|
3511
|
9.8 |
CRITICAL
Network
|
-
|
-
|
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.j…
|
CWE-77
Command Injection
|
CVE-2026-41501
|
2026-05-9 00:54 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3512
|
8.4 |
HIGH
Local
|
-
|
-
|
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by d…
|
CWE-22
CWE-829
Path Traversal
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-43940
|
2026-05-9 00:54 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3513
|
9.6 |
CRITICAL
Network
|
-
|
-
|
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal di…
|
CWE-88
CWE-601
Argument Injection
Open Redirect
|
CVE-2026-43941
|
2026-05-9 00:54 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3514
|
5.5 |
MEDIUM
Local
|
-
|
-
|
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire…
|
CWE-200
CWE-312
Information Exposure
Cleartext Storage of Sensitive Information
|
CVE-2026-43942
|
2026-05-9 00:54 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3515
|
7.8 |
HIGH
Local
|
-
|
-
|
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system edito…
|
CWE-78
CWE-88
OS Command
Argument Injection
|
CVE-2026-43943
|
2026-05-9 00:54 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3516
|
9.8 |
CRITICAL
Network
|
-
|
-
|
PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing …
|
CWE-77
CWE-78
Command Injection
OS Command
|
CVE-2026-41497
|
2026-05-9 00:53 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3517
|
8.4 |
HIGH
Local
|
-
|
-
|
PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_reso…
|
CWE-94
Code Injection
|
CVE-2026-44334
|
2026-05-9 00:53 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3518
|
- |
|
-
|
-
|
PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has b…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-44335
|
2026-05-9 00:53 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3519
|
6.3 |
MEDIUM
Network
|
-
|
-
|
PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers …
|
CWE-20
CWE-89
Improper Input Validation
SQL Injection
|
CVE-2026-44337
|
2026-05-9 00:53 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3520
|
7.3 |
HIGH
Network
|
-
|
-
|
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any …
|
CWE-306
CWE-668
CWE-1188
Missing Authentication for Critical Function
Exposure of Resource to Wrong Sphere
Insecure Default Initialization of Resource
|
CVE-2026-44338
|
2026-05-9 00:53 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
