A vulnerability was detected in code-projects Student Details Management System 1.0. It affects an unknown function of the file /index.php. Manipulating the argument roll leads to SQL injection. The attack can be carried out remotely. The exploit is now public and may ...
Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client.
praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}
praisonai-platform: Missing authorization on member removal enables full workspace takeover by any user regardless of role
praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link)
praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks
praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset
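The failure mode in the entry above is a signing secret that silently falls back to a published default when the environment is not marked as development. The following is an added example, not PraisonAI's own code: a fail-closed secret loader beside a minimal HS256 sign/verify pair that shows why a known default is equivalent to no secret. `PLATFORM_ENV` comes from the advisory; the variable name `PLATFORM_JWT_SECRET`, the set of values treated as "development", and the 32-byte minimum are assumptions.

```python
"""Fail-closed JWT secret loading (added example; not PraisonAI code).
Assumptions: secret is read from PLATFORM_JWT_SECRET; PLATFORM_ENV values in
DEV_ENVS mean "development"; an HS256 key must be at least 32 bytes."""
import base64
import hashlib
import hmac
import json
from typing import Optional

DEV_DEFAULT_SECRET = "dev-secret-change-me"   # the hardcoded default named in the advisory
DEV_ENVS = {"dev", "development", "local"}    # assumed: values that mean "development"
MIN_SECRET_BYTES = 32                         # HS256 key should be >= the hash output size


def load_signing_secret(env: dict) -> str:
    """Return the signing secret; never fall back to the dev default unless the
    deployment explicitly declares itself a development environment."""
    secret = env.get("PLATFORM_JWT_SECRET")   # assumed variable name
    platform_env = env.get("PLATFORM_ENV")    # unset is exactly the vulnerable case
    if platform_env in DEV_ENVS:
        return secret or DEV_DEFAULT_SECRET
    # production, staging, or simply unset: refuse to start without a real secret
    if not secret:
        raise RuntimeError("PLATFORM_JWT_SECRET is required unless PLATFORM_ENV is a dev value")
    if secret == DEV_DEFAULT_SECRET or len(secret.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError("PLATFORM_JWT_SECRET is the dev default or too short")
    return secret


def secret_load_fails(env: dict) -> bool:
    """True if load_signing_secret refuses this environment (used for checks)."""
    try:
        load_signing_secret(env)
    except RuntimeError:
        return True
    return False


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT issuer (no library dependency)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature checks out under `secret`, else None.
    Pins the algorithm to HS256 so an attacker cannot switch to alg=none."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def forged_token_is_accepted(secret_in_use: str) -> bool:
    """An attacker who knows the default signs a token for an arbitrary user;
    the server accepts it exactly when it is still running on that default."""
    token = sign_hs256({"sub": "victim-user-id", "role": "owner"}, DEV_DEFAULT_SECRET)
    return verify_hs256(token, secret_in_use) is not None
```

A deployment that forgets the variable now fails at startup instead of issuing tokens anyone can mint; rotating to a random 32-byte secret invalidates every token signed under the default.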
PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership
PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership
PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API
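The entries above share one root cause: workspace-scoped routes that load labels, issues, dependencies, activity and memberships by global object ID without confirming the object belongs to the workspace in the URL, and membership endpoints that check authentication but not role. The following is an added example, not PraisonAI's own code, of the two checks together: a single scoped loader that every object route goes through, and owner-only role changes and removals. The data model (memberships keyed by workspace and user, issues and labels carrying a `workspace_id`) is assumed for illustration.

```python
"""Workspace-scoped object access and owner-only membership changes
(added example; not PraisonAI code; the data model is assumed)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


class NotFound(Exception):
    """Used both for 'does not exist' and 'exists in another workspace', so a
    caller cannot probe the global ID space for objects it may not see."""


class Forbidden(Exception):
    """Caller is a member, but the role does not permit the action."""


ROLES = ("member", "admin", "owner")


@dataclass
class Store:
    memberships: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (ws, user) -> role
    issues: Dict[int, dict] = field(default_factory=dict)                  # global id -> row
    labels: Dict[int, dict] = field(default_factory=dict)


def require_member(store: Store, workspace_id: int, user_id: str) -> str:
    role = store.memberships.get((workspace_id, user_id))
    if role is None:
        raise NotFound(f"workspace {workspace_id}")
    return role


def get_scoped(store: Store, table: str, workspace_id: int, object_id: int, user_id: str) -> dict:
    """Load by global id, but only if the row belongs to the workspace in the URL."""
    require_member(store, workspace_id, user_id)
    row = getattr(store, table).get(object_id)
    if row is None or row["workspace_id"] != workspace_id:
        raise NotFound(f"{table} {object_id}")
    return row


def link_label(store: Store, workspace_id: int, issue_id: int, label_id: int, user_id: str) -> list:
    """Both ends of a link are scoped-checked, not just the issue."""
    issue = get_scoped(store, "issues", workspace_id, issue_id, user_id)
    get_scoped(store, "labels", workspace_id, label_id, user_id)
    issue.setdefault("labels", set()).add(label_id)
    return sorted(issue["labels"])


def set_member_role(store: Store, workspace_id: int, actor_id: str, target_id: str, new_role: str) -> str:
    """PATCH .../members/{user_id}: only an owner of this workspace may change roles."""
    if new_role not in ROLES:
        raise ValueError(new_role)
    if require_member(store, workspace_id, actor_id) != "owner":
        raise Forbidden("only owners change roles")
    require_member(store, workspace_id, target_id)
    store.memberships[(workspace_id, target_id)] = new_role
    return new_role


def remove_member(store: Store, workspace_id: int, actor_id: str, target_id: str) -> bool:
    """Members may leave; removing anyone else is an owner action, and the
    last owner can never be removed (that is the takeover path)."""
    actor_role = require_member(store, workspace_id, actor_id)
    target_role = require_member(store, workspace_id, target_id)
    if actor_id != target_id and actor_role != "owner":
        raise Forbidden("only owners remove members")
    owners = [u for (w, u), r in store.memberships.items() if w == workspace_id and r == "owner"]
    if target_role == "owner" and owners == [target_id]:
        raise Forbidden("cannot remove the last owner")
    del store.memberships[(workspace_id, target_id)]
    return True


def attempt(fn, *args) -> str:
    """Run an action and report 'ok' or the exception class name (for checks)."""
    try:
        fn(*args)
        return "ok"
    except (NotFound, Forbidden, ValueError) as exc:
        return type(exc).__name__


def sample_store() -> Store:
    """Constructed sample data: two workspaces, alice owns 1, bob is a member of 1, carol owns 2."""
    s = Store()
    s.memberships = {(1, "alice"): "owner", (1, "bob"): "member", (2, "carol"): "owner"}
    s.issues = {10: {"workspace_id": 1}, 20: {"workspace_id": 2}}
    s.labels = {5: {"workspace_id": 1}, 6: {"workspace_id": 2}}
    return s
```

Routing every read, update and delete through `get_scoped` (and calling it once per object on link endpoints) closes the cross-workspace IDOR; the owner check on `set_member_role` and `remove_member` closes the self-promotion and takeover paths, and the last-owner guard keeps a workspace from being orphaned.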
PraisonAI has an Arbitrary File Write in Python API
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution
PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset
PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings
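The last entry describes a loopback filter defeated by alternate spellings of the same address. A string comparison against "127.0.0.1" and "localhost" misses the shorthand, octal, hex and decimal IPv4 forms that inet_aton accepts, IPv6 loopback, and IPv4-mapped IPv6. The following is an added example, not PraisonAI's own code, of a classifier that normalizes the host into an `ipaddress` object before deciding; it goes beyond the advisory by also rejecting link-local, private and unspecified ranges. The scheme allow-list and the result labels are assumptions.

```python
"""URL host classification resistant to alternate loopback encodings
(added example; not PraisonAI code). Returns one of the assumed labels
'blocked', 'allowed_literal' or 'needs_dns'."""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy


def legacy_ipv4(host: str) -> Optional[int]:
    """Parse the inet_aton family: 1 to 4 parts, each decimal, octal (leading 0)
    or hex (0x), the last part filling the remaining bytes. Returns the 32-bit
    value or None if the string is not such an address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if not p.isalnum():
            return None
        try:
            if p.lower().startswith("0x"):
                vals.append(int(p, 16))
            elif len(p) > 1 and p.startswith("0"):
                vals.append(int(p, 8))
            else:
                vals.append(int(p, 10))
        except ValueError:
            return None
    n = 0
    for v in vals[:-1]:
        if v > 255:
            return None
        n = (n << 8) | v
    remaining = 4 - (len(vals) - 1)
    if vals[-1] >= 1 << (8 * remaining):
        return None
    return (n << (8 * remaining)) | vals[-1]


def is_internal(addr) -> bool:
    """Ranges a fetcher for untrusted URLs should never contact."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is really 127.0.0.1
    return (addr.is_loopback or addr.is_unspecified or addr.is_private
            or addr.is_link_local or addr.is_multicast or addr.is_reserved)


def classify_url(url: str) -> str:
    """Decide on the literal host alone; hostnames still need DNS resolution
    with the resolved address re-checked and pinned for the connection."""
    parts = urlsplit(url)
    host = parts.hostname          # urlsplit strips [] and lowercases
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return "blocked"
    if ":" in host:                # IPv6 literal
        try:
            return "blocked" if is_internal(ipaddress.IPv6Address(host)) else "allowed_literal"
        except ValueError:
            return "blocked"
    n = legacy_ipv4(host)
    if n is not None:              # any inet_aton spelling of an IPv4 address
        return "blocked" if is_internal(ipaddress.IPv4Address(n)) else "allowed_literal"
    if host == "localhost" or host.endswith(".localhost"):
        return "blocked"
    return "needs_dns"
```

`needs_dns` is not an allow: the caller must resolve the name, run `is_internal` over every returned address, and connect to that exact address rather than letting the HTTP client resolve again (DNS rebinding), and must repeat the check on each redirect target.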