7035 matches found
LiteLLM: Server-Side Template Injection in /prompts/test endpoint
ImpactThe POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process.The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could...
Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record
The authenticated /ui/dagsendpoint did not enforce per-DAG access control on embedded Human-in-the-Loop HITL and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts including their request parameters and full TaskInstance details for DAG...
kaggle-mcp has a Path Traversal issue
A vulnerability has been found in dexhunter kaggle-mcp up to 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d. This vulnerability affects the function preparekaggledataset of the file src/kagglemcp/server.py. The manipulation of the argument competitionid leads to path traversal. The attack is possible t...
AWS Encryption SDK for Python: Key commitment policy bypass via shared key cache
SummaryAWS Encryption SDK ESDK for Python is a client-side encryption library. An issue exists where, under certain circumstances, a specific cryptographic algorithm downgrade in the caching layer might allow an authenticated local threat actor to bypass key commitment policy enforcement via a...
AstrBot has Incomplete Filtering of Special Elements
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function createtemplate of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The atta...
Wooey has an Incorrect Privilege Assignment issue
A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function addorupdatescript of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has...
pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds wit...
Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4
SummaryThe extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 -...
verl's math_equal() Vulnerable to Arbitrary Code Execution via Unsafe eval()
A vulnerability was identified in ByteDance verl up to 0.7.1. Affected is the function mathequal of the file primemath/grader.py. The manipulation leads to a sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be...
InstructLab vulnerable to Path Traversal
A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...
LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading
SummaryA Server-Side Request Forgery SSRF vulnerability exists in LMDeploy's vision-language module. The loadimage function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and...
InstructLab Includes Functionality from Untrusted Control Sphere
A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...
Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions
The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope.Users are...
AgentScope vulnerable to Server-Side Request Forgery
A weakness has been identified in modelscope agentscope up to 1.0.18. This vulnerability affects the function processaudioblock of the file src/agentscope/agent/agentbase.py. Executing a manipulation of the argument url can lead to server-side request forgery. It is possible to launch the attack...
Apache Doris MCP Server vulnerable to SQL Injection via improper query context neutralization
Apache Doris MCP Server versions prior to 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Versions 0.6.1...
RAGAS has SSRF via Multi-Modal Faithfulness Collections Module
A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function tryprocesslocalfile/tryprocessurl of the file src/ragas/metrics/collections/multimodalfaithfulness/util.py of the component Collections Module. Performing a manipulation of the argument...
Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API
A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function createuploadfile of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack...
Langflow has an Information Leak through Incomplete API Key Redaction
A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function removeapikeys/hasapiterms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated...
Langflow: Cleartext Storage of Authentication Settings in Project Creation Endpoint
A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...
AgentScope vulnerable to Server-Side Request Forgery
A security flaw has been discovered in modelscope agentscope up to 1.0.18. This affects the function getbytesfromweburl of the file src/agentscope/utils/common.py of the component Internal Service. Performing a manipulation results in server-side request forgery. It is possible to initiate the...
AgentScope vulnerable to Server-Side Request Forgery
A vulnerability was identified in modelscope agentscope up to 1.0.18. Affected by this issue is the function parseurl/prepareimage/openaiaudiototext of the file src/agentscope/tool/multimodality/openaitools.py of the component Cloud Metadata Endpoint. Such manipulation of the argument...
AgentScope Vulnerable to Remote Code Injection
A vulnerability was determined in modelscope agentscope up to 1.0.18. Affected by this vulnerability is the function executepythoncode/executeshellcommand of the file src/AgentScope/tool/coding/python.py. This manipulation causes code injection. The attack is possible to be carried out remotely...
apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
FastChat has a Content Moderation Bypass via Arena Side-by-Side Views
A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function addtext of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used. The root cause was...
Langflow vulnerable to injection
A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function getclientip/installmcpconfig of the file src/backend/base/langflow/api/v1/mcpprojects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument...
