Python

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

PraisonAI before version 4.5.128 exposes sensitive environment variables to untrusted subprocess commands executed through its MCP (Model Context Protocol) integration, enabling credential theft and supply chain attacks when third-party tools like npx packages are invoked. An unauthenticated local attacker with user interaction can trigger MCP commands that inherit the parent process environment, gaining access to API keys, authentication tokens, and database credentials without the knowledge of developers using PraisonAI. The vulnerability is fixed in version 4.5.128.

Arbitrary code execution in PraisonAI multi-agent system (<4.5.128) via Python sandbox escape. Incomplete AST attribute filtering allows type.__getattribute__ trampoline to bypass restrictions on __subclasses__, __globals__, and __bases__, enabling untrusted agent code to break containment. Attack requires local access and user interaction to execute malicious code. No public exploit identified at time of analysis.

Vikunja's file import endpoint bypasses configured maximum file size limits by trusting an attacker-controlled Size field in import metadata rather than validating actual decompressed file content. Authenticated users can upload small compressed zip files (e.g., ~25KB) containing files up to 25MB or larger, exhausting server storage and causing denial of service across all users. The vulnerability affects Vikunja v2.2.2 and earlier versions; a vendor-released patch is available in v2.3.0.

CalDAV output generator in Vikunja allows authenticated users to inject arbitrary iCalendar properties via CRLF characters in task titles, bypassing RFC 5545 TEXT value escaping requirements. An attacker with project write access can craft malicious task titles that break iCalendar property boundaries, enabling injection of fake ATTACH URLs, VALARM notifications, or ORGANIZER spoofing when other users sync via CalDAV. Patch available in version 2.3.0; requires user interaction (calendar sync) to trigger on other users' clients.

Vikunja task title injection in overdue email notifications allows authenticated attackers to embed phishing links and tracking pixels in legitimate SMTP emails by breaking Markdown link syntax with special characters. The vulnerability affects task notification rendering across multiple notification types in Vikunja prior to v2.3.0, where task titles are concatenated directly into Markdown without escaping, survive goldmark rendering and bluemonday sanitization (which intentionally permits <a> and <img> tags), and reach email recipients as trusted-source links within official Vikunja notifications.

Denial of service in Vikunja via algorithmic complexity attack in the addRepeatIntervalToTime function allows authenticated users to exhaust server CPU and database connections by creating repeating tasks with 1-second intervals and dates far in the past (e.g., 1900), triggering billions of loop iterations that hang requests for 60+ seconds and exhaust the default 100-connection pool. CVSS 6.5 with authenticated attack vector; confirmed patched in v2.3.0.

Vikunja task authorization bypass in CalDAV allows authenticated users to read arbitrary task details from any project by knowing a task UID, bypassing REST API permission checks. The GetResource and GetResourcesByList CalDAV methods query tasks by UID without verifying the authenticated user has project access, enabling information disclosure of task titles, descriptions, due dates, and other metadata across organizational boundaries in multi-tenant deployments. Patch available in v2.3.0.

Vikunja API brute-forces TOTP codes by exploiting a database transaction rollback bug that prevents account lockout persistence. When TOTP validation fails, the login handler rolls back the database session containing the failed-attempt counter increment and account lock status, leaving the lockout mechanism non-functional while per-IP rate limiting can be bypassed via distributed attack. Unauthenticated remote attackers who possess a user's password can exhaust the 6-digit TOTP code space (only 1 million combinations) and gain unauthorized access. Patch is available as of Vikunja v2.3.0.

Vikunja API versions prior to 2.3.0 allow authenticated users to read any label metadata and creator information across projects via SQL operator precedence flaw in the hasAccessToLabel function. Any label attached to at least one task becomes readable to all authenticated users regardless of project access permissions, enabling cross-project information disclosure of label titles, descriptions, colors, and creator usernames. The vulnerability requires prior authentication (PR:L per CVSS vector) and carries low complexity attack surface with direct impact to confidentiality. No public exploit code beyond the proof-of-concept in the advisory has been identified, and vendor-released patch version 2.3.0 is available.

Privilege escalation in Vikunja API (v2.2.2 and prior) allows authenticated users with Write permission on a shared project to escalate to Admin by reparenting the project under their own hierarchy. The vulnerability exploits insufficient authorization checks in project reparenting (CanWrite instead of IsAdmin), causing the recursive permission CTE to grant Admin rights. Attackers can then delete projects, remove user access, and manage sharing settings. Publicly available exploit code exists.

Path traversal in zhayujie chatgpt-on-wechat CowAgent up to version 2.0.4 allows unauthenticated remote attackers to read arbitrary files via the filename parameter in the API Memory Content Endpoint (agent/memory/service.py). The vulnerability has a publicly available exploit, carries a moderate CVSS score of 5.3 reflecting limited confidentiality impact, and has been patched by the vendor in version 2.0.5 with patch commit 174ee0cafc9e8e9d97a23c305418251485b8aa89.

PraisonAIAgents versions prior to 1.5.128 allow unauthenticated remote attackers to enumerate arbitrary files on the filesystem by exploiting unvalidated glob patterns in the list_files() tool. An attacker can use relative path traversal sequences (../) within the glob pattern parameter to bypass workspace directory boundary checks, revealing file metadata including existence, names, sizes, and timestamps for any path accessible to the application process. This information disclosure vulnerability has a CVSS score of 5.3 (low/medium impact) and no public exploit code has been identified.

