Skip to content

Commit 32b8efa

Browse files
committed
add: AVE-2026-0053
1 parent 48c80dc commit 32b8efa

1 file changed

Lines changed: 18 additions & 22 deletions

File tree

vulns/2026/AVE-2026-0053.toml

Lines changed: 18 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1,32 +1,28 @@
1-
[id]
2-
ave_id = "AVE-2026-0053"
3-
cve_id = "CVE-2026-49471"
4-
aliases = ["CVE-2026-49471", "GHSA-37h2-6p4f-mp3q"]
5-
61
[basic]
7-
title = "Serena AI 编程助手 Web 面板未授权访问致远程代码执行漏洞"
8-
description = "Serena 是一款 AI 编程助手,其内置 Web 管理面板默认在固定端口(TCP 24282)启动 Flask API 服务,未实施任何身份认证、CSRF 防护或 Host 头验证。攻击者可通过 DNS 重绑定攻击绕过浏览器同源策略,向本地 API 发送恶意请求写入持久化记忆存储。结合默认启用的 execute_shell_command 函数(shell=True),可触发完整的远程代码执行链,完全控制受害者主机。"
9-
severity = "HIGH"
10-
score = 7.5
11-
remediation = "升级至 Serena 官方已修复版本;或在配置中设置 web_dashboard: false 禁用 Web 面板;或通过防火墙限制 127.0.0.1 仅有本地访问 24282 端口。"
12-
published = "2026-07-10"
13-
updated = "2026-07-10"
2+
description = ""
3+
published = ""
4+
remediation = "Refer to vendor advisory and upgrade to fixed version."
5+
score = 0.0
6+
severity = "UNKNOWN"
147
sources = ["ghsa"]
15-
16-
[affected]
17-
vendor = "Serena"
18-
product = "Serena AI Coding Agent"
8+
title = "CVE-2026-49471"
9+
updated = ""
1910

2011
[exploit]
21-
poc_urls = ["https://github.com/user-attachments/files/27755382/verify_vuln.py"]
2212
exp_urls = []
13+
poc_urls = []
2314

24-
[references]
25-
urls = [
26-
"https://nvd.nist.gov/vuln/detail/CVE-2026-49471",
27-
"https://github.com/advisories/GHSA-37h2-6p4f-mp3q"
15+
[id]
16+
aliases = [
17+
"CVE-2026-49471",
18+
"GHSA-37h2-6p4f-mp3q",
2819
]
20+
ave_id = "AVE-2026-0053"
21+
cve_id = "CVE-2026-49471"
2922

3023
[meta]
24+
collected_at = "2026-07-11T00:13:56.955342370+00:00"
3125
status = "completed"
32-
collected_at = "2026-07-10T12:52:47Z"
26+
27+
[references]
28+
urls = []

0 commit comments

Comments
 (0)