4602 matches found
ormar is vulnerable to SQL Injection through aggregate functions min() and max()
Report of SQL Injection Vulnerability in Ormar ORM A SQL Injection attack can be achieved by passing a crafted string to the min or max aggregate functions. Brief descriptionWhen performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into...
wolfSSL Python module vulnerable to Improper Authentication
A vulnerability in the handling of verifymode = CERTREQUIRED in the wolfssl Python package wolfssl-py causes client certificate requirements to not be fully enforced.Because the WOLFSSLVERIFYFAILIFNOPEERCERT flag was not included, the behavior effectively matched CERTOPTIONAL: a peer certificate...
dcap-qvl has Missing Verification for QE Identity
ImpactThis vulnerability involves a critical gap in the cryptographic verification process within the dcap-qvl.The library fetches QE Identity collateral including qeidentity, qeidentitysignature, and qeidentityissuerchain from the PCCS. However, it skips to verify the QE Identity signature again...
Azure AI Language Authoring Elevation of Privilege Vulnerability can Lead to RCE
Deserialization of untrusted data in the Azure AI Language Conversations Authoring client library for Python allows an unauthorized attacker to execute code over a network...
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
ImpactA critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection SSTI. Patches Flask-Reuploaded has been patched in version 1.5.0 Workarounds1. Do not pas...
vLLM has RCE In Video Processing
SummaryA chain of vulnerabilities in vLLM allow Remote Code Execution RCE:1. Info Leak - PIL error messages expose memory addresses, bypassing ASLR2. Heap Overflow - JPEG2000 decoder in OpenCV/FFmpeg has a heap overflow that lets us hijack code executionResult: Send a malicious video URL to vLLM...
MLflow Use of Default Password Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The file contains hard-coded default credentials. An attacker can leverage...
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering
SummaryAn unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event.The payload executes only if a user explicitly views the affected Stacktrace in the web UI. Details When Pygments returns more lines than it was given a known upstream quirk th...
Langflow has Remote Code Execution in CSV Agent
SummaryThe CSV Agent node in Langflow hardcodes allowdangerouscode=True, which automatically exposes LangChain’s Python REPL tool pythonreplast. As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution RCE. 2...
Langroid has WAF Bypass Leading to RCE in TableChatAgent
Affected Scopelangroid = 0.59.31 Vulnerability Description CVE-2025-46724 fix bypass:TableChatAgent can call pandaseval tool to evaluate the expression. There is a WAF in langroid/utils/pandasutils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to literalok...
Codechecker has an authentication bypass for certain API calls
SummaryAuthentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permissions to any existing user in CodeChecker. DetailsThe following functions are affected under the Authentication endpoint: getAuthorisedNames,...
SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability
SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints...
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
Summaryexecutecode in praisonaiagents/tools/pythontools.py v1.6.37, subprocess sandbox mode can be fully bypassed using print.self to retrieve the real Python builtins module, from which import can be extracted via vars and runtime string construction. This achieves arbitrary OS command execution...
Compromise of PyTorch Lightning PyPi Package Versions
Security Advisory: Compromise of PyTorch Lightning PyPI Package Versions Published: 2026-04-30 Last Updated: 2026-05-12 Github Advisory: CVE-2026-44484We have identified a security incident affecting certain versions of one of our PyPI packages. What happenedWe have determined that one or more...
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
SummaryCVE-2026-44338 GHSA-6rmh-7xcm-cpxj documents that PraisonAI ships a code-generator praisonai.deploy.api.generateapiservercode that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart praisonai deploy --type api get a server that:-...
ChromaDB Python project has a pre-authentication code injection vulnerability
A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trustremotecode set to true in...
FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft
Impact The POST /api/v2/firefighter/raid/jirabot endpoint CreateJiraBotView is reachable without authentication permissionclasses = permissions.AllowAny. Its attachments payload is fetched server-side via httpx.get with no URL validation, then uploaded as an attachment on the Jira ticket that get...
Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API
SummaryA SQL injection vulnerability in the Oracle path of FilterEngine.createsqlaquery allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...
imgaug contains an insecure deserialization vulnerability in BackgroundAugmenter class within multicore.py module
The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the augmentimagesworker method without any safety...
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
Summaryexecutecode in praisonaiagents/tools/pythontools.py v1.6.37, subprocess sandbox mode can be fully bypassed using print.self to retrieve the real Python builtins module, from which import can be extracted via vars and runtime string construction. This achieves arbitrary OS command execution...
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
SummaryAlice exposes a Python SDK ProxyShare with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to urllib.parse.urljoin, which replaces Alice's configured target host with Bob's host and returns the server-side response t...
EPyT-Flow vulnerable to unsafe JSON deserialization (__type__)
ImpactEPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer myloadfromjson that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This...
MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...