Local privilege escalation in Juniper Networks Junos OS and Junos OS Evolved allows low-privileged authenticated users to execute arbitrary code with root privileges. When unsigned Python operation scripts are enabled in device configuration, attackers can inject and execute malicious op scripts under root-equivalent context, achieving complete system compromise. Affects all Junos OS versions before 22.4R3-S7 and multiple branches through 24.4, plus corresponding Junos OS Evolved releases. No public exploit identified at time of analysis. CVSS 8.5 (High) with local attack vector requiring low privileges and no user interaction.

Stored cross-site scripting (XSS) in PraisonAI versions prior to 4.5.128 allows remote attackers to inject arbitrary JavaScript into agent output rendered by the Flask API endpoint. The vulnerability exists because the _sanitize_html function depends on the nh3 library, which is not declared as a required dependency in pyproject.toml; when nh3 is absent (default installation), HTML sanitization becomes a no-op. Attackers can exploit this via RAG data poisoning, malicious web scraping results, or prompt injection to execute malicious scripts in the browsers of users viewing API output. No public exploit code or active exploitation has been confirmed.

Server-Side Request Forgery in web3.py 6.0.0b3 through 7.14.x and 8.0.0b1 enables malicious smart contracts to force the library to issue HTTP requests to arbitrary destinations via CCIP Read (EIP-3668) URL templates without destination validation. The vulnerability affects all applications using web3.py's .call() method against untrusted contract addresses, as CCIP Read is enabled by default, allowing attackers to target internal network services and cloud metadata endpoints. The issue is remedied in versions 7.15.0 and 8.0.0b2.

Authenticated privilege escalation in pyLoad's WebUI JSON endpoints (/json/package_order, /json/link_order, /json/abort_link) allows low-privileged users to perform unauthorized MODIFY operations that violate the application's permission model. Versions prior to 0.5.0b3.dev97 are affected; the vulnerability requires valid authentication but enables privilege boundary bypass without requiring elevated credentials.

Command injection in PraisonAI pip package allows remote code execution when processing untrusted YAML workflows, agent configurations, or LLM-generated tool calls. Multiple execution paths (`execute_command`, workflow shell steps, action orchestrator) pass user-controlled input to `subprocess.run()` with `shell=True`, enabling arbitrary command execution via shell metacharacters (`;`, `|`, `&&`, `$()`). Affected: PraisonAI versions < 4.5.121. Attack vectors include malicious YAML definitions, agent marketplace poisoning, and document-based prompt injection. No public exploit identified at time of analysis. CVSS 9.7 (Critical) reflects network-accessible unauthenticated attack requiring only user interaction, with complete system compromise potential.

LangChain's f-string prompt-template validation allows information disclosure through attribute access and nested format-specifier injection in DictPromptTemplate and ImagePromptTemplate classes. Unauthenticated remote attackers can craft malicious template strings to expose internal object state, model context, or logs when templates are formatted with rich Python objects. Practical impact is limited to applications that accept untrusted template strings (not just variable values) and pass complex objects into template formatting; hardcoded templates and value-only user input are unaffected. Vendor-released patch available in langchain-core 0.3.84 and 1.2.28.

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/terminal/ws` WebSocket endpoint. The terminal handler skips authentication validation entirely, accepting connections without credential checks and spawning PTY shells directly. Attackers obtain full interactive shell access as root in default Docker deployments through a single WebSocket connection, bypassing Marimo's authentication middleware. No public exploit identified at time of analysis.

Remote code execution in dfir-unfurl versions through 20250810 via exposed Werkzeug debugger. Improper string-based config parsing enables Flask debug mode by default, allowing unauthenticated remote attackers to access the interactive debugger interface and execute arbitrary Python code or extract sensitive application data including source code, environment variables, and stack traces. No public exploit identified at time of analysis.

Server-side request forgery (SSRF) in InvenTree prior to versions 1.2.7 and 1.3.0 allows authenticated users to request arbitrary internal URLs when the INVENTREE_DOWNLOAD_FROM_URL feature is enabled, bypassing URL validation through HTTP redirect chains. An attacker with valid credentials can probe internal networks, access cloud metadata endpoints, or interact with backend services not exposed to the public internet by supplying crafted remote_image URLs that are fetched server-side without IP-range restrictions.

Path traversal in AGiXT Python package (versions ≤1.9.1) allows authenticated attackers to read, write, or delete arbitrary files on the host server. The essential_abilities extension's safe_join() function fails to validate that resolved paths remain within the agent workspace directory, enabling directory traversal sequences (e.g., ../../etc/passwd) to bypass intended file access restrictions. Exploitation requires low-privilege authentication (valid API key) but no user interaction. Public exploit code exists demonstrating /etc/passwd disclosure via the read_file command endpoint.

Buffer overflow in pyca/cryptography library allows reading past allocated memory when non-contiguous Python buffers (such as reversed slices) are passed to cryptographic APIs like Hash.update() on Python 3.11+. Attackers can trigger memory disclosure or denial of service by crafting malformed buffer objects, affecting any application using the cryptography package with vulnerable buffer handling.

Template injection in PraisonAI Python package enables remote code execution through unescaped user input in agent-centric tools. Authenticated attackers inject malicious Jinja2 template expressions via agent instructions to execute arbitrary system commands with process privileges. The create_agent_centric_tools() function passes unsanitized user input directly to template-rendering tools under auto-approval mode, causing expressions like {{self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned")}} to execute rather than render as literal text. Affects PraisonAI pip package. No public exploit identified at time of analysis beyond proof-of-concept in advisory.