FastChat has Denial of Service Through Blocking Event Loop in Model Workers (Incomplete Fix for ff66426)
A security vulnerability has been detected in lm-sys fastchat up to 0.2.36. This issue affects the function apigenerate of the component Worker API Endpoint. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed publicly and may be...
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
SummaryThe DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would...
Apache Airflow allows code execution through crafted XCom payloads
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
SummaryThe DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would...
Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to false
In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/exposestacktraces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue...
Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
SummaryThe DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would...
Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries
Secrets in Variables saved as JSON dictionaries were not properly redacted - in case the variables were retrieved by the user the secrets stored as nested fields were not masked.If developers do not store variables with sensitive values in JSON form, their projects are not affected. Otherwise...
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
SummaryThe DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would...
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
The fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass tableprefix straight into f-string SQL. Same root cause, same code pattern, same exploitation...
Home Assistant Command-line Interface: Handling of user-supplied Jinja2 templates
ImpactUp to 1.0.0 of home-assitant-cli or hass-cli for short an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and...
pypdf: Possible long runtimes for wrong size values in incremental mode
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer /Size value in incremental mode. PatchesThis has been fixed in pypdf==6.10.2. WorkaroundsIf you cannot upgrade yet, consider applying the changes from PR 37...
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using /FlateDecode with large size values. PatchesThis has been fixed in pypdf==6.10.2. WorkaroundsIf you cannot upgrade yet, consider applying the changes from P...
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
The fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass tableprefix straight into f-string SQL. Same root cause, same code pattern, same exploitation...
Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures
SummaryThe readonly mode in mcp-neo4j-cypher versions prior to 0.6.0 can be bypassed using CALL procedures. Details ImpactThe enforcing of readonly mode in vulnerable versions could be bypassed by certain APOC procedures. Patchesv0.6.0 release hardened the checks around the mode. The only way to...
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
SummaryThe DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would...
Dagster Vulnerable to SQL Injection via Dynamic Partition Keys in Database I/O Manager Integrations
SummaryThe DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would...
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using /FlateDecode with a /Predictor unequal 1 and large predictor parameters. PatchesThis has been fixed in pypdf==6.10.2. WorkaroundsIf you cannot...
wger has Stored XSS via Unescaped License Attribution Fields
Stored XSS via Unescaped License Attribution Fields SummaryThe AbstractLicenseModel.attributionlink property in wger/utils/models.py constructs HTML strings by directly interpolating user-controlled fields licenseauthor, licensetitle, licenseobjecturl, licenseauthorurl, licensederivativesourceurl...
UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen
uefi-firmware contains a heap out-of-bounds write vulnerability in the native tiano/EFI decompressor. in uefifirmware/compression/Tiano/Decompress.c, ReadCLen reads Number = GetBitsSd, CBIT with CBIT = 9, so Number can be as large as 511, while the destination array Sd-mCLen has NC = 510 elements...
UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable
uefi-firmware contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. in uefifirmware/compression/Tiano/Decompress.c, MakeTable does not validate that bit-length values read from the compressed bitstream are within the expected range 0..16. a crafted firmware blob...
LangSmith SDK: Streaming token events bypass output redaction
SummaryThe LangSmith SDK's output redaction controls hideOutputs in JS, hideoutputs in Python do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a newtoken event containing the raw token value. These events bypass the redaction pipeline...
Apache Airflow: RCE by race condition in example_xcom dag
The example examplexcomthat was included in airflow documentation implemented unsafe pattern of reading valuefrom xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitraryexecution of code on the worker. Since the UI users are already highly...
Apache Airflow: JWT token appearing in logs
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix.Users are recommended to upgrade to version 3.2.0, which fixes this issue...
wger has Broken Access Control in Global Gym Configuration Update Endpoint
Summarywger exposes a global configuration edit endpoint at /config/gym-config/edit implemented by GymConfigUpdateView. The view declares permissionrequired = 'config.changegymconfig' but does not enforce it because it inherits WgerFormMixin ownership-only checks instead of the project’s...