Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.1 HIGH
CVE-2026-34774 — Electron: Use-after-free in offscreen child window paint callback

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child…

electron | Remote | Memory Corruption
Apr 04, 2026 Apr 04, 2026
Apr 04, 2026
Apr 04, 2026
4.7 MEDIUM
CVE-2026-34773 — Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on Windows, app.setAsDefaultProtocolClien…

electron | Misconfiguration
Apr 04, 2026 Apr 04, 2026
Apr 04, 2026
Apr 04, 2026
5.8 MEDIUM
CVE-2026-34772 — Electron: Use-after-free in download save dialog callback

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, apps that allow downloads and prog…

electron | Memory Corruption
Apr 04, 2026 Apr 04, 2026
Apr 04, 2026
Apr 04, 2026
7.5 HIGH
CVE-2026-34771 — Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permi…

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, apps that register an asynchronous…

electron | Remote | Memory Corruption
Apr 04, 2026 Apr 04, 2026
Apr 04, 2026
Apr 04, 2026
7.0 HIGH
CVE-2026-34770 — Electron: Use-after-free in PowerMonitor on Windows and macOS

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, apps that use the powerMonitor mod…

electron | Memory Corruption
Apr 04, 2026 Apr 04, 2026
Apr 04, 2026
Apr 04, 2026
7.7 HIGH
CVE-2026-34769 — Electron: Renderer command-line switch injection via undocumented commandLineSwitches web…

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented commandLineSwitche…

electron | Misconfiguration
Apr 04, 2026 Apr 04, 2026
Apr 04, 2026
Apr 04, 2026
3.9 LOW
CVE-2026-34768 — Electron: Unquoted executable path in app.setLoginItemSettings on Windows

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettin…

electron | Misconfiguration
Apr 04, 2026 Apr 04, 2026
Apr 04, 2026
Apr 04, 2026
5.9 MEDIUM
CVE-2026-34767 — Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handle…

electron | Remote | Injection
Apr 04, 2026 Apr 04, 2026
Apr 04, 2026
Apr 04, 2026
3.3 LOW
CVE-2026-34766 — Electron: USB device selection not validated against filtered device list

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callba…

electron | Authorization
Apr 04, 2026 Apr 04, 2026
Apr 04, 2026
Apr 04, 2026
5.3 MEDIUM
CVE-2026-35468 — nimiq/core-rs-albatross: Panic in history index request handlers when a full node runs wi…

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, two peer-facing consensus request handlers as…

Remote | Misconfiguration
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
8.6 HIGH
CVE-2026-34954 — PraisonAI: SSRF in FileTools.download_file() via Unvalidated URL

PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing …

Remote | Server-Side Request Forgery
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
9.1 CRITICAL
CVE-2026-34953 — PraisonAI: Authentication Bypass in OAuthManager.validate_token()

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request…

Remote | Authentication
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
9.1 CRITICAL
CVE-2026-34952 — PraisonAI: Missing Authentication in WebSocket Gateway

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any netw…

Remote | Authentication
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
6.5 MEDIUM
CVE-2026-34939 — PraisonAI: ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitizatio…

Remote | Denial of Service
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
10.0 CRITICAL
CVE-2026-34938 — PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing…

Remote | Misconfiguration
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
7.8 HIGH
CVE-2026-34937 — PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passin…

| Injection
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
7.7 HIGH
CVE-2026-34936 — PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and pa…

Remote | Server-Side Request Forgery
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
9.8 CRITICAL
CVE-2026-34935 — PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()

PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_pr…

Remote | Injection
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
9.8 CRITICAL
CVE-2026-34934 — PraisonAI: Second-Order SQL Injection in `get_all_user_threads`

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An …

Remote | Injection
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
5.5 MEDIUM
CVE-2026-34933 — Avahi: Reachable assertion in `transport_flags_from_domain()` via conflicting publish fla…

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a …

avahi | Denial of Service
Apr 03, 2026 Apr 03, 2026
Apr 03, 2026
Apr 03, 2026
Showing 20 of 5981 Results