Remote code execution in praisonaiagents (all versions through 1.5.113) allows authenticated users to escape the Python subprocess sandbox and execute arbitrary shell commands on the host. The vulnerability exists in the execute_code() tool's sandbox mode, where an incomplete AST attribute blocklist permits frame traversal through exception objects (__traceback__, tb_frame, f_back, f_builtins). Attackers chain these four unblocked attributes to retrieve the real exec builtin from the subprocess wrapper's frame, bypassing all security layers. Exploitation requires low-privilege agent API access and no victim interaction. Confirmed actively exploited (CISA KEV). Publicly available exploit code exists.

Path traversal via backslash bypass in NiceGUI file upload sanitization allows arbitrary file write on Windows systems. The vulnerability exploits a cross-platform path handling inconsistency where PurePosixPath fails to strip backslash-based path traversal sequences, enabling attackers to write files outside the intended upload directory when applications construct paths using the sanitized filename. Windows deployments are exclusively affected; potential remote code execution is possible if executables or application files can be overwritten. No public exploit code identified at time of analysis, though the vulnerability is confirmed in NiceGUI versions prior to 3.10.0.

Authorization bypass in rfc3161-client's TimeStamp Authority (TSA) verification allows remote attackers to impersonate any trusted TSA by exploiting a naive leaf certificate selection algorithm in the PKCS#7 certificate chain. The vulnerability enables an attacker to inject a forged certificate with a target TSA's common name and timeStamping EKU into an authentic timestamp response, causing the library to validate authorization checks against the fake certificate while the cryptographic signature remains valid under the real TSA. This completely defeats TSA pinning mechanisms (common_name, certificate constraints) that applications rely on to ensure timestamp authenticity. Publicly available proof-of-concept demonstrates successful exploitation against FreeTSA, and a vendor-released patch is available in version 1.0.6.

Privilege escalation in XWiki Platform 17.x allows users with script rights to execute arbitrary Python code via an improperly protected scripting API, bypassing Velocity sandbox protections and gaining full system access. This affects XWiki Platform oldcore and legacy-oldcore components prior to versions 17.4.8 and 17.10.1. While requiring existing script-level privileges, the vulnerability enables complete compromise of confidentiality, integrity, and availability. Vendor-released patch available; no public exploit identified at time of analysis.

LightRAG API authentication can be bypassed via JWT algorithm confusion attack, where an attacker forges tokens by specifying 'alg': 'none' in the JWT header to impersonate any user including administrators. The vulnerability exists in the validate_token() method in lightrag/api/auth.py (line 128), which accepts the unsigned 'none' algorithm despite not explicitly permitting it, allowing unauthenticated remote attackers to gain unauthorized access to protected resources. Publicly available proof-of-concept code demonstrates the attack; vendor has released a patch addressing the root cause of improper algorithm validation.

Path traversal in Emmett Python web framework versions 2.5.0 through 2.8.0 allows unauthenticated remote attackers to read arbitrary files from the server filesystem via malicious requests to the RSGI static handler endpoint. Attackers can bypass directory restrictions by inserting ../ sequences in /__emmett__ asset paths (e.g., /__emmett__/../rsgi/handlers.py) to access sensitive files including source code, configuration files, and credentials. With CVSS 9.1 (Critical) and network-based attack vector requiring no privileges or user interaction, this vulnerability poses severe confidentiality and availability risks. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis.

Unbounded recursion in FastFeedParser (Python RSS/Atom parser) allows remote attackers to crash applications via malicious HTML meta-refresh redirect chains. Affecting all versions prior to 0.5.10, attackers can trigger denial-of-service by serving infinite meta-refresh redirects when parse() fetches attacker-controlled URLs, exhausting the Python call stack with no recursion depth limit. EPSS data not available, no public exploit identified at time of analysis, but exploit development is trivial given the straightforward attack vector requiring only HTTP server control.

Memory exhaustion in JWCrypto before 1.5.7 allows unauthenticated remote attackers to cause denial of service on memory-constrained systems by sending crafted JWE tokens with ZIP compression that decompress to approximately 100MB despite remaining under the 250KB input size limit. The vulnerability exploits incomplete validation in the upstream CVE-2024-28102 patch, which restricted input token size but failed to enforce decompressed output limits.

Path traversal in pyLoad's tar extraction allows writing files outside the intended directory via specially crafted archives. The vulnerability stems from incomplete remediation of a prior path traversal fix (CVE-2026-32808), where the _safe_extractall() function continues to use the insecure os.path.commonprefix() instead of the correct os.path.commonpath(). Unauthenticated remote attackers can exploit this via a malicious tar file when a user extracts it, achieving arbitrary file write on the system. The vulnerability affects pyLoad versions prior to 0.5.0b3.dev97 and is fixed in that release.

Privilege escalation in pyLoad prior to 0.5.0b3.dev97 allows authenticated users with SETTINGS permission to bypass admin-only protections and modify SSL certificate and key file paths due to incorrect option name mappings in the ADMIN_ONLY_CORE_OPTIONS authorization set. The vulnerability arises from name mismatches (ssl_cert/ssl_key vs. ssl_certfile/ssl_keyfile) and complete omission of the ssl_certchain option from authorization checks, enabling any SETTINGS-privileged user to overwrite critical SSL configuration-a capability intended exclusively for administrators. CVSS 6.8 reflects high confidentiality and integrity impact with authenticated access required and high attack complexity.

