| CVE | Severity | Score | Score | Age | Description |
|---|---|---|---|---|---|
| CVE-2026-10112 | low | 2.4 | 2.4 | 7d ago | A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. Affected is an unknown function of the component Dashboard Page. The manipulation of the argument Name leads to cross site s… |
| CVE-2026-10111 | high | 7.3 | 7.3 | 7d ago | A flaw has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. This impacts an unknown function of the component Login Page. Executing a manipulation of the argument email can lead to sql injectio… |
| CVE-2026-10110 | high | 7.3 | 7.3 | 7d ago | A vulnerability was detected in code-projects Student Details Management System 1.0. This affects an unknown function of the file /index.php. Performing a manipulation of the argument roll results in… |
| CVE-2026-47416 | unknown | — | — | 7d ago | praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id} |
| CVE-2026-47409 | unknown | — | — | 7d ago | praisonai-platform: Missing authorization on member removal enables full workspace takeover by any user regardless of role |
| CVE-2026-47414 | unknown | — | — | 7d ago | praisonai-platform: Label endpoints' unchecked label_id/issue_id enable cross-workspace label IDOR (edit, delete, link) |
| CVE-2026-47406 | unknown | — | — | 7d ago | praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks |
| CVE-2026-47410 | unknown | — | — | 7d ago | praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset |
| CVE-2026-47405 | unknown | — | — | 7d ago | PraisonAI Platform: Missing role checks let any workspace member become owner and control workspace membership |
| CVE-2026-47399 | unknown | — | — | 7d ago | PraisonAI Platform workspace-scoped routes allow cross-workspace object access by global object ID |
| CVE-2026-47407 | unknown | — | — | 7d ago | PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation |
| CVE-2026-47408 | unknown | — | — | 7d ago | praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership |
| CVE-2026-48169 | unknown | — | — | 7d ago | PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API |
| CVE-2026-47397 | unknown | — | — | 7d ago | PraisonAI has an Arbitrary File Write in Python API |
| CVE-2026-47391 | unknown | — | — | 7d ago | PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution |
| CVE-2026-47394 | unknown | — | — | 7d ago | PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate |
| CVE-2026-47392 | unknown | — | — | 7d ago | PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode) |
| CVE-2026-47395 | unknown | — | — | 7d ago | PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context |
| CVE-2026-47393 | unknown | — | — | 7d ago | PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default |
| CVE-2026-47396 | unknown | — | — | 7d ago | PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset |
| CVE-2026-47390 | unknown | — | — | 7d ago | PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings |
| CVE-2026-47398 | unknown | — | — | 7d ago | PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334 |
| CVE-2026-47268 | unknown | — | — | 7d ago | Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host |
| CVE-2026-47233 | unknown | — | — | 7d ago | Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024 |
| CVE-2026-47234 | unknown | — | — | 7d ago | Admidio writes session IDs and auto-login cookie values to application logs |
| CVE-2026-47232 | unknown | — | — | 7d ago | Admidio PKCS#12 private key export action lacks CSRF protection |
| CVE-2026-47231 | unknown | — | — | 7d ago | Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders |
| CVE-2026-47230 | unknown | — | — | 7d ago | Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders |
| CVE-2026-47229 | unknown | — | — | 7d ago | Admidio: CSRF in SSO client `enable` action toggles SAML/OIDC clients without token validation |
| CVE-2026-47228 | unknown | — | — | 7d ago | Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords |
| CVE-2026-47227 | unknown | — | — | 7d ago | Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php` |
| CVE-2026-47226 | unknown | — | — | 7d ago | Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges |
| CVE-2026-47213 | unknown | — | — | 7d ago | BoxLite has a Timeout Bypass Vulnerability |
| CVE-2026-47211 | unknown | — | — | 7d ago | ouroboros-ai Vulnerable to Remote Code Execution via Untrusted Project-Directory .env |
| CVE-2026-47203 | unknown | — | — | 7d ago | Authelia Missing Username Canonicalization in Basic Auth (LDAP) |