Latest intel // live feed
CVE-2026-34774 — Electron — CVSSv3.1 8.1 (HIGH)
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption. Apps are only affect
CVE-2026-34954 — Praison praisonaiagents — CVSSv3.1 8.6 (HIGH)
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server, including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
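The SSRF pattern in this entry, as an added example (not PraisonAI's code): a URL vetting function that rejects non-HTTP schemes, embedded credentials, metadata hostnames and any address that resolves to a private, loopback, link-local or IPv4-mapped range, plus a redirect loop that re-checks every hop, which is exactly what handing follow_redirects=True to the client skips. `fetch`, `resolve_all`, `METADATA_HOSTS` and the host names used in the test are assumptions for the example; `fetch` stands in for an httpx call made with follow_redirects=False.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Names the cloud metadata services answer on; blocked by name as well as by address.
# (Assumed list for the example; extend for your provider.)
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata", "fd00:ec2::254"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def resolve_all(host):
    """Default resolver: every address the name maps to.

    A name can mix public and private records, so every address is checked,
    not just the first one the client would happen to pick."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def address_is_internal(addr):
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:169.254.169.254 hides a v4 link-local
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_url(url, resolver=resolve_all):
    """Return url unchanged if it may be fetched, otherwise raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    host = parts.hostname.rstrip(".")
    if host in METADATA_HOSTS:
        raise ValueError(f"metadata host blocked: {host}")
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal: nothing to resolve
    except ValueError:
        addrs = set(resolver(host))
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    for addr in addrs:
        if address_is_internal(addr):
            raise ValueError(f"{host} resolves to internal address {addr}")
    return url


def fetch_checked(url, fetch, resolver=resolve_all, max_redirects=5):
    """Follow redirects by hand so every hop passes through check_url.

    fetch(url) -> (status, headers, body) stands in for the HTTP client call,
    issued with automatic redirect following disabled."""
    for _ in range(max_redirects + 1):
        url = check_url(url, resolver)
        status, headers, body = fetch(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # relative Location headers resolve against the current hop
            continue
        return body
    raise ValueError("too many redirects")
```

Two caveats. Checking the resolved address and then letting the HTTP client resolve the name again is a check-then-use window that DNS rebinding can exploit; closing it means connecting to the address you vetted (a custom transport that pins the IP) rather than the name. And a deny list of internal ranges is the weaker design: if the feature only ever needs a handful of upstream hosts, an allowlist of hostnames replaces all of the address logic above.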
CVE-2026-34953 — Praison PraisonAI — CVSSv3.1 9.1 (CRITICAL)
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.
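Fail-open versus fail-closed token validation, added here as an illustration and not PraisonAI's code: FailOpenTokenStore reconstructs the behaviour described (an empty store, and a token that is "valid unless marked revoked"), FailClosedTokenStore accepts only tokens it issued. Class and method names are invented for the example.

```python
import hashlib
import secrets


def parse_bearer(headers):
    """Return the token from an Authorization: Bearer header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


class FailOpenTokenStore:
    """Reconstructed pattern, not PraisonAI's code: a token is valid unless the
    store says it is revoked, and the store starts empty."""

    def __init__(self):
        self._tokens = {}  # token -> {"revoked": bool}

    def validate_token(self, token):
        # BUG: an unknown token has no record, so the lookup falls through to "not revoked".
        return not self._tokens.get(token, {}).get("revoked", False)


class FailClosedTokenStore:
    """Only tokens this store issued validate; everything else is rejected."""

    def __init__(self):
        self._by_fingerprint = {}  # sha256(token) -> {"revoked": bool}

    @staticmethod
    def _fingerprint(token):
        # Store a hash, not the token: a leaked store does not yield usable credentials,
        # and the lookup is on the hash, so dict timing reveals nothing about the secret.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self):
        token = secrets.token_urlsafe(32)
        self._by_fingerprint[self._fingerprint(token)] = {"revoked": False}
        return token

    def revoke(self, token):
        entry = self._by_fingerprint.get(self._fingerprint(token))
        if entry is not None:
            entry["revoked"] = True

    def validate_token(self, token):
        if not isinstance(token, str) or not token:
            return False
        entry = self._by_fingerprint.get(self._fingerprint(token))
        if entry is None:
            return False  # unknown token: deny, never default to "fine"
        return not entry["revoked"]


def is_authorized(store, headers):
    token = parse_bearer(headers)
    return token is not None and store.validate_token(token)
```

The check worth adding to a test suite for any auth layer is the first assertion below: a freshly constructed store with no tokens must reject a made-up one.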
CVE-2026-34952 — Praison PraisonAI — CVSSv3.1 9.1 (CRITICAL)
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version 4.5.97.
CVE-2026-34938 — Praison praisonaiagents — CVSSv3.1 10.0 (CRITICAL)
PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90.
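Why a str subclass defeats a startswith() guard, as an added example; safe_getattr_naive is a reconstruction of the pattern the entry describes, not praisonai-agents' _safe_getattr, and the function names are invented. escape_via_naive_guard walks from a plain object() to the os module's globals through the guard and stops there without running anything.

```python
import os  # only so that os._wrap_close, the usual stepping stone, exists in this process


def safe_getattr_naive(obj, name):
    """Reconstructed pattern (not the project's code): the guard asks the name
    object itself whether it starts with "_"."""
    if name.startswith("_"):
        raise AttributeError(f"access to {name!r} is blocked")
    return getattr(obj, name)


class LiarStr(str):
    """A str subclass that denies every prefix. getattr() still accepts it,
    because it only requires a str instance, not an exact str."""

    def startswith(self, *args, **kwargs):
        return False


def safe_getattr_hardened(obj, name):
    if type(name) is not str:  # exact type: a subclass can override any method it likes
        raise TypeError("attribute name must be a plain str")
    if str.startswith(name, "_"):  # unbound base-class method, cannot be shadowed
        raise AttributeError(f"access to {name!r} is blocked")
    return getattr(obj, name)


def escape_via_naive_guard():
    """Reach the os module from object() with every access routed through the
    naive guard. Returns (class reached, whether os.system was found)."""
    start = object()
    cls = safe_getattr_naive(start, LiarStr("__class__"))            # <class 'object'>
    subclasses = safe_getattr_naive(cls, LiarStr("__subclasses__"))()
    for sub in subclasses:
        init = safe_getattr_naive(sub, LiarStr("__init__"))
        try:
            # A Python-level __init__ carries its module's globals; os._wrap_close's are os.__dict__.
            globs = safe_getattr_naive(init, LiarStr("__globals__"))
        except AttributeError:       # slot wrappers and builtins have no __globals__
            continue
        if globs.get("__name__") == "os":
            return cls, "system" in globs
    return cls, False
```

Pinning the type and calling str.startswith unbound closes this particular hole, but an in-process sandbox built from attribute-name filtering has no real boundary: the object graph reached above is the same one every published Python sandbox escape walks. Untrusted code belongs in a separate process with OS-level isolation (seccomp, a container, a microVM), not behind a string check.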
CVE-2026-34935 — Praison PraisonAI — CVSSv3.1 9.8 (CRITICAL)
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69.
CVE-2026-34934 — Praison PraisonAI — CVSSv3.1 9.8 (CRITICAL)
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application loads the thread list, the injected payload executes and grants full database access. This issue has been patched in version 4.5.90.
CVE-2026-34612 — Kestra — CVSSv3.1 9.9 (CRITICAL)
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS
CVE-2021-4477 — Hirschmann HiLCOS OpenBAT and BAT450 — CVSSv3.1 9.1 (CRITICAL)
Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers can exploit this vulnerability by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while simultaneously using an IPv6 Internet connection to circumvent firewall policy enforcement.
CVE-2018-25236 — Hirschmann HiOS and HiSecOS — CVSSv3.1 9.8 (CRITICAL)
Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by crafting specially formed HTTP requests. Attackers can exploit improper authentication handling to obtain the authentication status and privileges of a previously authenticated user without providing valid credentials.
CVE-2017-20236 — ProSoft Technology ICX35-HWC — CVSSv3.1 9.8 (CRITICAL)
ProSoft Technology ICX35-HWC versions 1.3 and prior cellular gateways contain an input validation vulnerability in the web user interface that allows remote attackers to inject and execute system commands by submitting malicious input through unvalidated fields. Attackers can exploit this vulnerability to gain root privileges and execute arbitrary commands on the device through the accessible web interface.
CVE-2017-20235 — ProSoft Technology ICX35-HWC — CVSSv3.1 9.1 (CRITICAL)
ProSoft Technology ICX35-HWC version 1.3 and prior cellular gateways contain an authentication bypass vulnerability in the web user interface that allows unauthenticated attackers to gain access to administrative functions without valid credentials. Attackers can bypass the authentication mechanism in affected firmware versions to obtain full administrative access to device configuration and settings.
CVE-2017-20234 — GarrettCom Magnum 6K and 10K — CVSSv3.1 9.8 (CRITICAL)
GarrettCom Magnum 6K and 10K managed switches contain an authentication bypass vulnerability that allows unauthenticated attackers to gain unauthorized access by exploiting a hardcoded string in the authentication mechanism. Attackers can bypass login controls to access administrative functions and sensitive switch configuration without valid credentials.
CVE-2026-33175 — OAuthenticator — CVSSv3.1 8.8 (HIGH)
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub. When email is used as the `username_claim`, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.
CVE-2026-28797 — RAGFlow — CVSSv3.1 8.8 (HIGH)
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates, allowing any authenticated user to execute arbitrary operating system commands on the server. At time of publication, there are no public
CVE-2026-27634 — Piwigo — CVSSv3.1 9.8 (CRITICAL)
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.
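One example for this entry and for the PraisonAI get_all_user_threads entry above (CVE-2026-34934), added here with an in-memory SQLite fixture and not code from either project: a first-order injection through a date filter parameter and a second-order one through a thread ID that was stored safely and interpolated later, each beside its parameterized form. Table and column names, the sample rows and the password hashes are constructed.

```python
import sqlite3
from datetime import date


def make_db():
    """Constructed fixture: two users, one thread each, two images."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
        CREATE TABLE threads(id TEXT PRIMARY KEY, user_id INTEGER, title TEXT);
        CREATE TABLE images(id INTEGER PRIMARY KEY, date_available TEXT);
        INSERT INTO users VALUES (1, 'alice', '$2b$12$alicehash'), (2, 'mallory', '$2b$12$malloryhash');
        INSERT INTO threads VALUES ('t-1001', 1, 'alice private'), ('t-2001', 2, 'mallory thread');
        INSERT INTO images VALUES (1, '2026-01-05'), (2, '2026-03-10');
    """)
    return conn


# First-order: a request parameter goes straight into the query (the Piwigo pattern).

def images_since_vulnerable(conn, f_min_date_available):
    sql = f"SELECT id FROM images WHERE date_available >= '{f_min_date_available}'"
    return [row[0] for row in conn.execute(sql)]


def images_since_safe(conn, f_min_date_available):
    # A date filter is a date: parse it first (anything else is an error), then bind it.
    when = date.fromisoformat(f_min_date_available)
    return [row[0] for row in conn.execute(
        "SELECT id FROM images WHERE date_available >= ?", (when.isoformat(),))]


# Second-order: the payload enters through a safe, parameterized write and fires on a
# later read that trusts "data from our own database" (the PraisonAI pattern).

def update_thread(conn, old_id, new_id):
    conn.execute("UPDATE threads SET id = ? WHERE id = ?", (new_id, old_id))  # bound: the write is not the bug


def thread_titles_vulnerable(conn, user_id):
    ids = [row[0] for row in conn.execute("SELECT id FROM threads WHERE user_id = ?", (user_id,))]
    titles = []
    for tid in ids:  # the id came from the database, so it is interpolated without a second thought
        titles += [row[0] for row in conn.execute(f"SELECT title FROM threads WHERE id = '{tid}'")]
    return titles


def thread_titles_safe(conn, user_id):
    ids = [row[0] for row in conn.execute("SELECT id FROM threads WHERE user_id = ?", (user_id,))]
    titles = []
    for tid in ids:
        titles += [row[0] for row in conn.execute("SELECT title FROM threads WHERE id = ?", (tid,))]
    return titles
```

The second-order case is the one that escapes review most often, because the injection point is nowhere near an HTTP handler. The rule that covers both is that a value is bound or it is validated against a strict type, regardless of where it was read from. Parameterization also closes the Kestra chain above (CVE-2026-34612), since COPY ... TO PROGRAM is only reachable once attacker text is parsed as SQL; limiting the application's database role so that it cannot run COPY TO PROGRAM at all is the second layer.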
CVE-2018-25237 — Hirschmann HiSecOS — CVSSv3.1 9.8 (CRITICAL)
Hirschmann HiSecOS devices versions prior to 05.3.03 contain a buffer overflow vulnerability in the HTTPS login interface when RADIUS authentication is enabled that allows remote attackers to crash the device or execute arbitrary code by submitting a password longer than 128 characters. Attackers can exploit improper bounds checking in password handling to overflow a fixed-size buffer and achieve denial of service or remote code execution.
CVE-2016-15058 — Hirschmann HiLCOS Classic Platform — CVSSv3.1 8.1 (HIGH)
Hirschmann HiLCOS Classic Platform switches Classic L2E, L2P, L3E, L3P versions prior to 09.0.06 and Classic L2B prior to 05.3.07 contain a credential exposure vulnerability where user passwords are synchronized with SNMPv1/v2 community strings and transmitted in plaintext when the feature is enabled. Attackers with local network access can sniff SNMP traffic or extract configuration data to recover plaintext credentials and gain unauthorized administrative access to the switch.
CVE-2015-10148 — Hirschmann HiLCOS OpenBAT, WLC, BAT300, BAT54 — CVSSv3.1 8.2 (HIGH)
Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices.
CVE-2026-28766 — Gardyn — CVSSv3.1 9.3 (CRITICAL)
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.
CVE-2026-25197 — CVSSv3.1 9.1 (CRITICAL)
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.
CVE-2026-22665 — Fka Prompts.chat — CVSSv3.1 8.1 (HIGH)
prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
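Canonical username keys, as an added example and not prompts.chat's code: VulnerableUserStore reconstructs the inconsistency described (exact-match uniqueness on the write path, case-insensitive resolution on the read path, last writer wins), and HardenedUserStore derives one key per identity with NFKC normalization plus casefold and a strict allowlist, so every spelling of a name maps to the same record. The class names, the allowed-character pattern and the 39-character limit are assumptions for the example.

```python
import re
import unicodedata

# Assumed policy for the example: lowercase ASCII letters, digits and . _ -,
# 1 to 39 characters, no leading or trailing punctuation.
USERNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9._-]{0,37}[a-z0-9])?")


def canonical_username(raw):
    """One key for all spellings of a name.

    NFKC folds compatibility forms (fullwidth letters, the Kelvin sign),
    casefold handles case including ß -> ss, and the allowlist rejects
    anything that survived those steps but is not a plain identifier."""
    key = unicodedata.normalize("NFKC", raw).casefold()
    if not USERNAME_RE.fullmatch(key):
        raise ValueError(f"username not allowed: {raw!r}")
    return key


class VulnerableUserStore:
    """Reconstructed pattern (not prompts.chat's code): uniqueness is checked on
    the raw string, but lookups go through a lowercased index."""

    def __init__(self):
        self._profiles = {}  # raw username -> profile
        self._index = {}     # lowercased username -> raw username (last writer wins)

    def create(self, username, profile):
        if username in self._profiles:
            raise ValueError("taken")
        self._profiles[username] = profile
        self._index[username.lower()] = username  # "Alice" silently replaces "alice" here

    def lookup(self, username):
        raw = self._index.get(username.lower())
        return None if raw is None else self._profiles[raw]


class HardenedUserStore:
    """Both paths use the same canonical key; the display form is kept as data."""

    def __init__(self):
        self._profiles = {}  # canonical key -> profile

    def create(self, username, profile):
        key = canonical_username(username)
        if key in self._profiles:
            raise ValueError("taken")
        self._profiles[key] = {"display": username, **profile}
        return key

    def lookup(self, username):
        try:
            return self._profiles.get(canonical_username(username))
        except ValueError:
            return None
```

If the backing store is a relational database, the same idea is a UNIQUE constraint on the canonical column (or a case-insensitive collation applied to both the constraint and every lookup), so the guarantee does not depend on every code path remembering to lowercase.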
CVE-2026-22661 — Fka Prompts.chat — CVSSv3.1 8.1 (HIGH)
prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing server-side filename validation to inject path traversal sequences ../ into skill file archives, which when extracted by vulnerable tools write files outside the intended directory an
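Rejecting traversal in skill archives, as an added example and not prompts.chat's code: validate_member_name is the missing server-side check (run it on every entry name at upload time), and safe_extract is a client that vets every entry before writing anything and refuses the whole archive on the first bad name. Python's own ZipFile.extractall silently strips ".." components rather than rejecting the archive, which hides tampering; this example rejects instead. The archive contents and the directory layout are constructed for the example.

```python
import io
import os
import posixpath
import stat
import tempfile
import zipfile


def validate_member_name(name):
    """Return a normalized relative path for an archive entry, or raise ValueError.

    Rejects absolute paths, drive prefixes, backslashes, control characters and
    any ".." component instead of silently rewriting the name."""
    if not name or name != name.strip() or any(ord(c) < 32 for c in name):
        raise ValueError(f"bad entry name: {name!r}")
    if "\\" in name or name.startswith("/"):
        raise ValueError(f"absolute or backslash path: {name!r}")
    if ":" in name.split("/", 1)[0]:
        raise ValueError(f"drive prefix: {name!r}")
    norm = posixpath.normpath(name)
    if norm == "." or norm.startswith("/") or ".." in norm.split("/"):
        raise ValueError(f"path traversal: {name!r}")
    return norm


def safe_extract(zip_bytes, dest_dir):
    """Extract only after every entry has been vetted; returns the relative paths written."""
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():                      # pass 1: validate everything, write nothing
            rel = validate_member_name(info.filename)
            if stat.S_ISLNK(info.external_attr >> 16):  # a symlink entry could redirect a later write
                raise ValueError(f"symlink entry: {info.filename!r}")
            target = os.path.realpath(os.path.join(root, rel))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"escapes destination: {info.filename!r}")
            plan.append((info, rel, target))
        written = []
        for info, rel, target in plan:                  # pass 2: write
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(rel)
    return written


def build_zip(entries):
    """Constructed test archive; zipfile.writestr keeps names like '../x' verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo():
    """Constructed archives: one with a traversal entry hidden behind a legitimate one, one clean."""
    malicious = build_zip([("skill/SKILL.md", b"# looks fine"),
                           ("../../.bashrc", b"# injected into the home directory\n")])
    clean = build_zip([("skill/SKILL.md", b"# my skill")])
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(malicious, tmp)
            rejected = False
        except ValueError:
            rejected = True
        leftovers = os.listdir(tmp)  # pass 1 failed, so the legitimate-looking entry was not written either
        written = safe_extract(clean, tmp)
        with open(os.path.join(tmp, "skill", "SKILL.md"), "rb") as f:
            content = f.read()
    return {"malicious_rejected": rejected, "leftovers": leftovers,
            "clean_written": written, "clean_content": content}
```

The two-pass shape matters: an extractor that validates as it writes leaves the harmless-looking entries of a rejected archive on disk, and the first entry of a malicious archive is usually chosen to look harmless.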
CVE-2025-10681 — CVSSv3.1 8.6 (HIGH)
Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.
CVE-2017-20237 — Hirschmann Industrial HiVision — CVSSv3.1 9.8 (CRITICAL)
Hirschmann Industrial HiVision versions prior to 06.0.07 and 07.0.03 contain an authentication bypass vulnerability in the master service that allows unauthenticated remote attackers to execute arbitrary commands with administrative privileges. Attackers can invoke exposed interface methods over the remote service to bypass authentication and achieve remote code execution on the underlying operating system.