7035 matches found
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
SummarySeveral WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model.Confirmed mismatches:- ADD user can reorder packages/files...
parisneo/lollms has an insufficient session expiration vulnerability
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...
stata-mcp has insufficient validation of user-supplied Stata do-file content that can lead to command execution
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution...
OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
Summaryinternalexrundopiz advances the working wavelet pointer with signed 32-bit arithmetic:cwavbuf += nx ny wcount;Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path...
pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
SummaryThe fix for CVE-2026-33509 GHSA-r7mc-x6x7-cqxx added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the Flask session directory is outside both...
OpenEXR has use after free in PyObject_StealAttrString
SummaryThere is a use-after-free in PyObjectStealAttrString of pyOpenEXRold.cpp.This bug was found with ZeroPath. DetailsThe legacy adapter defines PyObjectStealAttrString that calls PyObjectGetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then pas...
PyBlade: SSTI/RCE via Bypassed AST Validation in sandbox.py
A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function issafeast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may...
OpenEXR Makes Use of Uninitialized Memory
SummaryWhile fuzzing openexrexrcheckfuzzer, Valgrind reports a conditional branch depending on uninitialized data inside genericunpack. This indicates a use of uninitialized memory CWE-457. The issue is reproducible with the current OSS-Fuzz harness and a single-file PoC. DetailsEnvironment:-...
OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp
SummaryA heap-buffer-overflow OOB read occurs in the istreamnonparallelread function in ImfContextInit.cpp when parsing a malformed EXR file through a memory-mapped IStream. A signed integer subtraction produces a negative value that is implicitly converted to sizet, resulting in a massive length...
kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write
ImpactPartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured...
PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction
The PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources e.g., GitHub, the application uses Python's zipfile.extractall without verifying if the files within the archive resolve...
PraisonAI recipe registry pull path traversal writes files outside the chosen output directory
SummaryPraisonAI's recipe registry pull flow extracts attacker-controlled .praison tar archives with tar.extractall and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains ../ traversal entries and any user who later pulls that...
OpenEXR has buffer overflow in PyOpenEXR_old's channels() and channel()
SummaryA memory safety bug in the legacy OpenEXR Python adapter the deprecated OpenEXR.InputFile wrapper allow crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects.Integer overflow and unchecked allocation in InputFile.channel and...
LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint
ImpactThe /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to do the following: - Modify proxy configuration and environment variables - Register custom pass-through endpoint handlers pointing to...
LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)
SummaryThe LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a...
web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling
Summaryweb3.py implements CCIP Read / OffchainLookup EIP-3668 by performing HTTP requests to URLs supplied by smart contracts in offchainlookuppayload"urls". The implementation uses these contract-supplied URLs directly after sender / data template substitution without any destination validation:...
vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url `
SummaryA Server Side Request Forgery SSRF vulnerability in downloadbytesfromurl allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions.This can be used to target interna...
LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass
Subject: Security Vulnerability Report Hardcoded JWT Secret CVE-2026-30762Hi HKUDS team,I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE.Vulnerability: Hardcoded JWT signing secretType: Improper Authentication...
curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)
Summarycurlcffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl.Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curlcffi’s TLS impersonation featu...
pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
Vulnerability DetailsCWE-918: Server-Side Request Forgery SSRFThe parseurls API function in src/pyload/core/api/init.py line 556 fetches arbitrary URLs server-side via geturlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can...
D-Tale: Remote Code Execution through redis/shelf storage
ImpactUsers hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. PatchesUsers should upgrade to version 3.22.0. WorkaroundsThere are no workarounds for versions 3.22.0...
OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)
SummaryThe PXR24 decompression function undopxr24impl in OpenEXR internalpxr24.c ignores the actual decompressed size outSize returned by exruncompressbuffer and instead reads from the scratch buffer based solely on the expected size uncompressedsize derived from the header metadata.Additionally,...
OpenEXR: integer overflow to OOB write in uncompress_b44_impl()
SummaryThe B44/B44A decoder in OpenEXR reconstructs row pointers into a scratch buffer using int. When the channel width nx is large enough, the product y nx overflows int, causing the row pointer to wrap before the start of the scratch buffer. Subsequent memcpy calls then write decoded pixel...