Open WebUI has an LDAP Empty Password Authentication Bypass
LDAP Empty Password Authentication Bypass Affected Component LDAP authentication endpoint:- backend/openwebui/routers/auths.py lines 468-477, user bind with empty password- backend/openwebui/models/auths.py lines 58-60, LdapForm model Affected VersionsCurrent main branch commit 6fdd19bf1 and like...
utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol
SummaryThe substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix or powershell.exe -Command Windows, allowing an attacker to...
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
SummaryThe Platform server exposes resources under /api/v1/workspaces/workspaceid/... and protects them with a requireworkspacememberworkspaceid FastAPI dependency. The dependency only checks that the caller is a member of the workspaceid in the URL prefix. The route handlers then look up the inn...
PySyft server-side arbitrary Python execution after code approval
PySyft Syft Datasite/Server versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions via @sy.syftfunction for remote execution on the server. While a...
SGLanG: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket
SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads on incoming messages, enabling RCE when exposed to the internet...
SGLang: Unauthenticated RCE via --enable-custom-logit-processor
SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads will be deserialized without validation...
Langroid has Prompt to SQL Injection, Leading to RCE
Security Vulnerability Report: Prompt to SQL Injection leading to RCE in latest Langroid Affected Scopelangroid 0.63.0 Vulnerability Description SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges...
django-s3file is vulnerable to relative path traversal
ImpactS3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILESDepending on how files are handled, this may lead to...
Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API
SummaryA SQL injection vulnerability in FilterEngine.createpostgresquery allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint GET /dids//dids/search. When the external metadata plugin postgresmeta is...
llm CLI tool contains a code injection vulnerability via `--functions` command-line argument
The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...
mamba language model framework vulnerable to insecure deserialization when loading pre-trained models from HuggingFace Hub
The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization CWE-502 when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.frompretrained method uses torch.load to load the pytorchmodel.bin weight file without enabling the security-restrictive...
Horovod contains an insecure deserialization vulnerability in its KVStore HTTP server component
Horovod thru 0.28.1 contains an insecure deserialization vulnerability CWE-502 in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT...
PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset
SummaryPraisonAI's call server exposes a network-facing agent control API without authentication when CALLSERVERTOKEN is not configured.The affected component is the praisonai.api.agentinvoke router as mounted by praisonai.api.call. The authentication helper verifytoken fails open when...
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
SummaryPraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and join...
Ludwig framework is vulnerable to insecure deserialization through its predict() method.
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle .pkl file, it is loaded using...
APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization
The JSONSerializer and CBORSerializer in APScheduler all versions including 3.10.x and 4.0.0a5 are vulnerable to Remote Code Execution RCE via Insecure Deserialization. The unmarshalobject function allows for arbitrary class instantiation and state injection by dynamically importing modules and...
ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView
The /add/ endpoint AddView in core/views.py accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE.When PUBLICADDVIEW=True commo...
praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}
SummaryType: Vertical privilege escalation. The PATCH /workspaces/workspaceid/members/userid endpoint is gated by requireworkspacememberworkspaceid, which defaults to minrole="member" and is never overridden by the route. The handler then calls MemberService.updateroleworkspaceid, userid, body.ro...
PraisonAI Vulnerable Untrusted Remote Template Code Execution
PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates.--- DescriptionWhen a user installs a template from a remote source e.g., GitHub, PraisonA...
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
SummaryBoxlite is a sandbox service that allows users to create lightweight virtual machines Boxes and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for...
amazon-redshift-python-driver vulnerable to Remote Code Execution via eval() Injection
Summaryamazon-redshift-python-driver is the official Python connector for Amazon Redshift. In versions 2.1.13 and earlier, the driver insufficiently validates data received from the server during query result processing. A rogue server or man-in-the-middle could leverage this to execute arbitrary...
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution
SummaryThe first-party PraisonAI A2A server example combines three behaviors into a remotely exploitable Critical chain:1. The example exposes an A2A server without configuring authtoken.2. The same example binds the server to 0.0.0.0.3. The example registers a calculateexpression tool implemente...
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
Summaryexecutecode in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith method to the safegetattr wrapper, achieving arbitrary OS command execution on the host. Detailspythontools.py:20...
Ludwig framework is vulnerable to insecure deserialization in its model serving component
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weightsonly=True...
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
SummaryThe resetuserpassword and gympermissionsuseredit views in wger perform a gym-scope authorization check using Python object comparison != that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment gym=None. A user with...
PraisonAI Has Path Traversal in FileTools
Executive Summary:The path validation has a critical logic bug: it checks for .. AFTER normpath has already collapsed all .. sequences. This makes the check completely useless and allows trivial path traversal to any file on the system.The path validation function also does not resolve the symlin...
pgAdmin 4 server mode has an authorization vulnerability affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's...