Unbounded memory consumption in Django ASGI applications allows unauthenticated remote attackers to bypass DATA_UPLOAD_MAX_MEMORY_SIZE protections via malformed Content-Length headers, leading to denial of service. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. CVSS 7.5 (High) with network-accessible, low-complexity attack vector requiring no privileges. EPSS data not available; no public exploit identified at time of analysis. Vendor patches released April 2026 across all affected major branches.

Django's MultiPartParser allows authenticated remote attackers to cause denial of service through performance degradation by submitting multipart uploads with Content-Transfer-Encoding: base64 and excessive whitespace. Affected versions include Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30, with unsupported series 5.0.x, 4.1.x, and 3.2.x potentially also vulnerable. The vulnerability has a CVSS 6.5 score reflecting high availability impact but requires authentication (PR:L) and is not actively exploited or publicly weaponized at analysis time.

Django admin changelist forms with ModelAdmin.list_editable enabled allow high-privileged users to create new instances via forged POST requests, bypassing intended access controls. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30; unsupported versions 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. The vulnerability requires admin-level privileges and results in unauthorized data modification rather than data exposure or availability impact. No public exploit code or active exploitation has been confirmed at time of analysis.

Unauthenticated attackers can bypass add permissions in Django GenericInlineModelAdmin (versions 6.0 <6.0.4, 5.2 <5.2.13, 4.2 <4.2.30) by submitting forged POST data to inline model forms. Permission checks fail to validate creation rights on inline model instances, enabling unauthorized database record insertion with network access alone. CVSS 9.8 critical severity reflects complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.01%).

Header spoofing in Django 4.2 through 6.0 allows remote attackers to bypass security controls by exploiting ambiguous ASGI header normalization. The ASGIRequest handler incorrectly maps both hyphenated and underscored header variants to the same underscored version, enabling attackers to send conflicting headers where the malicious version overwrites legitimate security headers. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. No public exploit identified at time of analysis. EPSS data not available, but the unauthenticated network attack vector and high integrity impact warrant immediate patching.

Remote code execution in HuggingFace Transformers library allows arbitrary code execution via malicious checkpoint files. The `_load_rng_state()` method in the `Trainer` class calls `torch.load()` without the `weights_only=True` parameter, enabling deserialization attacks when PyTorch versions below 2.6 are used with torch>=2.2. An attacker can craft a malicious `rng_state.pth` checkpoint file that executes arbitrary code when loaded by an application using affected Transformers versions. The fix is available in version v5.0.0rc3, and no public exploit has been independently confirmed at time of analysis.

Path traversal in PraisonAI's praisonai-agents package allows unauthenticated remote attackers to read or write arbitrary files on affected systems. The vulnerability stems from a critical logic flaw where path validation checks for '..' sequences after normalization has already collapsed them, rendering the security check completely ineffective. Attackers can trivially bypass protections using standard path traversal sequences (e.g., '/tmp/../etc/passwd') to access sensitive files including system credentials, SSH keys, or write malicious content. Publicly available exploit code exists demonstrating trivial exploitation. While no CVSS score is officially assigned, the vendor assessment indicates CVSS 4.0 score of 9.2 (Critical), and this represents a high-priority remediation given the ease of exploitation and severe impact.

Path traversal in PraisonAI recipe registry (<=4.5.112) allows authenticated publishers to write arbitrary files outside the registry root via malicious bundle manifests. The publish endpoint (`POST /v1/recipes/{name}/{version}`) extracts and writes uploaded recipe bundles using attacker-controlled `name` and `version` fields from the bundle's internal `manifest.json` before validating them against the HTTP route parameters. By embedding directory traversal sequences (e.g., `../../outside-dir`) in the manifest, an attacker can create files in arbitrary filesystem locations on the registry host, even though the request ultimately returns HTTP 400. This represents an authenticated arbitrary file write vulnerability (CVSS 7.1, AV:N/AC:L/PR:L) affecting any deployment exposing the recipe registry publish flow. EPSS data not available; no confirmed active exploitation or public exploit code identified beyond researcher PoC at time of analysis.

Arbitrary file write through path traversal in PraisonAI recipe registry allows authenticated publishers to escape extraction directories when victims pull malicious recipes. Attackers craft .praison tar archives with ../ traversal entries that bypass extraction boundaries, enabling file overwrites outside intended directories (CVSS 7.3, AV:N/AC:L/PR:L/UI:R). Both LocalRegistry and HttpRegistry pull operations use unsafe tar.extractall() without member path validation. No public exploit identified at time of analysis, though proof-of-concept demonstrates reliable exploitation via recipe bundle uploads. EPSS data not available, but attack vector requires minimal complexity-authenticated publisher uploads malicious bundle, victim triggers file write by pulling recipe.

Path traversal in PraisonAI Action Orchestrator (v<4.5.113) allows arbitrary file write via directory traversal sequences in action target paths. Attackers can exploit this through malicious ActionStep payloads containing '../' sequences to overwrite critical system files (SSH keys, shell profiles) or plant executables, achieving local privilege escalation or remote code execution. CVSS 9.0 (Critical). Vendor-released patch available in v4.5.113. No public exploit identified at time of analysis, though detailed proof-of-concept demonstrates trivial exploitation via crafted ActionStep objects targeting paths like '../../../tmp/pwned.txt'.

