CVE-2026-45227 is a high-severity vulnerability in Heym before version 0.0.21, allowing authenticated workflow authors to bypass sandbox restrictions using Python introspection techniques. This could lead to arbitrary host command execution as the backend service user. The vulnerability exists in the custom Python tool executor of Heym, where attackers can recover the unrestricted __import__ function, imp [truncated]
CVE-2026-45226 is an authorization bypass vulnerability in Heym workflow execution. The vulnerability allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled executi [truncated]
CVE-2026-45225 is a path traversal vulnerability in the file upload endpoint of Heym before version 0.0.21. This vulnerability allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. The unvalidated filename parameter in the upload_file() handler can be exploited to bypass path restrictions and write, read, or delete fi [truncated]