CyberRota
← Ana sayfaya dön

CVE-2026-60090

CRITICAL · CVSS 9.8 EPSS %0.41 Public Exploit

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-11T14:16:22.353 · Çekilme zamanı: 2026-07-12T18:35:07.971996+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

Public Exploit Sinyali

Bu CVE için açıklama veya referanslarda public exploit / PoC / GitHub / Metasploit sinyali tespit edildi.

Not: Bu bağlantılar yalnızca güvenlik araştırması ve doğrulama amacıyla listelenmiştir.

CVE
CVE-2026-60090
Severity
CRITICAL
CVSS
9.8
EPSS
%0.41

Orijinal NVD Açıklaması

PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store create_collection() backends. Although schema, keyspace, and collection-name identifiers are validated, the dimension value (declared as int but not enforced at runtime) is interpolated directly into the vector column of the generated CREATE TABLE DDL. A caller able to influence collection-creation dimensions can pass a string such as '3); DROP TABLE tenant_secrets; --' to inject SQL/CQL tokens into the statement executed by the database driver.