Lucene search
K
PypaMost viewed

4301 matches found

PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)

Summaryexecutecode in praisonaiagents.tools.pythontools defaults tosandboxmode="sandbox", which runs user code in a subprocess wrapped with arestricted builtins dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper blockedattrs, line 143 ofpythontools.py contai...

9.9CVSS6.6AI score0.00541EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

BoxLite: Permission Bypass Allows Modification of Read-Only Files

SummaryBoxlite is a sandbox service that allows users to create lightweight virtual machines Boxes and launch OCI containers within them to run untrusted code.One of the core security features claimed by Boxlite is the ability to mount host directories in read-only mode readonly=True into the VM...

10CVSS6.2AI score0.00289EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization

In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...

9.8CVSS7.8AI score0.04392EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Sentry: Improper authentication on SAML SSO process allows user identity linking

ImpactA critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sent...

9.1CVSS6AI score0.00435EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection

SummaryThe fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parsemcpcommand, allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. Affected Package- Ecosystem: PyPI-...

9.8CVSS6.8AI score0.00824EPSS
Exploits2References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)

SummaryThe memory hooks executor in praisonaiagents passes a user-controlled command stringdirectly to subprocess.run with shell=True atsrc/praisonai-agents/praisonaiagents/memory/hooks.py lines 303 to 305.No sanitization, no shlex.quote, no character filter, and no allowlist checkexists anywhere...

9.3CVSS6.4AI score0.00229EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading

SummaryThe AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags such as !!js/function and !!js/undefined. This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can...

9.8CVSS6.9AI score0.0058EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

LiteLLM: Authentication bypass via OIDC userinfo cache key collision

ImpactWhen JWT authentication is enabled enablejwtauth: true, the OIDC userinfo cache uses token:20 as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters.This configuration option is not enabled by default. Most instances are not affected.An...

9.4CVSS6AI score0.0049EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

aws-mcp has a Command Injection Remote Code Execution Vulnerability

aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling...

9.8CVSS7.8AI score0.01908EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Google Agent Development Kit (ADK) has a Code Injection and Missing Authentication vulnerability

A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit ADK versions 1.7.0 and 2.0.0a1 through 1.28.1 and 2.0.0a2 on Python OSS, Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance.This...

10CVSS6.4AI score0.01816EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass

SummaryMarimo 19.6k stars has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.Unlike other WebSocket endpoints e.g., /ws that correctly...

9.8CVSS7.6AI score0.95645EPSS
Exploits11References10Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI Has Missing Authentication in WebSocket Gateway

SummaryThe PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. Detailsgateway/server.py:242 source -...

9.1CVSS6AI score0.00444EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI Vulnerable to OS Command Injection

The executecommand function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters.--- DescriptionPraisonAI's workflow system and...

9.6CVSS6.4AI score0.00419EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Apache Airflow: JWT token still valid after logout

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario...

9.1CVSS6AI score0.00667EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI Has Authentication Bypass via OAuthManager.validate_token()

SummaryOAuthManager.validatetoken returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities...

9.1CVSS6AI score0.00375EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

parisneo/lollms vulnerable to stored XSS in the social feature

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

9.6CVSS7.1AI score0.00405EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

pyLoad: SSRF filter bypass via HTTP redirect in BaseDownloader (Incomplete fix for CVE-2026-33992)

SummaryThe fix for CVE-2026-33992 GHSA-m74m-f7cr-432x added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are...

9.3CVSS6AI score0.00397EPSS
Exploits2References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions

Summarypraisonai browser start exposes the browser bridge on 0.0.0.0 by default, and its /ws endpoint accepts websocket clients that omit the Origin header entirely. An unauthenticated network client can connect as a fake controller, send startsession, cause the server to forward startautomation ...

9.1CVSS6.2AI score0.00356EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Sentry's improper authentication on SAML SSO process allows user identity linking

ImpactA critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry's private bug bounty program.The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same...

9.8CVSS6AI score0.00623EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()

SummaryThe --mcp CLI argument is passed directly to shlex.split and forwarded through the call chain to anyio.openprocess with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. Detailscli/features/mcp.py:61 source -...

9.8CVSS6.2AI score0.00824EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

gramps-webapi: Zip Slip Path Traversal in Media Archive Import

SummaryA path traversal vulnerability Zip Slip exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server...

9.1CVSS6.1AI score0.00401EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions

Summarypraisonai browser start exposes the browser bridge on 0.0.0.0 by default, and its /ws endpoint accepts websocket clients that omit the Origin header entirely. An unauthenticated network client can connect as a fake controller, send startsession, cause the server to forward startautomation ...

9.1CVSS6.2AI score0.00356EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

pymetasploit3 vulnerable to command injection in console.run_module_with_output()

Command injection vulnerability in console.runmodulewithoutput in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended...

9.8CVSS6.2AI score0.01923EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`

SummaryThe getalluserthreads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via updatethread. When the application loads the thread list, the injected payload executes and grants full database acces...

9.8CVSS6AI score0.00533EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI has critical RCE via `type: job` workflow YAML

praisonai workflow run loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in jobworkflow.py.This supports: - run: → shell command execution via subprocess.run- script: → inline Python execution via exec- python: → arbitrary Python script execution A malicious YAML fi...

9.8CVSS6.3AI score0.00609EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Agno is vulnerable to Eval Injection

Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...