Ajenti has an authorization bypass during custom package installation
ImpactAn authenticated user using the authusers plugin authentication method could install a custom package even if this user is not superuser. PatchesThis is fixed in the version 2.2.15. Users should upgrade to this version as soon as possible...
PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution
Summaryrunpython in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "" and passing it to subprocess.run..., shell=True. The escaping logic only handles \ and ", leaving $ and backtick substitutions unescaped, allowing arbitrary OS command executio...
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
SummaryWhile testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub...
Open WebUI has Broken Access Control in Tool Valves
Summary Broken Access Control in Tool ValvesOpen WebUI supports function calling through "Tools". Function calling allows an LLM to reliably connect to external tools and interact with external APIs. Exemplary use-cases include connecting to an internal knowledge base, retrieving emails from an...
PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback
Summarypassthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is...
PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()
SummaryMCPToolIndex.searchtools compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete...
OpenStack Glance is affected by Server-Side Request Forgery (SSRF)
OpenStack Glance versions = 30.0.0 30.1.1, == 31.0.0 are affected by Server-Side Request Forgery SSRF. By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only the glance image import functionality is affected. In particular, the...
FastMCP has a Command Injection vulnerability - Gemini CLI
Server names containing shell metacharacters e.g., & can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are...
PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL
SummaryFileTools.downloadfile in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream with followredirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata...
alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
ImpactThe Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. PatchesFixed in v9.1.0. The Postgres query parser now uses parameterized queries with...
PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
SummarySubprocessSandbox in all modes BASIC, STRICT, NETWORKISOLATED calls subprocess.run with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode v...
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys
SummaryAn issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions.1. ecdsa.der.removeoctetstring accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096...
Hugging Face Smolagents has an Injection issue
A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluateaugassign/evaluatecall/evaluatewith of the file src/smolagents/localpythonexecutor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to...
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check
Vulnerability IDOR in GET/PATCH/DELETE /api/v1/flow/flowidThe readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTOLOGIN setting to decide whether to filter by userid. When AUTOLOGIN was False i.e., authentication was enabled, neither branch enforced an ownership check...
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check
Vulnerability IDOR in GET/PATCH/DELETE /api/v1/flow/flowidThe readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTOLOGIN setting to decide whether to filter by userid. When AUTOLOGIN was False i.e., authentication was enabled, neither branch enforced an ownership check...
Apache Airflow Provider for Databricks: TLS Certificate Verification is Disabled in Databricks Provider K8s Token Exchange
Improper Certificate Validation vulnerability in Apache Airflow Provider for Databricks. Provider code did not validate certificates for connections to Databricks back-end which could result in a man-of-a-middle attack that traffic is intercepted and manipulated or credentials exfiltrated w/o...
Home Assistant has stored XSS in history-graphs
SummaryThe "remaining charge time"-sensor for mobile phones imported/included from Android Auto it appears is vulnerable to the same issue as CVE-2025-62172.This also indicates that any sensor showing their name in the history-graph, is likely to be vulnerable to this issue. DetailsAnother entity...
MLFlow allows Tracing + Assessments Access
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NOPERMISSIONS on the experiment, to read trace information and create assessments for...
Home Assistant has stored XSS in Map-card through malicious device name
SummaryAn authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point The lines or the dots representi...
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
SummaryAny authenticated user can read other users' private memories via /api/v1/retrieval/query/collection DetailsVulnerability 1: Missing authorization in collection queryingIn backend/openwebui/routers/retrieval.py, the querycollectionhandler function accepts a list of collectionnames but...
Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment
SummaryChatWorkflow.chatmessage passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal.The method name chat and parameter name message naturally...
Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries
Summaryadx-mcp-server ListDictstr, Any: client = getkustoclient query = f"tablename | getschema" ListDictstr, Any: client = getkustoclient query = f"tablename | sample samplesize" ListDictstr, Any: client = getkustoclient query = f".show table tablename details" -- KQL injection resultset =...
NVIDIA NeMo Framework contains an RCE vulnerability in checkpoint loading
NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering...
Open WebUI has unauthorized deletion of knowledge files
SummaryAn access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin, but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from...
Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`
SummaryAn unsanitised filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a FileNotFoundError whose message — including the server's absolute DATADIR path — is returned verbatim in the HTTP 400 response body, confirming information...
Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching
A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been release...
pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
SummaryThe setconfigvalue API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run in the thread manager's reconnect logic. A SETTINGS...