|
391
|
7.5 |
HIGH
Network
|
apache
|
airflow
|
Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. So…
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2025-66236
|
2026-04-18 03:41 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
392
|
8.8 |
HIGH
Network
|
apache
|
airflow
|
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly tr…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-33858
|
2026-04-18 03:40 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
393
|
9.1 |
CRITICAL
Network
|
apache
|
apisix
|
Header injection vulnerability in Apache APISIX.
The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers.
This issue affects Apache APISIX: from 2…
|
CWE-75
Special Element Injection
|
CVE-2026-31908
|
2026-04-18 03:40 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
394
|
7.5 |
HIGH
Network
|
apache
|
apisix
|
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.
This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.
This issue af…
|
CWE-319
Cleartext Transmission of Sensitive Information
|
CVE-2026-31923
|
2026-04-18 03:39 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
395
|
5.3 |
MEDIUM
Network
|
apache
|
apisix
|
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.
tencent-cloud-cls log export uses plaintext HTTP
This issue affects Apache APISIX: from 2.99.0 through 3.15.0.
Users …
|
CWE-319
Cleartext Transmission of Sensitive Information
|
CVE-2026-31924
|
2026-04-18 03:38 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
396
|
8.1 |
HIGH
Network
|
apache
|
airflow
|
The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value
from xcom in the way that could be exploited to allow UI user who had access to modify …
|
CWE-94
Code Injection
|
CVE-2025-54550
|
2026-04-18 03:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
397
|
6.5 |
MEDIUM
Network
|
apache
|
airflow
|
The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, a…
|
CWE-200
Information Exposure
|
CVE-2026-25219
|
2026-04-18 03:37 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
398
|
10.0 |
CRITICAL
Network
|
praison
|
praisonai
|
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (succe…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-40114
|
2026-04-18 03:36 |
2026-04-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
399
|
7.5 |
HIGH
Network
|
praison
|
praisonai
|
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-40115
|
2026-04-18 03:34 |
2026-04-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
400
|
7.5 |
HIGH
Network
|
praison
|
praisonai
|
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signatu…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-40116
|
2026-04-18 03:33 |
2026-04-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
