7035 matches found
python-multipart affected by Denial of Service via large multipart preamble or epilogue data
SummaryA denial of service vulnerability exists when parsing crafted multipart/form-data requests with large preamble or epilogue sections. DetailsTwo inefficient multipart parsing paths could be abused with attacker-controlled input.Before the first multipart boundary, the parser handled leading...
UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen
uefi-firmware contains a heap out-of-bounds write vulnerability in the native tiano/EFI decompressor. in uefifirmware/compression/Tiano/Decompress.c, ReadCLen reads Number = GetBitsSd, CBIT with CBIT = 9, so Number can be as large as 511, while the destination array Sd-mCLen has NC = 510 elements...
Keras has an untrusted deserialization vulnerability
A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safemode=True. This bypasses the security guarantees of safemode and enables arbitrary attacker-controlled...
OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean
In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the userenabledinvert configuration option is False the default. The ldaprestomodel method in the UserApi class only performed string-to-boolean conversion when...
Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check
SummaryThe RegexMatching check in the giskard-checks package passes a user-supplied regular expression pattern directly to Python's re.search without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that...
MetaGPT has an eval injection in metagpt/strategy/tot.py
A vulnerability was identified in FoundationAgents MetaGPT up to 0.8.2. This affects the function generatethoughts of the file metagpt/strategy/tot.py of the component Tree-of-Thought Solver. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit is...
Giskard has Unsandboxed Jinja2 Template Rendering in ConformityCheck
Summary The ConformityCheck class in giskard-checks rendered the rule parameter through Jinja2's default Template constructor. Because the rule string is silently interpreted as a Jinja2 template, a developer may not realize that template expressions embedded in rule definitions are evaluated at...
MetaGPT affected by server-side request forgery in metagpt/utils/common.py
A security flaw has been discovered in FoundationAgents MetaGPT up to 0.8.2. This impacts the function decodeimage of the file metagpt/utils/common.py. The manipulation of the argument imgurlorb64 results in server-side request forgery. It is possible to launch the attack remotely. The exploit ha...
ajenti.plugin.core has race conditions in 2FA
ImpactIf the 2FA was activated, it was possible during a short moment after the authentication of an user to bypass its authentication. PatchesThis is fixed in the version 0.112. Users should upgrade to this version as soon as possible...
pypdf: Manipulated XMP metadata entity declarations can exhaust RAM
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. PatchesThis has been fixed in pypdf==6.10.0. WorkaroundsIf you cannot upgrade yet, consider applying the changes from PR 3724...
pypdf has long runtimes for wrong size values in cross-reference and object streams
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values. PatchesThis has been fixed in pypdf==6.10.1. WorkaroundsIf you cannot upgrade yet, consider...
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
SummarypyLoad caches role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database.As a result, an already logged-in user can keep old revoked privileges until logout/session expir...
MetaGPT has an eval injection via a cross-site request forgery attack
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack...
Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
The accesskey and connectionstring connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidently logged to logs, those values could be seen in the logs. Azure...
PraisonAI Vulnerable to RCE via Automatic tools.py Import
PraisonAI automatically imports ./tools.py from the current working directory when launching certain components. This includes call.py, toolresolver.py, and CLI tool-loading paths.A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code...
Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble
Authenticated arbitrary file write in artifact bundle assembly SummaryAn authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow.A user with a valid authentication token could cause the application to write attacker-controlled content to a...
PraisonAI Vulnerable to RCE via Automatic tools.py Import
PraisonAI automatically imports ./tools.py from the current working directory when launching certain components. This includes call.py, toolresolver.py, and CLI tool-loading paths.A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code...
PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
SummaryThe tableprefix configuration value is directly used to construct SQL table identifiers without validation.If an attacker controls this value, they can manipulate SQL query structure, leading to unauthorized data access e.g., reading internal SQLite tables such as sqlitemaster and tamperin...
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API
SummaryThe /api/v1/runs endpoint accepts an arbitrary webhookurl in the request body with no URL validation. When a submitted job completes success or failure, the server makes an HTTP POST request to this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server se...
PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution
PraisonAI’s MCP Model Context Protocol integration allows spawning background servers via stdio using user-supplied command strings e.g., MCP"npx -y @smithery/cli ...". These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire parent proces...
PraisonAIAgents: SSRF via unvalidated URL in `web_crawl` httpx fallback
| Field | Value ||---|---|| Severity | High || Type | SSRF -- unvalidated URL in webcrawl httpx fallback allows internal network access || Affected | src/praisonai-agents/praisonaiagents/tools/webcrawltools.py:133-180 | Summarywebcrawl's httpx fallback path passes user-supplied URLs directly to...
