5612 matches found
Open WebUI has an LDAP Empty Password Authentication Bypass
LDAP Empty Password Authentication Bypass Affected Component LDAP authentication endpoint:- backend/openwebui/routers/auths.py lines 468-477, user bind with empty password- backend/openwebui/models/auths.py lines 58-60, LdapForm model Affected VersionsCurrent main branch commit 6fdd19bf1 and like...
Codechecker has an authentication bypass for certain API calls
SummaryAuthentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permissions to any existing user in CodeChecker. DetailsThe following functions are affected under the Authentication endpoint: getAuthorisedNames,...
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
Summaryexecutecode in praisonaiagents/tools/pythontools.py v1.6.37, subprocess sandbox mode can be fully bypassed using print.self to retrieve the real Python builtins module, from which import can be extracted via vars and runtime string construction. This achieves arbitrary OS command execution...
misp-modules website - Missing CSRF protection in the website home blueprint
A Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of sessi...
FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft
Impact The POST /api/v2/firefighter/raid/jirabot endpoint CreateJiraBotView is reachable without authentication permissionclasses = permissions.AllowAny. Its attachments payload is fetched server-side via httpx.get with no URL validation, then uploaded as an attachment on the Jira ticket that get...
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
SummaryAlice exposes a Python SDK ProxyShare with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to urllib.parse.urljoin, which replaces Alice's configured target host with Bob's host and returns the server-side response t...
SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability
SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints...
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
Summaryexecutecode in praisonaiagents/tools/pythontools.py v1.6.37, subprocess sandbox mode can be fully bypassed using print.self to retrieve the real Python builtins module, from which import can be extracted via vars and runtime string construction. This achieves arbitrary OS command execution...
Langflow Knowledge Bases API is Vulnerable to Path Traversal
SummaryLangflow is vulnerable to Path Traversal in the Knowledge Bases API DELETE /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this...
Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API
SummaryA SQL injection vulnerability in the Oracle path of FilterEngine.createsqlaquery allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...
utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol
SummaryThe substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix or powershell.exe -Command Windows, allowing an attacker to...
SGLanG: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket
SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads on incoming messages, enabling RCE when exposed to the internet...
praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}
SummaryType: Vertical privilege escalation. The PATCH /workspaces/workspaceid/members/userid endpoint is gated by requireworkspacememberworkspaceid, which defaults to minrole="member" and is never overridden by the route. The handler then calls MemberService.updateroleworkspaceid, userid, body.ro...
SGLang: Unauthenticated RCE via --enable-custom-logit-processor
SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads will be deserialized without validation...
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
SummaryThe Platform server exposes resources under /api/v1/workspaces/workspaceid/... and protects them with a requireworkspacememberworkspaceid FastAPI dependency. The dependency only checks that the caller is a member of the workspaceid in the URL prefix. The route handlers then look up the inn...
Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API
SummaryA SQL injection vulnerability in FilterEngine.createpostgresquery allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint GET /dids//dids/search. When the external metadata plugin postgresmeta is...
mamba language model framework vulnerable to insecure deserialization when loading pre-trained models from HuggingFace Hub
The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization CWE-502 when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.frompretrained method uses torch.load to load the pytorchmodel.bin weight file without enabling the security-restrictive...
django-s3file is vulnerable to relative path traversal
ImpactS3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILESDepending on how files are handled, this may lead to...
llm CLI tool contains a code injection vulnerability via `--functions` command-line argument
The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...
Langroid has Prompt to SQL Injection, Leading to RCE
Security Vulnerability Report: Prompt to SQL Injection leading to RCE in latest Langroid Affected Scopelangroid 0.63.0 Vulnerability Description SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges...
Ludwig framework is vulnerable to insecure deserialization in its model serving component
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weightsonly=True...
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
SummaryThe resetuserpassword and gympermissionsuseredit views in wger perform a gym-scope authorization check using Python object comparison != that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment gym=None. A user with...
PraisonAI Has Path Traversal in FileTools
Executive Summary:The path validation has a critical logic bug: it checks for .. AFTER normpath has already collapsed all .. sequences. This makes the check completely useless and allows trivial path traversal to any file on the system.The path validation function also does not resolve the symlin...
