Lucene search
K

706 matches found

CVE
CVE
added 2026/03/30 5:0 p.m.10 views

CVE-2026-5125

The vulnerability CVE-2026-5125 affects raine consult-llm-mcp up to 2.5.3, specifically the function child_process.execSync in src/server.ts. Manipulating git_diff.base_ref/git_diff.files can lead to OS command injection with local access. A public exploit exists and upgrading to 2.5.4 (patch 4ab...

5.3CVSS5.8AI score0.0083EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/03/30 12:0 a.m.5 views

PT-2026-29158

Name of the Vulnerable Software and Affected Versions NocoBase versions prior to 2.0.28 Description NocoBase is an AI-powered no-code/low-code platform. Versions of NocoBase prior to 2.0.28 have a security flaw that allows an authenticated attacker to achieve Remote Code Execution RCE as root. Th...

9.9CVSS6.1AI score0.36503EPSS
Exploits7References22
RedhatCVE
RedhatCVE
added 2026/03/26 2:57 p.m.10 views

CVE-2026-26832

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

9.8CVSS5.9AI score0.01706EPSS
Exploits3References1
OSV
OSV
added 2026/03/25 6:31 p.m.3 views

GHSA-9PCJ-M5RR-P28G textract is vulnerable to OS Command Injection

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

9.8CVSS5.9AI score0.02421EPSS
Exploits4References7
Github Security Blog
Github Security Blog
added 2026/03/25 6:31 p.m.9 views

thumbler allows OS Command Injection

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to childprocess.exec without proper sanitization or escaping...

9.8CVSS5.9AI score0.02308EPSS
Exploits4References6Affected Software1
NVD
NVD
added 2026/03/25 4:16 p.m.16 views

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

9.8CVSS0.02421EPSS
Exploits4References6
EUVD
EUVD
added 2026/03/25 3:31 p.m.4 views

EUVD-2026-15457

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...

9.8CVSS5.8AI score0.02493EPSS
Exploits4References4
OSV
OSV
added 2026/03/25 3:31 p.m.6 views

GHSA-Q5MH-72XG-628W pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via...

9.8CVSS5.9AI score0.02493EPSS
Exploits4References3
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.2 views

PT-2026-27802

Name of the Vulnerable Software and Affected Versions thumbler versions prior to 1.1.3 Description The software contains a flaw that allows for the injection of operating system commands. This occurs through the input, output, time, or size parameters within the thumbnail function. The issue aris...

9.8CVSS6.1AI score0.02308EPSS
Exploits4References7
ATTACKERKB
ATTACKERKB
added 2026/03/25 12:0 a.m.2 views

CVE-2026-26830

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...

9.8CVSS5.8AI score0.02493EPSS
Exploits4References4
Cvelist
Cvelist
added 2026/03/25 12:0 a.m.24 views

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

0.02421EPSS
Exploits4References6
Cvelist
Cvelist
added 2026/03/25 12:0 a.m.28 views

CVE-2026-26832

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

9.8CVSS0.01706EPSS
Exploits3References4
EUVD
EUVD
added 2026/03/20 9:31 p.m.6 views

EUVD-2026-13768

A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function childprocess.exec of the file src/gitUtils.ts of the component showmergediff/quickmergesummary/showfilediff. The manipulation results in os command...

5.3CVSS5.5AI score0.00697EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/03/20 6:32 p.m.26 views

CVE-2026-4496 sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection

A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function childprocess.exec of the file src/gitUtils.ts of the component showmergediff/quickmergesummary/showfilediff. The manipulation results in os command...

5.3CVSS0.00697EPSS
Exploits0References7
CVE
CVE
added 2026/03/20 6:32 p.m.7 views

CVE-2026-4496

Sigmade Git-MCP-Server (up to commit 785aa159f262a02d5791a5d8a8e13c507ac42880) is affected. The vulnerability resides in the function child_process.exec in src/gitUtils.ts (component show_merge_diff/quick_merge_summary/show_file_diff) and allows local OS command injection. The attack requires loc...

5.3CVSS5.5AI score0.00697EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/03/20 6:32 p.m.4 views

CVE-2026-4496

A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function childprocess.exec of the file src/gitUtils.ts of the component showmergediff/quickmergesummary/showfilediff. The manipulation results in os command...

5.3CVSS5.5AI score0.00697EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/03/20 12:0 a.m.7 views

Git MCP Server 操作系统命令注入漏洞

Git MCP Server is an MCP server developed by Casey Hand individually. Git MCP Server has a vulnerability related to operating system command injection. This vulnerability stems from the use of the childprocess.exec function in the file gitUtils.ts, which contains commands like...

5.3CVSS6.1AI score0.00697EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.5 views

PT-2026-26662

A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child process.exec of the file src/gitUtils.ts of the component show merge diff/quick merge summary/show file diff. The manipulation results in os...

5.3CVSS5.2AI score0.00697EPSS
Exploits0References8
EUVD
EUVD
added 2026/03/13 8:2 p.m.5 views

EUVD-2026-11694

Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:childprocess...

8.1CVSS5.8AI score0.01483EPSS
Exploits1References2
OSV
OSV
added 2026/03/13 8:2 p.m.4 views

GHSA-4C96-W8V2-P28J Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process

Summary A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190 GHSA-hmh4-3xvx-q5hr. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's...

8.1CVSS6.1AI score0.01483EPSS
Exploits1References3
Rows per page
Query Builder