Arbitrary file write via Zip Slip in PraisonAI allows remote attackers to overwrite system files and achieve code execution when users install malicious community templates. The vulnerability affects the PraisonAI Python package's template installation feature, which uses unsafe `zipfile.extractall()` without path traversal validation. A publicly available proof-of-concept demonstrates creating ZIP archives with directory traversal paths (e.g., `../../../../tmp/evil.sh`) that escape the intended extraction directory. With CVSS 8.1 (High) and requiring only user interaction (UI:R) but no authentication (PR:N), this poses significant risk to organizations using PraisonAI's community template ecosystem. EPSS data not available, but exploitation is straightforward given the documented PoC.

Arbitrary Python file overwrite in text-generation-webui versions prior to 4.1.1 enables authenticated high-privilege users to achieve remote code execution by overwriting critical application files like download-model.py through malicious extension settings saved in .py format, then triggering execution via the Model download interface. No public exploit identified at time of analysis, though EPSS data not available for this recent CVE and exploitation methodology is straightforward for authenticated attackers.

Authentication bypass in changedetection.io allows unauthenticated remote attackers to access backup management endpoints due to incorrect Flask decorator ordering. Attackers can trigger backup creation, list all backups, download backup archives containing application secrets, webhook URLs with embedded tokens, monitored URLs, Flask secret keys, and password hashes, or delete all backups without authentication. The vulnerability affects 13 routes across 5 blueprint files where @login_optionally_required is placed before @blueprint.route() instead of after it, causing Flask to register the undecorated function and silently disable authentication. Publicly available exploit code exists (POC demonstrated complete data exfiltration), though no confirmed active exploitation (CISA KEV). EPSS data not provided, but CVSS 9.8 (network-exploitable, no authentication required, high confidentiality/integrity/availability impact) indicates critical severity.

SQL injection in Song-Li cross_browser application allows remote code execution via unsanitized ID parameter in the details endpoint of flask/uniquemachine_app.py. The vulnerability affects all versions up to commit ca690f0fe6954fd9bcda36d071b68ed8682a786a, requires no authentication, and has publicly available exploit code. The vendor has not responded to disclosure attempts, and the product's rolling-release model means no traditional patched version has been released.

Arbitrary code execution in pyload-ng via pickle deserialization allows non-admin users with SETTINGS and ADD permissions to write malicious session files and trigger unauthenticated RCE. Attackers redirect the download directory to Flask's session store (/tmp/pyLoad/flask), plant a crafted pickle payload as a predictable session filename, then trigger deserialization by sending any HTTP request with the corresponding session cookie. This bypasses CVE-2026-33509 fix controls because storage_folder was not added to ADMIN_ONLY_OPTIONS. No public exploit identified at time of analysis, though detailed proof-of-concept methodology is documented in the advisory. EPSS data not available for this recent CVE.

Remote code execution in pyLoad download manager allows authenticated non-admin users with SETTINGS permission to execute arbitrary system commands via the AntiVirus plugin configuration. The vulnerability stems from incomplete enforcement of admin-only security controls: while core configuration options like reconnect scripts and SSL certificates require admin privileges, plugin configuration lacks this protection. Attackers can modify the AntiVirus plugin's executable path (avfile) parameter, which is directly passed to subprocess.Popen() without validation, achieving command execution when file downloads complete. CVSS 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in the GitHub security advisory.

Server-Side Request Forgery in pyLoad-ng allows authenticated users with ADD permissions to read local files via file:// protocol, access internal network services, and exfiltrate cloud metadata. The parse_urls API endpoint fetches arbitrary URLs without protocol validation, enabling attackers to read /etc/passwd, configuration files, SQLite databases, and AWS/GCP metadata endpoints at 169.254.169.254. Error-based responses create a file existence oracle. Multi-protocol support (file://, gopher://, dict://) escalates impact beyond standard HTTP SSRF. CVSS 7.7 reflects network attack vector, low complexity, and scope change with high confidentiality impact. No public exploit code identified at time of analysis, though detailed proof-of-concept included in advisory demonstrates exploitation via curl commands against Docker deployments.

Remote code execution in BentoML's containerization workflow allows attackers to execute arbitrary Python code on victim machines by distributing malicious bento archives containing SSTI payloads. When victims import a weaponized bento and run 'bentoml containerize', unsanitized Jinja2 template rendering executes attacker-controlled code directly on the host system - bypassing all Docker container isolation. The vulnerability stems from using an unsandboxed jinja2.Environment with the dangerous jinja2.ext.do extension to process user-provided dockerfile_template files. Authentication is not required (CVSS PR:N), though exploitation requires user interaction (UI:R) to import and containerize the malicious bento. No public exploit identified at time of analysis, though the GitHub advisory includes detailed proof-of-concept demonstrating host filesystem compromise.

Remote code execution in BerriAI LiteLLM (pkg:pip/litellm) prior to v1.83.0 allows authenticated users without admin privileges to execute arbitrary Python code, modify proxy configuration, read server files, and hijack privileged accounts via an improperly protected /config/update endpoint. Authentication requirements not confirmed from available data. No public exploit identified at time of analysis, but the attack surface is well-documented in the vendor advisory. CVSS score unavailable; however, the combination of RCE capability and authentication bypass warrants immediate remediation for all LiteLLM deployments.

Thread exhaustion in Mesop WebSocket handler (pkg:pip/mesop) allows unauthenticated remote attackers to crash applications via message flooding. The framework spawns unbounded OS threads for each received WebSocket message without rate limiting or pooling, enabling complete denial of service with minimal bandwidth. CVSS 7.5 (High). Publicly available exploit code exists. EPSS data not provided, but the low attack complexity (AC:L) and zero authentication requirement (PR:N) combined with working proof-of-concept significantly elevate real-world exploitation risk. Vendor-released patch available in version 1.2.5 (commit 760a207).

