Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-26057

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-19 Feb, 2026 | 18:41
Updated At-19 Feb, 2026 | 21:24
Rejected At-
Credits

Skill Scanner Unsecured Network Binding Vulnerability

Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow a unauthenticated, remote attacker to interact with the server API and either trigger a denial of service (DoS) condition or upload arbitrary files. This vulnerability is due to an erroneous binding to multiple interfaces. An attacker could exploit this vulnerability by sending API requests to a device exposing the affected API Server. A successful exploit could allow the attacker to consume an excessive amount of resources (memory starvation) or to upload files to arbitrary folders on the affected device. This vulnerability affects Skill-scanner 1.0.1 and earlier releases when the API Server is enabled. The API Server is not enabled by default. Skill-scanner software releases 1.0.2 and later contain the fix for this vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:19 Feb, 2026 | 18:41
Updated At:19 Feb, 2026 | 21:24
Rejected At:
â–¼CVE Numbering Authority (CNA)
Skill Scanner Unsecured Network Binding Vulnerability

Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow a unauthenticated, remote attacker to interact with the server API and either trigger a denial of service (DoS) condition or upload arbitrary files. This vulnerability is due to an erroneous binding to multiple interfaces. An attacker could exploit this vulnerability by sending API requests to a device exposing the affected API Server. A successful exploit could allow the attacker to consume an excessive amount of resources (memory starvation) or to upload files to arbitrary folders on the affected device. This vulnerability affects Skill-scanner 1.0.1 and earlier releases when the API Server is enabled. The API Server is not enabled by default. Skill-scanner software releases 1.0.2 and later contain the fix for this vulnerability.

Affected Products
Vendor
cisco-ai-defense
Product
skill-scanner
Versions
Affected
  • < 1.0.2
Problem Types
TypeCWE IDDescription
CWECWE-668CWE-668: Exposure of Resource to Wrong Sphere
Type: CWE
CWE ID: CWE-668
Description: CWE-668: Exposure of Resource to Wrong Sphere
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/cisco-ai-defense/skill-scanner/security/advisories/GHSA-ppfx-73j5-fhxc
x_refsource_CONFIRM
https://github.com/cisco-ai-defense/skill-scanner/commit/1e35e57f3051ecc89ba845ae7206321c8eac20a1
x_refsource_MISC
Hyperlink: https://github.com/cisco-ai-defense/skill-scanner/security/advisories/GHSA-ppfx-73j5-fhxc
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/cisco-ai-defense/skill-scanner/commit/1e35e57f3051ecc89ba845ae7206321c8eac20a1
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:19 Feb, 2026 | 19:22
Updated At:19 Feb, 2026 | 19:22

Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow a unauthenticated, remote attacker to interact with the server API and either trigger a denial of service (DoS) condition or upload arbitrary files. This vulnerability is due to an erroneous binding to multiple interfaces. An attacker could exploit this vulnerability by sending API requests to a device exposing the affected API Server. A successful exploit could allow the attacker to consume an excessive amount of resources (memory starvation) or to upload files to arbitrary folders on the affected device. This vulnerability affects Skill-scanner 1.0.1 and earlier releases when the API Server is enabled. The API Server is not enabled by default. Skill-scanner software releases 1.0.2 and later contain the fix for this vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-668Primarysecurity-advisories@github.com
CWE ID: CWE-668
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/cisco-ai-defense/skill-scanner/commit/1e35e57f3051ecc89ba845ae7206321c8eac20a1security-advisories@github.com
N/A
https://github.com/cisco-ai-defense/skill-scanner/security/advisories/GHSA-ppfx-73j5-fhxcsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/cisco-ai-defense/skill-scanner/commit/1e35e57f3051ecc89ba845ae7206321c8eac20a1
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/cisco-ai-defense/skill-scanner/security/advisories/GHSA-ppfx-73j5-fhxc
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

11Records found
CVE-2026-21528
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 15.05%
||
7 Day CHG-0.01%
Published-10 Feb, 2026 | 17:51
Updated-19 Feb, 2026 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure IoT Explorer Information Disclosure Vulnerability

Binding to an unrestricted ip address in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_iot_explorerAzure IoT Explorer
CWE ID-CWE-1327
Binding to an Unrestricted IP Address
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-39040
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.95%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information leak in Cheese Cafe Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Action-Not Available
Vendor-cheese_cafe_line_projectn/a
Product-cheese_cafe_linen/a
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-39049
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.95%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information leak in youmart-tokunaga v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Action-Not Available
Vendor-youmart-tokunaga_projectn/a
Product-youmart-tokunagan/a
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-39046
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.95%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information leak in TonTon-Tei_waiting Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Action-Not Available
Vendor-tonton-tei_waiting_projectn/a
Product-tonton-tei_waitingn/a
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2019-4306
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.18% / 39.68%
||
7 Day CHG~0.00%
Published-28 Oct, 2019 | 23:36
Updated-17 Sep, 2024 | 00:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Guardium Big Data Intelligence (SonarG) 4.0 specifies permissions for a security-critical resource which could lead to the exposure of sensitive information or the modification of that resource by unintended parties. IBM X-Force ID: 160986.

Action-Not Available
Vendor-IBM Corporation
Product-security_guardium_big_data_intelligenceSecurity Guardium Big Data Intelligence
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-39039
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.95%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information leak in Camp Style Project Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Action-Not Available
Vendor-camp_style_project_line_projectn/a
Product-camp_style_project_linen/a
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-39043
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.08% / 23.40%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information leak in YKC Tokushima_awayokocho Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Action-Not Available
Vendor-ykcn/a
Product-tokushima_awayokochon/a
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-39056
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.07% / 20.95%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information leak in Coffee-jumbo v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Action-Not Available
Vendor-coffee-jumbo_projectn/a
Product-coffee-jumbon/a
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2022-34867
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.3||HIGH
EPSS-0.69% / 71.32%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 17:18
Updated-20 Feb, 2025 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Libre Form 2 plugin <= 2.0.8 - Unauthenticated Sensitive Information Disclosure vulnerability

Unauthenticated Sensitive Information Disclosure vulnerability in WP Libre Form 2 plugin <= 2.0.8 at WordPress allows attackers to list and delete submissions. Affects only versions from 2.0.0 to 2.0.8.

Action-Not Available
Vendor-wp_libre_form_projectLibreform
Product-wp_libre_formWP Libre Form 2 (WordPress plugin)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2020-26272
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.97% / 76.16%
||
7 Day CHG~0.00%
Published-28 Jan, 2021 | 18:25
Updated-27 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Electron vulnerable to ID collision when routing IPC messages to renderers containing OOPIFs

The Electron framework lets users write cross-platform desktop applications using JavaScript, HTML and CSS. In versions of Electron IPC prior to 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9, messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no known workarounds for this issue.

Action-Not Available
Vendor-Electron UserlandElectron (OpenJS Foundation)
Product-electronelectron
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-39058
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 25.36%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 00:00
Updated-25 Sep, 2024 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information leak in THE_B_members card v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Action-Not Available
Vendor-the_b_members_card_projectn/a
Product-the_b_members_cardn/a
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
Details not found