9.8CVSS6.9AI score0.00852EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Upsonic: remote code execution vulnerability in its MCP server/task creation functionality

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

9.8CVSS6.9AI score0.00974EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Pipecat: Remote Code Execution by Pickle Deserialization Through LivekitFrameSerializer

Remote Code Execution via Unsafe Deserialization in Pipecat's LivekitFrameSerializer SummaryA critical vulnerability exists in Pipecat's LivekitFrameSerializer – an optional, non-default, undocumented frame serializer class now deprecated intended for LiveKit integration. The class's deserialize...

9.8CVSS7.2AI score0.00701EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack`

| Field | Value ||---|---|| Severity | Critical || Type | Path traversal -- arbitrary file write via tar.extract without member validation || Affected | src/praisonai/praisonai/cli/features/recipe.py:1170-1172 | Summary cmdunpack in the recipe CLI extracts .praison tar archives using raw...

9.4CVSS6.2AI score0.00379EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Mlflow: Command Injection when serving models with enable_mlserver=True

A command injection vulnerability exists in Mlflow when serving a model with enablemlserver=True. The modeluri is embedded directly into a shell command executed via bash -c without proper sanitization. If the modeluri contains shell metacharacters, such as $ or backticks, it allows for command...

9.6CVSS7.3AI score0.01328EPSS
Exploits2References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration

SummaryPyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive...

9.3CVSS6.1AI score0.00397EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

MLFlow path traversal vulnerability

A path traversal vulnerability exists in the extractarchivetodir function within the mlflow/pyfunc/dbconnectartifactcache.py file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An...

10CVSS7.3AI score0.00587EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

MLflow Command Injection vulnerability

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the installmodeldependenciestoenv function. When deploying a model with envmanager=LOCAL, MLflow reads dependency specifications from the model artifact's pythonenv.yaml file and...

10CVSS7.4AI score0.01994EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py

SummaryAn explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will...

9.8CVSS6.3AI score0.05289EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads without authentication...

9.8CVSS7.5AI score0.01534EPSS
Exploits1References9Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

Technical DescriptionThe OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service.A critical vulnerability exists in the buildurl method. When an OpenAPI...

10CVSS6AI score0.00988EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

LiteLLM has SQL Injection in Proxy API key verification

ImpactA database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route for example POST /chat/completions an...

9.8CVSS6.1AI score0.86607EPSS
Exploits7References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Authlib JWS JWK Header Injection: Signature Verification Bypass

Description SummaryA JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticatedattacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passedto any JWS deserialization function, the library extracts and uses the cryptographic key...

9.1CVSS7.2AI score0.00548EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI has critical RCE via `type: job` workflow YAML

praisonai workflow run loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in jobworkflow.py.This supports: - run: → shell command execution via subprocess.run- script: → inline Python execution via exec- python: → arbitrary Python script execution A malicious YAML fi...

9.8CVSS6.3AI score0.00609EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PickleScan's profile.run blocklist mismatch allows exec() bypass

Summarypicklescan v1.0.3 blocks profile.Profile.run and profile.Profile.runctx but does NOT block the module-level profile.run function. A malicious pickle calling profile.runstatement achieves arbitrary code execution via exec while picklescan reports 0 issues. This is because the blocklist entr...

9.8CVSS6.5AI score0.0046EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

ajenti.plugin.core has password bypass when 2FA is activated

ImpactIf the 2FA was activated, it was possible to bypass the password authentication PatchesThis is fixed in the version 0.112. Users should upgrade to this version as soon as possible...

9.3CVSS5.9AI score0.00329EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

excel-mcp-server has a Path Traversal issue

SummaryA path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode the documented way to use this server remotely, an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on t...

9.4CVSS6.2AI score0.00391EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment

SummaryThe confluencedownloadattachment MCP tool accepts a downloadpath parameter that is written to without any directory boundary enforcement. An attacker who can call this tool and supply or access a Confluence attachment with malicious content can write arbitrary content to any path the serve...

9CVSS6.7AI score0.0226EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator

The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the target path, malicious actions can overwrite sensitive...

10CVSS6.3AI score0.00312EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion

SummaryA Path Traversal vulnerability allows any user or attacker supplying an untrusted statetoken through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service via crash loops when reading...

10CVSS6.1AI score0.00713EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

SciTokens is vulnerable to SQL Injection in KeyCache

SummaryThe KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format to construct SQL queries with user-supplied data such as issuer and keyid. This allowed an attacker to execute arbitrary SQL commands against the local SQLite database.Ran the POC below...

9.8CVSS6.4AI score0.00492EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

External Control of File Name or Path in h2oai/h2o-3

Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is not entirely arbitrary. h2o writes a CSV/XLS/etc file to disk, so the attacker data is wrapped in quotations and starts with "C1", if they're exporting ...

9.3CVSS7.3AI score0.00715EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint

SummaryThe POST /api/v1/buildpublictmp/flowid/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored flow...

9.8CVSS8.1AI score0.99972EPSS
Exploits51References14Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

Command Injection in Apache Airflow and Apache Airflow MySQL Provider

Improper Neutralization of Special Elements used in a Command 'Command Injection' vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0...

9.8CVSS7.2AI score0.11082EPSS
Exploits2References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.1 views

SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module

SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads without authentication...

9.8CVSS7.5AI score0.01158EPSS
Exploits1References8Affected Software1
Total number of security vulnerabilities4301