4301 matches found
PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
Summaryexecutecode in praisonaiagents.tools.pythontools defaults tosandboxmode="sandbox", which runs user code in a subprocess wrapped with arestricted builtins dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper blockedattrs, line 143 ofpythontools.py contai...
BoxLite: Permission Bypass Allows Modification of Read-Only Files
SummaryBoxlite is a sandbox service that allows users to create lightweight virtual machines Boxes and launch OCI containers within them to run untrusted code.One of the core security features claimed by Boxlite is the ability to mount host directories in read-only mode readonly=True into the VM...
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...
Sentry: Improper authentication on SAML SSO process allows user identity linking
ImpactA critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sent...
PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection
SummaryThe fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parsemcpcommand, allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. Affected Package- Ecosystem: PyPI-...
PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
SummaryThe memory hooks executor in praisonaiagents passes a user-controlled command stringdirectly to subprocess.run with shell=True atsrc/praisonai-agents/praisonaiagents/memory/hooks.py lines 303 to 305.No sanitization, no shlex.quote, no character filter, and no allowlist checkexists anywhere...
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
SummaryThe AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can...
LiteLLM: Authentication bypass via OIDC userinfo cache key collision
ImpactWhen JWT authentication is enabled enablejwtauth: true, the OIDC userinfo cache uses token:20 as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters.This configuration option is not enabled by default. Most instances are not affected.An...
aws-mcp has a Command Injection Remote Code Execution Vulnerability
aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling...
Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability
A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit ADK versions 1.7.0 and 2.0.0a1 through 1.28.1 and 2.0.0a2 on Python OSS, Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance.This...
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
SummaryMarimo 19.6k stars has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.Unlike other WebSocket endpoints e.g., /ws that correctly...
PraisonAI Has Missing Authentication in WebSocket Gateway
SummaryThe PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. Detailsgateway/server.py:242 source -...
PraisonAI Vulnerable to OS Command Injection
The executecommand function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters.--- DescriptionPraisonAI's workflow system and...
Apache Airflow: JWT token still valid after logout
When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
SummaryOAuthManager.validatetoken returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities...
parisneo/lollms vulnerable to stored XSS in the social feature
A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...
pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)
SummaryThe fix for CVE-2026-33992 GHSA-m74m-f7cr-432x added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are...
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Summarypraisonai browser start exposes the browser bridge on 0.0.0.0 by default, and its /ws endpoint accepts websocket clients that omit the Origin header entirely. An unauthenticated network client can connect as a fake controller, send startsession, cause the server to forward startautomation ...
Sentry's improper authentication on SAML SSO process allows user identity linking
ImpactA critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry's private bug bounty program.The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same...
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
SummaryThe --mcp CLI argument is passed directly to shlex.split and forwarded through the call chain to anyio.openprocess with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. Detailscli/features/mcp.py:61 source -...
gramps-webapi: Zip Slip Path Traversal in Media Archive Import
SummaryA path traversal vulnerability Zip Slip exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server...
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Summarypraisonai browser start exposes the browser bridge on 0.0.0.0 by default, and its /ws endpoint accepts websocket clients that omit the Origin header entirely. An unauthenticated network client can connect as a fake controller, send startsession, cause the server to forward startautomation ...
pymetasploit3 vulnerable to command injection in console.run_module_with_output()
Command injection vulnerability in console.runmodulewithoutput in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended...
PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`
SummaryThe getalluserthreads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via updatethread. When the application loads the thread list, the injected payload executes and grants full database acces...
PraisonAI has critical RCE via `type: job` workflow YAML
praisonai workflow run loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in jobworkflow.py.This supports: - run: → shell command execution via subprocess.run- script: → inline Python execution via exec- python: → arbitrary Python script execution A malicious YAML fi...
Agno is vulnerable to Eval Injection
Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...
Upsonic: remote code execution vulnerability in its MCP server/task creation functionality
Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...
Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer
Remote Code Execution via Unsafe Deserialization in Pipecat's LivekitFrameSerializer SummaryA critical vulnerability exists in Pipecat's LivekitFrameSerializer – an optional, non-default, undocumented frame serializer class now deprecated intended for LiveKit integration. The class's deserialize...
PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack`
| Field | Value ||---|---|| Severity | Critical || Type | Path traversal -- arbitrary file write via tar.extract without member validation || Affected | src/praisonai/praisonai/cli/features/recipe.py:1170-1172 | Summary cmdunpack in the recipe CLI extracts .praison tar archives using raw...
Mlflow: Command Injection when serving models with enable_mlserver=True
A command injection vulnerability exists in Mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for command...
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
SummaryPyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive...
MLFlow path traversal vulnerability
A path traversal vulnerability exists in the extractarchivetodir function within the mlflow/pyfunc/dbconnectartifactcache.py file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An...
MLflow Command Injection vulnerability
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the installmodeldependenciestoenv function. When deploying a model with envmanager=LOCAL, MLflow reads dependency specifications from the model artifact's pythonenv.yaml file and...
Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py
SummaryAn explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will...
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads without authentication...
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
Technical DescriptionThe OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service.A critical vulnerability exists in the buildurl method. When an OpenAPI...
LiteLLM has SQL Injection in Proxy API key verification
ImpactA database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route for example POST /chat/completions an...
Authlib JWS JWK Header Injection: Signature Verification Bypass
Description SummaryA JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticatedattacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passedto any JWS deserialization function, the library extracts and uses the cryptographic key...
PraisonAI has critical RCE via `type: job` workflow YAML
praisonai workflow run loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in jobworkflow.py.This supports: - run: → shell command execution via subprocess.run- script: → inline Python execution via exec- python: → arbitrary Python script execution A malicious YAML fi...
PickleScan's profile.run blocklist mismatch allows exec() bypass
Summarypicklescan v1.0.3 blocks profile.Profile.run and profile.Profile.runctx but does NOT block the module-level profile.run function. A malicious pickle calling profile.runstatement achieves arbitrary code execution via exec while picklescan reports 0 issues. This is because the blocklist entr...
ajenti.plugin.core has password bypass when 2FA is activated
ImpactIf the 2FA was activated, it was possible to bypass the password authentication PatchesThis is fixed in the version 0.112. Users should upgrade to this version as soon as possible...
excel-mcp-server has a Path Traversal issue
SummaryA path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode the documented way to use this server remotely, an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on t...
MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment
SummaryThe confluencedownloadattachment MCP tool accepts a downloadpath parameter that is written to without any directory boundary enforcement. An attacker who can call this tool and supply or access a Confluence attachment with malicious content can write arbitrary content to any path the serve...
PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator
The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the target path, malicious actions can overwrite sensitive...
Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion
SummaryA Path Traversal vulnerability allows any user or attacker supplying an untrusted statetoken through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service via crash loops when reading...
SciTokens is vulnerable to SQL Injection in KeyCache
SummaryThe KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format to construct SQL queries with user-supplied data such as issuer and keyid. This allowed an attacker to execute arbitrary SQL commands against the local SQLite database.Ran the POC below...
External Control of File Name or Path in h2oai/h2o-3
Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is not entirely arbitrary. h2o writes a CSV/XLS/etc file to disk, so the attacker data is wrapped in quotations and starts with "C1", if they're exporting ...
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
SummaryThe POST /api/v1/buildpublictmp/flowid/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored flow...
Command Injection in Apache Airflow and Apache Airflow MySQL Provider
Improper Neutralization of Special Elements used in a Command 'Command Injection' vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0...
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads without authentication...