumbleweed...

9.6CVSS7.4AI score0.00533EPSS
Exploits5References15
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.9 views

PT-2026-50854

These are all security issues fixed in the MozillaFirefox-152.0-1.1 package on the GA media of openSUSE Tumbleweed...

9.8CVSS5.9AI score0.00476EPSS
Exploits0References41
Total number of security vulnerabilities184925