Denial of service in vLLM's VideoMediaIO.load_base64() method allows authenticated remote attackers to crash the server via memory exhaustion by sending API requests with thousands of comma-separated base64-encoded JPEG frames. The vulnerability bypasses the default 32-frame limit enforced in other video loading code paths, allowing attackers to decode gigabytes of image data into memory (e.g., 5000 frames ≈ 4.6 GB for 640x480 RGB) with a small compressed payload. CVSS 6.5 (network-accessible, low complexity, requires authentication, high availability impact); no public exploit code identified at time of analysis.

Server-Side Template Injection in RAGFlow 0.24.0 and earlier allows authenticated users to execute arbitrary OS commands via unsandboxed Jinja2 template rendering in Agent workflow components. The vulnerability affects the Text Processing (StringTransform) and Message components, where user-supplied templates are processed without sandboxing. With a CVSS 8.7 score and low attack complexity (AC:L), authenticated attackers can achieve full system compromise remotely. No public exploit identified at time of analysis, and no vendor-released patch available as of publication date.

Server-Side Request Forgery in curl_cffi Python library allows unauthenticated remote attackers to access internal network resources and cloud metadata endpoints via attacker-controlled redirect chains. The library passes user-supplied URLs directly to libcurl without validating destination IP ranges and follows redirects automatically (CURLOPT_FOLLOWLOCATION enabled), enabling access to services like AWS/GCP metadata APIs (169.254.169.254). TLS fingerprint impersonation features (e.g., 'impersonate=chrome') can disguise these requests as legitimate browser traffic, potentially bypassing network controls. EPSS data not available; no active exploitation confirmed (not in CISA KEV); functional proof-of-concept publicly disclosed in GitHub advisory.

Denial of Service in vLLM OpenAI-compatible API server allows unauthenticated remote attackers to crash the service via a single HTTP request containing an extremely large n parameter. The lack of upper bound validation causes the asyncio event loop to freeze while allocating millions of request object copies, leading to rapid Out-Of-Memory crashes. CVSS 6.5 with moderate real-world risk due to authentication requirement in the disclosed CVSS vector (PR:L), though the description indicates unauthenticated exploitability - a significant discrepancy warranting clarification from the vendor.

Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-of-service by forcing the server to download large files into memory via io.ReadAll. Proof-of-concept demonstrates successful exploitation against Docker deployments reaching host-bound services via host.docker.internal. EPSS score not available; no CISA KEV listing indicates this is not yet confirmed as actively exploited in the wild, though publicly available exploit code exists in the GitHub advisory. Vendor-released patch available.

JWT algorithm confusion in fast-jwt npm package allows remote attackers to forge authentication tokens with arbitrary claims by exploiting incomplete CVE-2023-48223 remediation. The vulnerability (CVSS 9.1 Critical) affects applications using RS256 with public keys containing leading whitespace—a common scenario in database-stored keys, YAML configurations, and environment variables. Attackers possessing the RSA public key (inherently public information) can craft HS256 tokens accepted as valid by the verifier, enabling privilege escalation (e.g., admin: false → admin: true). No authentication required (PR:N), network-exploitable (AV:N), low complexity (AC:L). No public exploit identified at time of analysis, though detailed proof-of-concept code exists in the advisory.

Remote code execution in Agno prior to version 2.3.24 allows attackers to execute arbitrary Python code by manipulating the field_type parameter in FunctionCall objects, which is passed unsafely to eval(). The vulnerability affects all versions before 2.3.24 and requires network access to influence the field_type value, enabling complete system compromise through code injection in the model execution component.

Cross-Origin Resource Sharing (CORS) misconfiguration in vanna-ai vanna up to version 2.0.2 allows authenticated remote attackers to establish permissive cross-domain policies with untrusted domains, leading to information disclosure. The vulnerability affects the FastAPI/Flask Server component and has publicly available exploit code; however, the vendor has not responded to early disclosure attempts. With a CVSS score of 5.3 and confirmed public exploit availability, this represents a moderate-risk authentication-gated information exposure issue.

Path traversal in Ferret's IO::FS::WRITE and IO::FS::READ functions enables remote code execution when web scraping operators process attacker-controlled filenames. The vulnerability affects github.com/MontFerret/ferret (all v2.x and earlier versions), allowing malicious websites to write arbitrary files outside intended directories by injecting '../' sequences into filenames returned via scraped content. Attackers can achieve RCE by writing to /etc/cron.d/, ~/.ssh/authorized_keys, shell profiles, or web server directories. Vendor-released patch available via commit 160ebad6bd50f153453e120f6d909f5b83322917. CVSS 8.1 (High) reflects network attack vector with low complexity requiring user interaction. No public exploit identified at time of analysis beyond the proof-of-concept in the GitHub advisory, and not listed in CISA KEV.

Authentication bypass in PraisonAI MCP server (Python package praisonai) allows remote, unauthenticated attackers to execute arbitrary agents, workflows, and file operations with zero authentication. The OAuthManager.validate_token() method incorrectly returns True for any token when its internal token store is empty (default state), treating all HTTP requests with arbitrary Bearer tokens as authenticated. This grants full access to 50+ registered tools including praisonai.agent.run, praisonai.workflow.run, and container file read/write operations. The server binds to 0.0.0.0 by default with no API key requirement. Public exploit code exists (PoC in GitHub advisory). CVSS 9.1 Critical with network attack vector, low complexity, and no privileges required. EPSS and KEV data not available at time of analysis; no public exploit identified at time of analysis beyond the published PoC.

