2111 | 7.4 | HIGH | Network | - | - | PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementi… | CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable | CVE-2026-40153 | 2026-04-14 01:16 | 2026-04-10
2112 | 7.9 | HIGH | Local | - | - | PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is co… | CWE-396 | CVE-2026-40149 | 2026-04-14 01:16 | 2026-04-10
2113 | - | | | - | - | PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at sr… | CWE-78: OS Command | CVE-2026-40111 | 2026-04-14 01:16 | 2026-04-10
2114 | 8.1 | HIGH | Network | - | - | BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier'… | CWE-347: Improper Verification of Cryptographic Signature | CVE-2026-40070 | 2026-04-14 01:16 | 2026-04-10
2115 | 5.3 | MEDIUM | Network | - | - | Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data. This issue affects RepairBuddy: from n/a throu… | CWE-201: Insertion of Sensitive Information Into Sent Data | CVE-2026-39586 | 2026-04-14 01:16 | 2026-04-08
2116 | 5.3 | MEDIUM | Network | - | - | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themefic Instantio instantio allows Retrieve Embedded Sensitive Data. This issue affects Instantio: from n/a… | CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere | CVE-2026-39571 | 2026-04-14 01:16 | 2026-04-08
2117 | 5.3 | MEDIUM | Network | - | - | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data. This issue affects RSVP and… | CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere | CVE-2026-39536 | 2026-04-14 01:16 | 2026-04-08
2118 | 4.9 | MEDIUM | Network | - | - | Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery. This issue affects Nelio Content: from n/a through <= 4.3.1. | CWE-918: Server-Side Request Forgery (SSRF) | CVE-2026-39521 | 2026-04-14 01:16 | 2026-04-08
2119 | 4.1 | MEDIUM | Network | - | - | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT … | CWE-93: CRLF Injection | CVE-2026-35601 | 2026-04-14 01:16 | 2026-04-11
2120 | 5.9 | MEDIUM | Network | - | - | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP val… | CWE-307: Improper Restriction of Excessive Authentication Attempts | CVE-2026-35597 | 2026-04-14 01:16 | 2026-04-11