搜尋

5,145 筆結果

嚴重程度:CRITICAL HIGH MEDIUM LOW|生態系:npm PyPI Maven Debian Alpine|⚠ 只看 KEV

—CVE-2026-47191kas checks out SHA-like git branches as valid commits2026/6/1
HIGH8.1CVE-2026-47412praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}2026/6/1
HIGH8.3CVE-2026-47415praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR2026/6/1
CRITICAL9.6CVE-2026-47413praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members2026/6/1
MEDIUM6.5CVE-2026-47411praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}2026/6/1
HIGH8.1CVE-2026-47417praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR2026/6/1
HIGH8.1CVE-2026-47418praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR2026/6/1
LOW3.1CVE-2026-45426EPSS 0.04%Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag.2026/6/1
MEDIUM6.5CVE-2026-42360EPSS 0.03%A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g.2026/6/1
MEDIUM5.9CVE-2026-41017EPSS 0.02%Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server be…2026/6/1
MEDIUM6.5CVE-2026-45192EPSS 0.03%A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connec…2026/6/1
CRITICAL9.6CVE-2026-47416praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}2026/5/29
HIGH8.1CVE-2026-47409praisonai-platform: Missing authorization on member removal enables full workspace takeover by any user regardless of role2026/5/29
HIGH7.6CVE-2026-47414praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link)2026/5/29
HIGH8.1CVE-2026-47406praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks2026/5/29
CRITICAL9.8CVE-2026-47410praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset2026/5/29
HIGH8.8CVE-2026-47405PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership2026/5/29
HIGH8.8CVE-2026-47399PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID2026/5/29
—CVE-2026-47407PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation2026/5/29
MEDIUM6.5CVE-2026-47408praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership2026/5/29
HIGH8.8CVE-2026-48169PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API2026/5/29
—CVE-2026-47397PraisonAI has an Arbitrary File Write in Python API2026/5/29
CRITICAL9.8CVE-2026-47391PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution2026/5/29
—CVE-2026-47394PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate2026/5/29
CRITICAL9.9CVE-2026-47392PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)2026/5/29

第 1 / 206 頁下一頁 →