Missing authentication in PraisonAI Gateway 4.5.87 allows remote unauthenticated attackers to hijack AI agent infrastructure via exposed WebSocket endpoints and topology enumeration. The `/ws` WebSocket endpoint and `/info` REST endpoint accept connections without token validation, enabling arbitrary message injection to registered agents and their tool sets. While the GatewayConfig includes an auth_token field, the implementation never enforces it. Publicly available exploit code exists with concrete proof-of-concept demonstrating unauthenticated connection and agent enumeration. EPSS data not available for this recent CVE, but the network-accessible attack vector (AV:N), low complexity (AC:L), and zero authentication requirement (PR:N) combined with working POC code create immediate risk for exposed instances.

Server-Side Request Forgery (SSRF) in praisonaiagents allows unauthenticated remote attackers to access internal network resources and cloud metadata services. The FileTools.download_file() function passes user-controlled URLs directly to httpx.stream() with redirect following enabled, bypassing network boundaries. On AWS EC2 instances with IMDSv1, attackers can retrieve IAM credentials from the metadata service (169.254.169.254) and write them to disk. Exploitation requires no authentication (PR:N) and can be triggered via indirect prompt injection. EPSS data not available for this recent CVE, but publicly available exploit code exists in the GitHub advisory with a working proof-of-concept demonstrating credential theft on cloud infrastructure.

Command injection in PraisonAI's SubprocessSandbox allows authenticated local users to bypass all sandbox modes (BASIC, STRICT, NETWORK_ISOLATED) and execute arbitrary OS commands. The vulnerability stems from shell=True usage combined with inadequate blocklist filtering that omits 'sh' and 'bash' executables, enabling trivial escape via 'sh -c' wrapper. CVSS 8.8 (High) reflects scope change and complete CIA triad compromise. No active exploitation confirmed (not in CISA KEV), but GitHub advisory includes working proof-of-concept code. EPSS data not available for this recent CVE. Critical for deployments using PraisonAI's sandbox feature with untrusted agent code or exposed to prompt injection attacks.

Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. With default AUTH_ENABLED=False configuration, this is remotely exploitable to retrieve EC2 IAM credentials via IMDSv1 (169.254.169.254) or reach internal services like Redis, Elasticsearch, and Kubernetes APIs within cloud VPCs. Public exploit code exists demonstrating localhost and metadata service access. EPSS data not available, not listed in CISA KEV.

Denial of service in PraisonAI's MCPToolIndex.search_tools() allows authenticated remote attackers to block the Python thread for hundreds of seconds via a crafted regular expression causing catastrophic backtracking. The vulnerable function compiles caller-supplied query strings directly as regex patterns without validation, timeout, or exception handling. A single malicious request can sustain complete service outage, and the MCP server HTTP transport runs without authentication by default, significantly lowering the practical barrier to exploitation despite the CVSS requiring PR:L.

SQL injection in PraisonAI's thread listing function allows unauthenticated remote attackers to execute arbitrary SQL queries and achieve complete database compromise. The vulnerability exists in sql_alchemy.py where thread IDs stored via update_thread are concatenated into raw SQL queries using f-strings without sanitization. Attackers inject malicious SQL through thread_id parameters, which execute when get_all_user_threads loads the thread list. CVSS 9.8 (Critical) reflects network-accessible exploitation requiring no authentication or user interaction. No public exploit confirmed beyond the GitHub security advisory POC, though EPSS data unavailable. Immediate patching required for all PraisonAI Python package installations.

Arbitrary OS command execution in PraisonAI (Python package) versions prior to 4.5.69 allows remote unauthenticated attackers to execute commands as the process user via the unsanitized `--mcp` CLI argument. The vulnerability stems from passing user-controlled input directly to `shlex.split()` and `anyio.open_process()` without validation. CVSS 9.8 (Critical). Vendor-released patch available in version 4.5.69 (commit 47bff65). No public exploit code independently confirmed beyond the GitHub advisory PoC, and not listed in CISA KEV at time of analysis.

Command injection in PraisonAI's run_python() function allows authenticated local attackers to execute arbitrary operating system commands with the privileges of the application process. The vulnerability stems from incomplete input sanitization that fails to escape shell metacharacters ($() and backticks) before passing user-controlled code to subprocess.run() with shell=True. Attackers with low-privilege local access can exploit this to achieve full system compromise (confidentiality, integrity, and availability impact rated High). Proof-of-concept code demonstrates successful command injection via the praisonaiagents Python package. No active exploitation confirmed via CISA KEV at time of analysis, but publicly available exploit code exists in the GitHub security advisory.

Critical sandbox escape in praisonaiagents Python library allows remote unauthenticated attackers to execute arbitrary OS commands by exploiting a type-checking flaw in the _safe_getattr wrapper. The vulnerability affects pkg:pip/praisonaiagents and carries a maximum CVSS 10.0 score with network attack vector, no authentication required, and changed scope impact. Deployments using default autonomous modes (PRAISONAI_AUTO_APPROVE=true) execute attacker code silently without human confirmation, enabling indirect prompt injection attacks against AI agent pipelines. Publicly available exploit code exists with working proof-of-concept demonstrating full OS command execution via subprocess.Popen access.

Haraka email server crashes when processing emails with `__proto__` as a header name, enabling remote unauthenticated denial of service. Attackers can send a specially crafted email via SMTP to crash worker processes, disrupting email delivery. In single-process deployments, the entire server becomes unavailable; in cluster mode, all active sessions are terminated. No public exploit identified at time of analysis beyond the published proof-of-concept code, though exploitation requires only basic SMTP access.

