7035 matches found
Apache Airflow: Authenticated users can bypass the `is_safe_url` check
A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the issafeurl check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to apache-airflow 3.2.2 or later. As a defense-in-dept...
praisonai-platform: Missing authorization on member removal enables full workspace takeover by any user regardless of role
SummaryType: Authorization bypass enabling owner lockout. The DELETE /workspaces/workspaceid/members/userid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member can remove any other member, including the workspace owner, using a single DELETE. There is ...
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID
SummaryPraisonAI Platform's workspace-scoped REST routes contain a systemic object-level authorization flaw that allows an authenticated user from one workspace to access, modify, and delete objects belonging to another workspace by supplying the victim object's global UUID.The affected pattern...
Aider has an SSRF vulnerability through its AWS EC2 Metadata Endpoint
A security vulnerability has been detected in Aider-AI Aider 0.86.3.dev. This affects the function requests.get of the file apidocs.py of the component AWS EC2 Metadata Endpoint. The manipulation leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit...
praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link)
SummaryType: Insecure Direct Object Reference. Five label endpoints — PATCH /workspaces/workspaceid/labels/labelid, DELETE .../labels/labelid, POST .../issues/issueid/labels/labelid, DELETE .../issues/issueid/labels/labelid, GET .../issues/issueid/labels — gate access on...
Apache Airflow has an Improper Authorization issue
The structuredata endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other...
PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership
SummaryPraisonAI Platform has a broken workspace authorization check that allows any authenticated low-privilege workspace member to escalate their own role to owner.The issue is caused by privileged workspace-management routes using the shared dependency requireworkspacemember... without requiri...
Apache Airflow Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
A bug in Apache Airflow's Variable response masker caused nested-key redaction triggered by secret-suffixed key names like password, token, secret, apikey to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nest...
Apache Airflow has no certificate validation on SMTP STARTTLS connections
Apache Airflow's EmailOperator and the underlying airflow.utils.email helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used email smtpstarttls=True without email smtpssl. An attacker positioned between the worker and the configured SMTP...
AstrBot: Manipulation of astr_main_agent's session_id parameter leads to authorization bypass
A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astrmainagent of the file astrbot/core/astrmainagent.py. Such manipulation of the argument sessionid leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly availab...
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API
SummaryThe PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, so any authenticated user can read, modify, and delete resources in any...
PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context
SummaryPraisonAI's direct-prompt CLI automatically expands @url: mentions in raw prompt text before agent execution begins.If a prompt contains @url:, the CLI calls MentionsParser.process.... The @url: handler then performs a direct urllib.request.urlopen request to the attacker-controlled URL an...
PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
SummaryPraisonAI's spidertools URL validation can be bypassed using alternate loopback host encodings.The affected component is:textpraisonaiagents/tools/spidertools.pyThe tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled URLs...
PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
SummaryPraisonAI's spidertools URL validation can be bypassed using alternate loopback host encodings.The affected component is:textpraisonaiagents/tools/spidertools.pyThe tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled URLs...
PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate
SummaryThe fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in mcpserver/adapters/clitools.py: "registers four file-handling tools by default, praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and...
PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context
SummaryPraisonAI's direct-prompt CLI automatically expands @url: mentions in raw prompt text before agent execution begins.If a prompt contains @url:, the CLI calls MentionsParser.process.... The @url: handler then performs a direct urllib.request.urlopen request to the attacker-controlled URL an...
BoxLite has a Timeout Bypass Vulnerability
SummaryBoxLite is a sandbox service that allows users to create lightweight virtual machines Boxes and run OCI containers within them. BoxLite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, BoxLite sends a signal to kill the...
PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334
Arbitrary code execution via ungated spec.loader.execmodule in agentsgenerator.py v4.6.32 chokepoint refactor bypass Summary The v4.6.32 chokepoint refactor which patched CVE-2026-44334 / GHSA-xcmw-grxf-wjhj added the PRAISONAIALLOWLOCALTOOLS env-var gate to the tooloverride.py sinks. However, tw...
ouroboros-ai Vulnerable to Remote Code Execution via Untrusted Project-Directory .env
ImpactA Remote Code Execution RCE vulnerability was discovered in Ouroboros. If a user clones a malicious repository and runs Ouroboros commands within that directory, it can lead to arbitrary code execution and potential system takeover.The vulnerability CWE-426: Untrusted Search Path & CWE-15:...
zeroconf: Unbounded exception-dedup state retains packet buffers via traceback frame locals, enabling LAN-local memory exhaustion
ImpactDNSIncoming.logexceptiondebug and the four QuietLogger exception-dedup methods stored an unbounded seenlogs dict keyed by strsys.excinfo1. The seven IncomingDecodeError messages raised from readname / decodelabelsatoffset RFC 6762 §18 name-decoding error paths all embed self.source — the...
zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood
ImpactDNSCache.asyncadd inserted every response record into cache, expirations, expireheap, and servicecache with no cap on entry count. The only pre-existing protection was a PTR TTL floor DNSPTRMINTTL = 1125 s, RFC 6762 §10, which actually prolonged attacker-injected records, and a periodic...
xiaomusic contains an unauthenticated path traversal vulnerability
xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/filepath:path endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from...
zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service
ImpactDNSIncoming.decodelabelsatoffset recurses once per DNS-name compression pointer RFC 1035 §4.1.4. Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single 3 kB mDNS packet carrying 1500 chained pointers drives the recursion past CPython's...
compliance-trestle Profile Import has an Arbitrary File Read via trestle:// URI and Relative Path Traversal
SummaryThe compliance-trestle library's profile import mechanism resolves trestle:// URIs and relative file paths by joining them with trestleroot and calling .resolve, but performs no boundary check to ensure the resolved path stays within the trestle workspace. An attacker can craft a malicious...
Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows
ImpactArbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows.Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax: - \ — the Windows path separator...
local-deep-research has an SSRF bypass in `safe_get`
SummaryThe URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. DetailsThe current project uses validateurl to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by...
OpenStack Neutron has an Incorrect Authorization issue
In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags...
compliance-trestle Vulnerable to Remote Code Execution via Recursive Server-Side Template Injection (SSTI)
A High severity Server-Side Template Injection SSTI vulnerability exists in the trestle author jinja command. The command recursively evaluates rendered templates, allowing an attacker to achieve arbitrary command execution with privileges of the running process by injecting malicious payloads in...
compliance-trestle Vulnerable to SSRF in Remote Fetching Subsystem
A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module.Finding 1 Critical: SSRF CWE-918The HTTPSFetcher.dofetch method passes a user-supplied URL directly to requests.get without validation. This allows an attacker to...
compliance-trestle - jinja has an Arbitrary File Write via Path Traversal
Relevant Products/Components: trestle/core/commands/author/jinja.py trestle author jinja--- Detailed Description:The -o/--output argument in trestle author jinja allows writing files outside the intended workspace.The application does not properly validate: ../ ..\ absolute pathsThis allows...
Dulwich Vulnerable to Command Injection via Merge Driver Path
SummaryDulwich's ProcessMergeDriver substitutes the file path from the git tree, controllable by an attacker via a malicious branch into the merge driver command via the %P placeholder and executes it with subprocess.run..., shell=True. An attacker who can cause a victim to merge an untrusted...
agno contains a SQL injection vulnerability
agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the deletebymetadata method. Attackers can exploit the unsafe f-string interpolation in...
Shamefile has an arbitrary file read via shamefile.yaml in shame next
ImpactA path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details. PatchesFixed in 0.1.7. Upgrade to eithe...
pretix vulnerable to Authorization Bypass Through User-Controlled Key
When creating an export through the pretix API, API clients are returned an UUID value for their export job a long, random string like 35742818-c375-4d15-839f-d49aecce94d6. Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places...
Taipy contains a path traversal vulnerability
Taipy 4.1.1, fixed in commit 129fd40, contains a path traversal vulnerability in the ElementLibrary.getresource method in taipy/gui/extension/library.py that allows unauthenticated attackers to escape the intended module directory by exploiting an incomplete path containment check using...
compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal
SummaryThe compliance-trestle library's remote fetching cache mechanism HTTPSFetcher and SFTPFetcher constructs the local cache file path from the URL path component without sanitizing path traversal sequences ../. When a remote OSCAL profile references a URL with traversal in its path, the HTTP...
AsyncSSH `AuthorizedKeysFile %u` path traversal allows attacker-selected authorized keys to authenticate a traversal username
SummaryAsyncSSH 2.22.0 expands the OpenSSH-compatible AuthorizedKeysFile %u token with the raw SSH username during pre-authentication server config reload. A server configured with a documented per-user key pattern such as AuthorizedKeysFile authorizedkeys/%u can be made to read an authorized-key...
OpenStack Swift: s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body
In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently...
hermes-agent has an Incorrect Comparison
A security flaw has been discovered in NousResearch hermes-agent 2026.4.23. Affected is the function discoverdashboardplugins of the file hermescli/webserver.py of the component CLI web-dashboard Interface. Performing a manipulation of the argument HERMESENABLEPROJECTPLUGINS results in incorrect...
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability CWE-90 that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP...
vllm has Improper Resource Shutdown or Release
A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used...
Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)
SummaryWhen an application using Pydantic AI opts a URL into forcedownload='allow-local' which disables the default block on private/internal IPs, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form IPv4-mapped IPv6, 6to4, or NAT64. Dual-stack and...
hermes-agent has an Injection issue
A vulnerability was found in NousResearch hermes-agent 2026.4.23. The impacted element is the function scancontextcontent of the file agent/promptbuilder.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The...
Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)
SummaryWhen an application using Pydantic AI opts a URL into forcedownload='allow-local' which disables the default block on private/internal IPs, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form IPv4-mapped IPv6, 6to4, or NAT64. Dual-stack and...
Flask-Security-Too OAuth reauthentication freshness bypass via cross- user OAuth identity acceptance
Summary Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a session as fresh after verifying an OAuth account that belongs to a different user. If an attacker can operate an already-authenticated but stale victim session, they can complete OAuth verification using their own OAuth...
hermes-agent has a sandbox issue
A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This impacts the function executecode of the file tools/codeexecutiontool.py of the component Environment Variable Handler. Such manipulation leads to sandbox issue. It is possible to launch the attack remotely. The...
LiteLLM allows a user to modify their own user_role via the /user/update endpoint
LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...
SQLAdmin: Authorization Bypass on `ajax_lookup`
ImpactThe ajaxlookup endpoint in application.py bypasses the isaccessible access control check that all other endpoints enforce.If a developer restricts model access by overriding isaccessible, an authenticated user can still query that model's data through the ajaxlookup endpoint — silently...
Prefect has an Argument Injection issue
A vulnerability in the GitHubRepository block of the prefect-github integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the reference field. The reference field is concatenated directly into a git clone command string without proper...
aiograpi: Unsafe signup challenge path handling
aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intended...