CVE-2026-48163

A flaw was found in MariaDB server. During the State Snapshot Transfer SST process, a malicious joiner node could exploit improper parameter validation on the donor node. This vulnerability, specifically within the rsync SST method, allows the malicious joiner to execute arbitrary shell commands ...

EUVD-2026-37959

PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode approvalmode to auto, overriding administrator configuration from PRAISONAPPROVALMODE environment variable. Authenticated attackers can instruct the LLM agent to execute arbitrary...

CVE-2026-44168 MariaDB: wsrep SST unsafe parameter handling on the donor side

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. No...

CVE-2026-47167

Vim has a code injection vulnerability in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) affecting builds with +ruby support prior to version 9.2.0496. A crafted step-definition regex pulled from .rb files under features// or stories/ / directories is embedded into a Ruby Kernel.eva...

CVE-2026-49196 Predator Connect W6x: Web Interface Command Injection

The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands...

gitoxide 安全漏洞

GitOxide is a Git implementation written in Rust by Sebastian Thiel. Versions of GitOxide prior to 0.82.0 contained a security vulnerability, which stemmed from improper validation of the update field in.gitmodules. This vulnerability could allow attackers to bypass the...

EUVD-2026-30951

A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection...

CVE-2026-42307

CVE-2026-42307 affects Vim where the netrw plugin is vulnerable to an OS command injection prior to 9.2.0383. By tricking a user to open a crafted URL (e.g., sftp://, file://), an attacker can execute arbitrary shell commands with the Vim process privileges. The issue is mitigated by upgrading to...

Yeapook WDR201A WiFi Extender 操作系统命令注入漏洞

The Yeapook WDR201A WiFi Extender is a wireless signal extension device from the Yeapook company. The Yeapook WDR201A WiFi Extender HW V2.1 version and FW LFMZX28040922V1.02 version have a vulnerability related to operating system command injection. This vulnerability stems from the sz11gChannel ...

PT-2026-36911

Name of the Vulnerable Software and Affected Versions WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 Description An OS command injection issue exists in the 'internet.cgi' binary. Unauthenticated remote attackers can execute arbitrary shell commands by injecting malicious input into the...

vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin

A flaw was found in Vim, an open-source command-line text editor. Specifically, an operating system OS command injection vulnerability exists in the netrw standard plugin. A remote attacker could exploit this by tricking a user into opening a specially crafted URL, such as one using the scp://...

Malicious code in strapi-plugin-api (npm)

strapi-plugin-api is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. It...

PX4 Autopilot

RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker with access to the MAVLink interface to execute arbitrary shell commands without cryptographic authentication. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of...

CVE-2026-32003

OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and PS4 environment variables. An attacker who can invoke system.run with request-scoped environment...

CVE-2026-28417

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL e.g., using the scp:// protocol handler, an attacker can execute arbitrary shell command...

USN-8011-1: Emacs vulnerabilities

It was discovered that Emacs could trigger unsafe Lisp macro expansion, when a user invoked elisp-completion-at-point on untrusted Emacs Lisp source code. An attacker could possibly use this issue to execute arbitrary code. CVE-2024-53920 It was discovered that Emacs did not properly sanitize inp...

CVE-2021-47748

Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the runsql endpoint by crafting malicious GraphQL queries that execute system commands through...

CVE-2026-22812

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process or any website via permissive CORS to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216...

CVE-2026-22812 OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process or any website via permissive CORS to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216...

PT-2026-2315

Name of the Vulnerable Software and Affected Versions OpenCode versions prior to 1.0.216 Description OpenCode, an open source AI coding agent, has an issue where it automatically starts an unauthenticated HTTP server. This allows any local process, or any website due to permissive CORS settings, ...