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
SummaryThe approval system in PraisonAI Agents caches tool approval decisions by tool name only, not by invocation arguments. Once a user approves executecommand for any command e.g., ls -la, all subsequent executecommand calls in that execution context bypass the approval prompt entirely. Combin...
PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
SummaryThe gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no authtoken is configured the default. By adding dangerous tool names e.g., shellexec, filewrite to the allowlist, an attacker can cause the ExecApprovalManager to...
PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool
SummaryThe executecommand function in shelltools.py calls os.path.expandvars on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False line 88 for security. This allows exfiltration of secrets stored in environment variable...
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
SummaryThe AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults...
PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure
PraisonAI's AST-based Python sandbox can be bypassed using type.getattribute trampoline, allowing arbitrary code execution when running untrusted agent code. DescriptionThe executecodedirect function in praisonaiagents/tools/pythontools.py uses AST filtering to block dangerous Python attributes...
PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.specfromfilelocation and immediately executes module-level code via spec.loader.execmodule without explicit user consent,...
PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool
SummaryThe webcrawl function in praisonaiagents/tools/webcrawltools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker or prompt injection in crawled conten...
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
SummaryThe safeextractall function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall. An attacker can publish a malicious recipe bundle...
PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary
SummaryThe listfiles tool in FileTools validates the directory parameter against workspace boundaries via validatepath, but passes the pattern parameter directly to Path.glob without any validation. Since Python's Path.glob supports .. path segments, an attacker can use relative path traversal in...
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
Summaryreadskillfile in skilltools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skillpath parameter. Unlike filetools.readfile which enforces workspace boundary confinement, and unlike runskillscript which requires critical-level approval, readskillfile has...
PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS
SummaryThe WSGI-based recipe registry server server.py reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default no token configured, any local process can send arbitrarily large PO...
PraisonAI has Template Injection in Agent Tool Definitions
SummaryDirect insertion of unescaped user input into template-rendering tools allows arbitrary code execution via specially crafted agent instructions. DetailsThe createagentcentrictools function returns tools like acpcreatefile that process file content using template rendering. When user input...
FoundationAgents MetaGPT vulnerable to eval injection
A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xmlfill of the file metagpt/actions/actionnode.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated cod...
FoundationAgents MetaGPT vulnerable to OS Command Injection in metagpt/tools/libs/terminal.py
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function Bash.run in the library metagpt/tools/libs/terminal.py. This manipulation causes os command injection. The attack is possible to be carried out remotely. The project was informed of the...
FoundationAgents MetaGPT vulnerable to OS Command Injection in metagpt/utils/common.py
A vulnerability was found in FoundationAgents MetaGPT up to 0.8.1. Impacted is the function getmimetype of the file metagpt/utils/common.py. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. The project was...
FoundationAgents MetaGPT vulnerable to os command injection via the Terminal.run_command
A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.runcommand in the library metagpt/tools/libs/terminal.py. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed ...
MetaGPT has an Injection issue
A vulnerability was detected in FoundationAgents MetaGPT up to 0.8.1. This affects the function checksolution of the component HumanEvalBenchmark/MBPPBenchmark. Performing a manipulation results in code injection. The attack may be initiated remotely. The exploit is now public and may be used. Th...
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling
SummaryThe MultiAgentLedger and MultiAgentMonitor components in the provided code exhibit vulnerabilities that can lead to context leakage and arbitrary file operations. Specifically:1. Memory State Leakage via Agent ID Collision: The MultiAgentLedger uses a dictionary to store ledgers by agent I...
PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits
SummaryThe /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent...
LangChain has incomplete f-string validation in prompt templates
LangChain's f-string prompt-template validation was incomplete in two respects.First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate cou...
PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars
Summarydeploy.py constructs a single comma-delimited string for the gcloud rundeploy --set-env-vars argument by directly interpolating openaimodel,openaikey, and openaibase without validating that these values do notcontain commas. gcloud uses a comma as the key-value pair separator...
PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)
SummaryThe Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The sanitizehtml function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent the default installation, the...
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server
The A2U Agent-to-User event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952.The createa2uroutes function registers the following endpoints with NO authentication checks:- GET /a2u/info —...
OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
SummaryThe DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store.This bug is reachable from the publ...
PraisonAI recipe registry publish path traversal allows out-of-root file write
SummaryPraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundl...
Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
SummaryThe attributefilter in the Lupa library is intended to restrict access to sensitive Python attributes when exposing objects to Lua.However, the filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to...
OpenViking contains a missing authorization vulnerability in the task polling endpoints
OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/taskid routes withou...
rfc3161-client Has Improper Certificate Validation
SummaryAn Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority TSA. By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS7 bag of certificates, an attacker can...
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
SummarySeveral WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model.Confirmed mismatches:- ADD user can reorder packages/files...