
5 matches found

Positive Technologies
added 2026/05/26 12:0 a.m., 9 views

PT-2026-43449

TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. This vulnerability is of high severity for affected sites and has a high real-world impact. ---- Introduction Arbitrary method call is a type of arbitrary code execution...

8.7 CVSS, 6 AI score, 0.0007 EPSS
Exploits: 0, References: 5
Github Security Blog
added 2026/02/10 12:21 a.m., 9 views

Bitcoinrb Vulnerable to Command injection via RPC

Summary: Remote Code Execution Unsafe handling of request parameters in the RPC HTTP server results in command injection Details In lib/bitcoin/rpc/httpserver.rb line 30-39, the JSON body of a POST request is parsed into command and args variables. These values are then passed to send, which is...

6.5 AI score
Exploits: 0, References: 4, Affected Software: 1
Cvelist
added 2024/10/29 4:31 p.m., 302 views

CVE-2024-9989 Crypto <= 2.18 - Authentication Bypass via log_in

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. This is due to a limited arbitrary method call to 'cryptoconnectajaxprocess::log_in' function in the 'cryptoconnectajaxprocess' function. This makes it possible for unauthenticated...

9.8 CVSS, 0.07217 EPSS
Exploits: 0, References: 4
Cvelist
added 2024/03/12 7:44 p.m., 63 views

CVE-2024-28121 Reflex arbitrary method call in stimulus_reflex

stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of them has security...

8.8 CVSS, 8.8 AI score, 0.01555 EPSS
Exploits: 3, References: 6
RedHat Linux
added 2021/06/29 4:10 p.m., 1 views

ruby: Code injection via command argument of Shell#test / Shell#[]

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument aka the "command" argument to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method...

8.1 CVSS, 7.4 AI score, 0.04221 EPSS
Exploits: 1, References: 4