搜尋

924 筆結果

嚴重程度:CRITICAL HIGH MEDIUM LOW|生態系:npm PyPI Maven Debian Alpine|⚠ 只看 KEV

CRITICAL9.6CVE-2026-47413praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members2026/6/1
LOW3.1CVE-2026-45426EPSS 0.04%Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access2026/6/1
CRITICAL9.6CVE-2026-47416praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}2026/5/29
CRITICAL9.8CVE-2026-47410praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset2026/5/29
CRITICAL9.8CVE-2026-47391PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution2026/5/29
CRITICAL9.9CVE-2026-47392PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)2026/5/29
CRITICAL9.8CVE-2026-47393PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default2026/5/29
CRITICAL9.8CVE-2026-47396PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset2026/5/29
CRITICAL9.8CVE-2026-8838EPSS 0.08%amazon-redshift-python-driver vulnerable to Remote Code Execution via eval() Injection2026/5/29
CRITICAL9.6CVE-2026-2611EPSS 0.04%MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution2026/5/29
LOW3.7CVE-2026-48524EPSS 0.06%PyJWT is a JSON Web Token implementation in Python.2026/5/28
CRITICAL9.8CVE-2026-25879EPSS 0.08%Langroid has Prompt to SQL Injection, Leading to RCE2026/5/27
CRITICAL9.6CVE-2026-46703OCI layer symlink escape → arbitrary host write2026/5/21
CRITICAL10.0CVE-2026-46695Read-only volume remount bypass via guest CAP_SYS_ADMIN2026/5/21
CRITICAL9.8CVE-2026-31072EPSS 0.18%APScheduler's JSONSerializer and CBORSerializer are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization2026/5/19
LOW3.1CVE-2026-45739Strawberry GraphQL: Default GraphiQL may expose HTTP headers in URLs2026/5/19
CRITICAL9.6CVE-2026-45758Malicious code in guardrails-ai 0.10.1 (supply chain compromise)2026/5/19
CRITICAL9.8CVE-2026-7304EPSS 0.43%SGLang: Unauthenticated RCE via --enable-custom-logit-processor2026/5/18
CRITICAL9.1CVE-2026-7302EPSS 0.10%SGLang's multimodal generation runtime has an unauthenticated path traversal vulnerability2026/5/18
CRITICAL9.8CVE-2026-7301EPSS 0.06%SGLanG: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket2026/5/18
CRITICAL10.0CVE-2026-45369EPSS 0.01%utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol2026/5/14
LOW3.5CVE-2026-45316EPSS 0.01%Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)2026/5/14
LOW3.1CVE-2026-44970dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction2026/5/14
LOW2.5CVE-2026-44969dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled2026/5/14
CRITICAL9.8CVE-2026-31239EPSS 0.05%mamba language model framework vulnerable to insecure deserialization when loading pre-trained models from HuggingFace Hub2026/5/12

第 1 / 37 頁下一頁 →