721 matches found
CVE-2024-48908 lychee-action vulnerable to arbitrary code injection in composite action
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2...
GHSA-65RG-554R-9J5X lychee link checking action affected by arbitrary code injection in composite action
Summary: There is a potential arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. Details: The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action. PoC (yaml): - uses: lycheeverse/lychee@v2...
CVE-2025-52122
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form submission title...
Arbitrary Code Injection
Overview nemo-curator is a scalable data preprocessing tool for training large language models. Affected versions of this package are vulnerable to Arbitrary Code Injection via the processing of malicious files. An attacker can execute arbitrary code, escalate privileges, access sensitive...
Arbitrary Code Injection
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Arbitrary Code Injection via the checkArrowFunction function in src/web/twig/Extension.php. An attacker can execute arbitrary code by injecting malicious payloads into templates. Note: This i...
CVE-2025-54172
QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. Regular admin user is not able to inject any JS scripts into th...
Arbitrary Code Injection
Overview rdsearchlogic: Searchlogic makes using ActiveRecord named scopes easier and less repetitive. Affected versions of this package are vulnerable to Arbitrary Code Injection via the searchinstanceeval parameter, which is dynamically invoked using the send method. An attacker can execute...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via a python dependency. An attacker can execute arbitrary code, escalate privileges, access sensitive information, and tamper with data by injecting malicious input. Remediation A fix was pushed into the master...
Arbitrary Code Injection
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Arbitrary Code Injection via the /updater/restore-db endpoint. An attacker can execute arbitrary code by crafting a malicious request after obtaining a compromised security key and creating a...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection on the host by exploiting write permissions in the root namespace, creating audit files in the plugin directory, and using the plugin registration functionality to execute the created files. Notes: - This is onl...
Arbitrary Code Injection
Overview github.com/hashicorp/vault/vault is a tool for securely accessing secrets. Affected versions of this package are vulnerable to Arbitrary Code Injection on the host by exploiting write permissions in the root namespace, creating audit files in the plugin directory, and using the plugin...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection on the host by exploiting write permissions in the root namespace, creating audit files in the plugin directory, and using the plugin registration functionality to execute the created files. Notes: - This is onl...
Arbitrary Code Injection
letta is vulnerable to Arbitrary Code Injection. The vulnerability is due to insufficient enforcement of execution restrictions in the /v1/tools/run endpoint, allowing crafted payloads to bypass protections and execute arbitrary Python code or system commands...
Arbitrary Code Injection
Overview pyload-ng is the free and open-source download manager written in pure Python. Affected versions of this package are vulnerable to Arbitrary Code Injection in the CAPTCHA processing code, via the onCaptchaResult function. An attacker could execute arbitrary code in the client browser an...
CVE-2025-50869
A stored Cross-Site Scripting (XSS) vulnerability exists in the qureydetails.php page of Institute-of-Current-Students 1.0, where the input fields for Query and Answer do not properly sanitize user input. Authenticated users can inject arbitrary JavaScript code...
Arbitrary Code Injection
Overview letta is a tool to create LLM agents with long-term memory and custom tools. Affected versions of this package are vulnerable to Arbitrary Code Injection via the runlocaldirsandboxdirectly function in the toolexecutionsandbox.py file. An attacker can execute arbitrary Python code and system...
Arbitrary Code Injection
pyLoad-ng is vulnerable to Arbitrary Code Injection. The vulnerability is due to unsafe JavaScript evaluation caused by insecure CAPTCHA processing logic that allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially on the backend server...
Arbitrary Code Injection
Overview livewire/livewire is a front-end framework for Laravel. Affected versions of this package are vulnerable to Arbitrary Code Injection via the hydration process of component property updates. An attacker can execute arbitrary commands on the server by sending specially crafted requests ...