PraisonAI Vulnerable Untrusted Remote Template Code Execution
PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates.--- DescriptionWhen a user installs a template from a remote source e.g., GitHub, PraisonA...
Open Source Kubectl MCP Server vulnerable to arbitrary code execution via user interaction with crafted HTML page
An issue in Open Source Kubectl MCP Server v1.1.1 allows attackers to execute arbitrary code on a victim system via user interaction with a crafted HTML page...
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution
SummaryThe first-party PraisonAI A2A server example combines three behaviors into a remotely exploitable Critical chain:1. The example exposes an A2A server without configuring authtoken.2. The same example binds the server to 0.0.0.0.3. The example registers a calculateexpression tool implemente...
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
SummaryBoxlite is a sandbox service that allows users to create lightweight virtual machines Boxes and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for...
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...
PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
Summaryexecutecode in praisonaiagents.tools.pythontools defaults tosandboxmode="sandbox", which runs user code in a subprocess wrapped with arestricted builtins dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper blockedattrs, line 143 ofpythontools.py contai...
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
Summaryexecutecode in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith method to the safegetattr wrapper, achieving arbitrary OS command execution on the host. Detailspythontools.py:20...
pgAdmin 4 server mode has an authorization vulnerability affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's...
praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
SummaryType: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORMJWTSECRET is unset. A safety check exists but only fires when PLATFORMENV != "dev"; the default value of PLATFORMENV is "dev", so the check is silently...
PraisonAI Has Missing Authentication in WebSocket Gateway
SummaryThe PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. Detailsgateway/server.py:242 source -...
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
SummaryMarimo 19.6k stars has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.Unlike other WebSocket endpoints e.g., /ws that correctly...
Sentry: Improper authentication on SAML SSO process allows user identity linking
ImpactA critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sent...
PraisonAI Vulnerable to OS Command Injection
The executecommand function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters.--- DescriptionPraisonAI's workflow system and...
parisneo/lollms vulnerable to stored XSS in the social feature
A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...
Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability
A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit ADK versions 1.7.0 and 2.0.0a1 through 1.28.1 and 2.0.0a2 on Python OSS, Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance.This...
PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
SummaryThe memory hooks executor in praisonaiagents passes a user-controlled command stringdirectly to subprocess.run with shell=True atsrc/praisonai-agents/praisonaiagents/memory/hooks.py lines 303 to 305.No sanitization, no shlex.quote, no character filter, and no allowlist checkexists anywhere...
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
ImpactWhen JWT authentication is enabled enablejwtauth: true, the OIDC userinfo cache uses token:20 as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters.This configuration option is not enabled by default. Most instances are not affected.An...
aws-mcp has a Command Injection Remote Code Execution Vulnerability
aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling...
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
SummaryThe AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can...
PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection
SummaryThe fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parsemcpcommand, allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. Affected Package- Ecosystem: PyPI-...
Apache Airflow: JWT token still valid after logout
When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
SummaryThe fix for CVE-2026-33992 GHSA-m74m-f7cr-432x added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are...
Agno is vulnerable to Eval Injection
Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...
gramps-webapi: Zip Slip Path Traversal in Media Archive Import
SummaryA path traversal vulnerability Zip Slip exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server...
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Summarypraisonai browser start exposes the browser bridge on 0.0.0.0 by default, and its /ws endpoint accepts websocket clients that omit the Origin header entirely. An unauthenticated network client can connect as a fake controller, send startsession, cause the server to forward startautomation ...
Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer
Remote Code Execution via Unsafe Deserialization in Pipecat's LivekitFrameSerializer SummaryA critical vulnerability exists in Pipecat's LivekitFrameSerializer – an optional, non-default, undocumented frame serializer class now deprecated intended for LiveKit integration. The class's deserialize...
PraisonAI has critical RCE via `type: job` workflow YAML
praisonai workflow run loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in jobworkflow.py.This supports: - run: → shell command execution via subprocess.run- script: → inline Python execution via exec- python: → arbitrary Python script execution A malicious YAML fi...