Copier's `_external_data` feature allows malicious templates to read arbitrary files outside the destination directory via path traversal (e.g., `../secret.yml`) or absolute paths (e.g., `/tmp/secret.yml`), exposing YAML-parsed contents in rendered output without requiring the `--UNSAFE` flag. This affects all versions of the Copier package and poses a risk when running untrusted templates, as attackers can disclose sensitive files accessible to the user running Copier.

Path traversal in Copier's _subdirectory setting allows template escape without --UNSAFE flag. A malicious or compromised template can use parent-directory traversal sequences (e.g., `_subdirectory: ..`) to render files from outside the intended template directory, enabling unauthorized file access during template instantiation. CVSS 4.4 (low-to-moderate severity); no public exploit code or active exploitation confirmed at time of analysis.

Authentication bypass in goshs (Go Simple HTTP Server) allows unauthenticated attackers to execute arbitrary system commands via WebSocket connections by exploiting a logic flaw in the BasicAuthMiddleware's share token validation. The middleware processes share tokens before credential checks, and attackers can combine a legitimate share token (intended for single-file downloads) with WebSocket query parameters to gain full CLI access. Confirmed actively exploited (CISA KEV). Public proof-of-concept code demonstrates remote command execution retrieving /etc/passwd. EPSS score indicates elevated exploitation probability given the simplicity of the attack chain.

AIOHTTP prior to version 3.13.4 allows multiple Host headers in HTTP requests, enabling information disclosure through header injection attacks. An unauthenticated remote attacker can exploit this by crafting malicious requests with duplicate Host headers to potentially bypass security controls or extract sensitive information from affected applications. The vulnerability has been patched in version 3.13.4, and no public exploit code or active exploitation has been identified at the time of analysis.

AIOHTTP's C parser accepts null bytes and control characters in HTTP response headers prior to version 3.13.4, allowing remote attackers to inject malformed headers that bypass validation and cause information disclosure. This vulnerability affects all versions before 3.13.4 and has been patched upstream; exploitation requires no authentication or user interaction but results in limited integrity impact to response headers rather than confidentiality breach.

Header injection in AIOHTTP prior to version 3.13.4 allows remote attackers to inject arbitrary HTTP headers or conduct similar exploits by controlling the reason parameter when creating a Response object. The vulnerability has low real-world impact (CVSS 2.7, EPSS not available) and requires the attacker to control application-level input that directly influences the reason parameter; no public exploit code or active exploitation has been identified. A vendor-released patch is available in version 3.13.4.

AIOHTTP prior to version 3.13.4 leaks sensitive authentication credentials across origin boundaries during HTTP redirects by failing to drop Cookie and Proxy-Authorization headers while inconsistently removing the Authorization header. This information disclosure vulnerability affects all Python applications using vulnerable AIOHTTP versions when following cross-origin redirects, potentially exposing session tokens and proxy credentials to untrusted origins. No public exploit code or active exploitation has been identified, and the EPSS score of 2.7 indicates low exploitation probability despite the low CVSS score reflecting confidentiality impact.

Aiohttp prior to version 3.13.4 allocates entire multipart form fields into memory before validating against the client_max_size limit, enabling unauthenticated remote attackers to cause denial of service through memory exhaustion. The vulnerability affects all versions before 3.13.4 and carries a low CVSS score (2.7) reflecting limited availability impact, with no public exploit code or active exploitation confirmed at time of analysis.

Memory exhaustion vulnerability in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to trigger denial of service via specially crafted HTTP responses containing excessive multipart headers. The vulnerability exploits insufficient memory limits during multipart header parsing, causing the server or client to consume more memory than intended. CVSS 6.6 (medium-high availability impact) with no public exploit code identified at time of analysis.

AIOHTTP static resource handler on Windows exposes NTLMv2 remote path information to unauthenticated remote attackers, allowing information disclosure with high confidentiality impact. Versions prior to 3.13.4 are affected. The vulnerability has been patched and no active exploitation has been confirmed at this time.

Header injection in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to inject arbitrary headers by controlling the content_type parameter, potentially enabling HTTP response splitting or cache poisoning attacks. The vulnerability has a low CVSS score (2.7) reflecting limited integrity impact, but affects all versions before the patched release 3.13.4.

Unbounded DNS cache in AIOHTTP prior to version 3.13.4 allows remote attackers to cause denial of service through excessive memory consumption. An attacker can trigger repeated DNS lookups with unique hostnames to grow the in-memory cache without bounds, eventually exhausting available system memory. AIOHTTP 3.13.4 and later include a patch that implements cache limits. This is a network-accessible vulnerability requiring no authentication or user interaction, but exploitation requires deliberate attack traffic and does not result in data compromise or system takeover.

Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires initial admin credentials to inject malicious serialized objects via SQL injection, then triggers via anonymous GET request. Vendor-released patch available in v2.10.2. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though detailed proof-of-concept included in advisory with working Python exploit scripts.

Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.

Flask-HTTPAuth versions prior to 4.8.1 allow authentication bypass when applications store empty string tokens in their user database, enabling unauthenticated attackers to authenticate as any user with an empty token set by submitting requests without a token or with an empty token value. This affects only token-based authentication mechanisms that verify tokens via database lookup rather than cryptographic means (e.g., JWTs). CVSS score 6.5 reflects moderate integrity impact with low computational attack complexity, and no public exploit code has been identified at the time of analysis.