Shmulc8

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0.

**Name of the Vulnerable Software and Affected Versions** PromptHub versions 0.4.9 through 0.5.3 **Description** An authenticated endpoint "/api/skills/fetch-remote" fetches a user-supplied URL server-side and reflects the response body back to the caller. The Server-Side Request Forgery (SSRF) protection in the `isPrivateIPv6` function attempts to block private or loopback destinations, but it can be bypassed using alternate IPv6 representations. This allows access to any IPv4 address (including loopback, RFC1918, and link-local) via IPv4-mapped IPv6 in hex form, as well as the canonical ::1 address. Any authenticated user with a user or admin role can trigger this issue. In deployments where `ALLOW REGISTRATION` is set to true, any registered internet user can exploit this behavior. **Recommendations** Update to version 0.5.4.

**Name of the Vulnerable Software and Affected Versions** PraisonAI versions 2.4.1 through 4.6.33 **Description** PraisonAI is a multi-agent teams system that exposes optional SQL/CQL-backed knowledge-store implementations. These implementations build table and index identifiers using unvalidated `name` and `collection` arguments. Applications passing untrusted collection names into these backends can trigger SQL or CQL injection, which occurs when malicious SQL or CQL statements are inserted into entry fields for execution. **Recommendations** Update to version 4.6.34.

**Name of the Vulnerable Software and Affected Versions** praisonai versions prior to 4.6.37 praisonaiagents versions prior to 1.6.37 **Description** PraisonAI is a multi-agent teams system. The `praisonaiagents` component resolves unresolved tool names against module globals and ` main ` after failing to match the declared tool list and the registry. Because the default agent configuration sets ` perm allow` to None, undeclared non-dangerous tool names are not rejected by the permission gate. This allows an attacker capable of influencing tool-call names to invoke unintended application callables that were not declared as tools. **Recommendations** Update praisonai to version 4.6.37. Update praisonaiagents to version 1.6.37.

CVE-2026-42312 pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set config value() API method (@permission(Perms.SETTINGS)) in src/p… https://t.co/ADtnuQJj56

CVE-2026-42313 pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set config value() API method (@permission(Perms.SETTINGS)) in src/p… https://t.co/8rZNAbQm5s

**Name of the Vulnerable Software and Affected Versions** PraisonAI versions 2.5.6 through 4.6.33 **Description** PraisonAI ships a legacy Flask API server that has authentication disabled by default due to hard-coded `AUTH ENABLED = False` and `AUTH TOKEN = None` variables in the `api server.py` file. This causes the `check auth()` function to fail open, allowing any network caller to access protected endpoints without a token. Specifically, the 'GET /agents' endpoint exposes agent metadata, and the 'POST /chat' endpoint triggers the `PraisonAI().run()` function to execute the configured `agents.yaml` workflow, regardless of the provided `message` variable. Real-world incidents indicate that automated scanners, such as `CVE-Detector/1.0`, began probing vulnerable systems within 3 hours and 44 minutes of public disclosure. The impact depends on the permissions granted to the agents in `agents.yaml`, which may include access to internal databases, file systems, shell commands, or the consumption of expensive LLM API quotas. Additionally, the Gateway and AGUI endpoints were found to have hard-coded wildcard CORS headers (`Access-Control-Allow-Origin: *`), potentially allowing malicious websites to trigger agents on a local machine. **Recommendations** Update to version 4.6.34. As a temporary mitigation, deploy WAF rules to block unauthenticated access to the '/agents' and '/chat' endpoints. Restrict access to the legacy API server by ensuring it does not bind to `0.0.0.0` if not required.