Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-34954 — PraisonAI: SSRF in FileTools.download_file() via Unvalidated URL

PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing …

| Server-Side Request Forgery
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34953 — PraisonAI: Authentication Bypass in OAuthManager.validate_token()

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request…

| Authentication
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
9.8 CRITICAL
CVE-2017-20236 — ProSoft Technology ICX35-HWC Command Injection via Web Interface

ProSoft Technology ICX35-HWC versions 1.3 and prior cellular gateways contain an input validation vulnerability in the web user interface that allows remote attackers to inject and execute system com…

Remote | Injection
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34952 — PraisonAI: Missing Authentication in WebSocket Gateway

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any netw…

| Authentication
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34939 — PraisonAI: ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitizatio…

| Denial of Service
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
8.8 HIGH
CVE-2017-20235 — ProSoft Technology ICX35-HWC Authentication Bypass

ProSoft Technology ICX35-HWC version 1.3 and prior cellular gateways contain an authentication bypass vulnerability in the web user interface that allows unauthenticated attackers to gain access to a…

Remote | Authentication
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34938 — PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing…

| Misconfiguration
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34937 — PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passin…

| Injection
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34936 — PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and pa…

| Server-Side Request Forgery
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
9.8 CRITICAL
CVE-2017-20234 — GarrettCom Magnum 6K and 10K Authentication Bypass via Hardcoded String

GarrettCom Magnum 6K and 10K managed switches contain an authentication bypass vulnerability that allows unauthenticated attackers to gain unauthorized access by exploiting a hardcoded string in the …

Remote | Authentication
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34934 — PraisonAI: Second-Order SQL Injection in `get_all_user_threads`

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An …

| Injection
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34935 — PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()

PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_pr…

| Injection
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
5.9 MEDIUM
CVE-2017-20233 — Hirschmann HiLCOS Layer-2 Firewall Multicast Broadcast Traffic Bypass

Hirschmann HiLCOS products OpenBAT, BAT450, WLC, BAT867 contains a firewall filtering vulnerability that fails to correctly filter IPv4 multicast and broadcast traffic when management IP address filt…

| Misconfiguration
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
9.8 CRITICAL
CVE-2018-25236 — Hirschmann HiOS HiSecOS Authentication Bypass via HTTP Management

Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthentic…

Remote | Authentication
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34933 — Avahi: Reachable assertion in `transport_flags_from_domain()` via conflicting publish fla…

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a …

| Denial of Service
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34824 — Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocke…

| Denial of Service
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34612 — Kestra: Remote Code Execution via SQL Injection

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Exec…

| Injection
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
9.3 CRITICAL
CVE-2021-4477 — Hirschmann HiLCOS OpenBAT BAT450 IPv6 IPsec Firewall Bypass

Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers…

Remote | Misconfiguration
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34788 — Emlog: SQL Injection in tag_model::updateTagName() via unsanitized parameters

Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly in…

| Injection
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
0.0 NA
CVE-2026-34787 — Emlog: Local File Inclusion in plugin.php via unsanitized plugin parameter

Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET requ…

| Path Traversal
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
Showing 20 of 6373 Results