CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

about 1 hour ago • CVE-2026-39308 • Severity 7.1

CVE-2026-39308: Arbitrary File Write via Path Traversal in PraisonAI Recipe Registry

PraisonAI versions prior to 4.5.113 contain an improper path limitation vulnerability in the recipe registry publish endpoint. An attacker can craft a malicious recipe bundle with directory traversal sequences in its internal manifest to write files outside the designated registry root directory. This critical path traversal flaw results in arbitrary file write capabilities on the hosting server, bypassing deferred request validation.

Alon Barad • 1 view • 6 min read
about 1 hour ago • CVE-2026-35615 • Severity 9.2

CVE-2026-35615: Critical Path Traversal in PraisonAI FileTools

PraisonAI prior to version 4.5.113 contains a critical path traversal vulnerability in the FileTools component. The vulnerability arises from an incorrect order of operations during path normalization, allowing unauthenticated remote attackers to read or write arbitrary files on the host system.

Amit Schendel • 0 views • 6 min read
about 2 hours ago • CVE-2026-34444 • Severity 7.9

CVE-2026-34444: Sandbox Escape and Remote Code Execution in Lupa

CVE-2026-34444 is a critical sandbox escape vulnerability in the Lupa Python library, allowing remote code execution. The flaw arises from an incomplete attribute_filter implementation that fails to hook Python built-in functions like getattr and setattr, enabling attackers to bypass restrictions and access sensitive internal attributes.

Alon Barad • 0 views • 5 min read
about 3 hours ago • CVE-2026-35526 • Severity 7.5

CVE-2026-35526: Denial of Service via Resource Exhaustion in Strawberry GraphQL Subscriptions

Strawberry GraphQL prior to version 0.312.3 is vulnerable to an unauthenticated Denial of Service (DoS) attack due to unbounded resource allocation in its WebSocket subscription handlers. An attacker can exhaust server memory and CPU by sending a flood of subscription requests over a single connection.

Alon Barad • 1 view • 6 min read
about 4 hours ago • CVE-2026-35480 • Severity 6.2

CVE-2026-35480: Unbounded Memory Allocation and Denial of Service in go-ipld-prime DAG-CBOR Decoder

The go-ipld-prime library prior to version 0.22.0 suffers from a resource exhaustion vulnerability in its DAG-CBOR decoding implementation. Maliciously crafted CBOR payloads containing artificially large declared collection sizes bypass early budget checks, triggering massive upfront memory allocations that result in immediate application crashes.

Alon Barad • 4 views • 6 min read
about 6 hours ago • CVE-2026-4177 • Severity 9.1

CVE-2026-4177: Heap-Based Buffer Overflow and Memory Corruption Suite in YAML::Syck

CVE-2026-4177 represents a critical suite of memory mismanagement vulnerabilities in the YAML::Syck Perl module, affecting versions up to and including 1.36. The core issue is a high-severity heap-based buffer overflow triggered during the emission of YAML tags for Perl objects with exceptionally long class names. Accompanying this primary vulnerability are three secondary flaws: an out-of-bounds read in the Base64 decoder, shared data corruption in the parser, and a memory leak. These vulnerabilities reside in the underlying C library implementation, exposing applications that parse or emit untrusted YAML data to denial of service, memory corruption, and potential arbitrary code execution.

Amit Schendel • 9 views • 8 min read
about 14 hours ago • GHSA-JFWG-RXF3-P7R9 • Severity 9.8

GHSA-JFWG-RXF3-P7R9: CQL/N1QL Injection in Authorizer via String Interpolation

Authorizer versions prior to 2.0.1 contain a critical injection vulnerability in the Cassandra and Couchbase database backends. The software constructs queries using unsafe string interpolation, allowing unauthenticated attackers to execute arbitrary database commands, bypass authentication mechanisms, and access sensitive data.

Alon Barad • 7 views • 7 min read
about 15 hours ago • GHSA-X3F4-V83F-7WP2 • Severity 9.8

GHSA-X3F4-V83F-7WP2: Unvalidated Redirect Leading to Token Leakage in Authorizer

Authorizer versions prior to 2.0.1 suffer from unvalidated redirect vulnerabilities across multiple GraphQL and HTTP endpoints. This flaw permits attackers to craft malicious URLs that, when interacted with by authenticated or verifying users, exfiltrate sensitive authentication tokens including full OAuth2 session bundles. The root cause is the omission of the `validators.IsValidOrigin` check in specific handler routines.

Alon Barad • 4 views • 6 min read
about 15 hours ago • CVE-2026-34425 • Severity 5.4

CVE-2026-34425: Validation Bypass in OpenClaw Shell-Bleed Protection

OpenClaw versions prior to commit 8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513 contain a validation bypass vulnerability in the preflight script execution checker. The fail-open design of the command parser allows malicious shell syntax to evade detection and execute arbitrary code. The patch implements a robust, fail-closed command tokenizer.

Amit Schendel • 3 views • 5 min read
about 16 hours ago • GHSA-H6RJ-3M53-887H • Severity 7.5

GHSA-H6RJ-3M53-887H: Unauthenticated Denial of Service via Log Parsing Recursion in PocketMine-MP

A resource exhaustion vulnerability exists in PocketMine-MP versions prior to 5.41.1. Unauthenticated remote attackers can crash the server by sending a malformed LoginPacket containing deeply nested JSON structures, which triggers a recursive memory allocation loop during log warning generation.

Alon Barad • 3 views • 5 min read
about 17 hours ago • GHSA-788V-5PFP-93FF • Severity 7.1

GHSA-788v-5pfp-93ff: Denial of Service via Unconstrained JSON Decoding in PocketMine-MP

PocketMine-MP, a high-performance PHP-based server for Minecraft: Bedrock Edition, suffers from an uncontrolled resource consumption vulnerability prior to version 5.39.2. The server fails to enforce length or nesting boundaries on JSON payloads within incoming `ModalFormResponsePacket` messages. An authenticated attacker can transmit oversized payloads to exhaust server memory and CPU resources, causing the application thread to halt and leading to a complete denial of service.

Amit Schendel • 3 views • 6 min read
about 18 hours ago • GHSA-7HMV-4J2J-PP6F • Severity 4.3

GHSA-7HMV-4J2J-PP6F: Network Amplification and Resource Exhaustion in PocketMine-MP

PocketMine-MP versions prior to 5.39.2 suffer from a network amplification vulnerability triggered via unvalidated ActorEventPacket messages. Authenticated attackers can exploit this to force the server into O(N) packet broadcasting, resulting in significant CPU and bandwidth exhaustion.

Alon Barad • 3 views • 6 min read
Automated vulnerability intelligence. 1,384+ reports.