Tag
high
advisory
npm PraisonAI utility-tools.shell() Allowlist Bypass via Shell Chaining (GHSA-5jv7-2mjm-h6qj)
2 rules 1 TTPThe npm package `praisonai` versions 1.5.1 through 1.7.1 contains a command injection vulnerability (GHSA-5jv7-2mjm-h6qj) in its `utility-tools.shell()` helper, which allows attackers to bypass a 'safe read-only' command allowlist by appending arbitrary shell commands with metacharacters after an allowed command, leading to arbitrary code execution with the PraisonAI process privileges.
praisonai
command-injection
npm-package
nodejs
rce
allowlist-bypass
ghsa
2r
1t
high
advisory
tmp NPM Package Path Traversal Vulnerability (CVE-2026-44705)
2 rules 1 TTPThe tmp npm package contains a path traversal vulnerability (CVE-2026-44705) that allows writing files outside the intended temporary directory when untrusted data flows into the `prefix`, `postfix`, or `dir` options, leading to arbitrary file creation.
tmp
path traversal
npm package
2r
1t