Lucene search

36507 matches found

Snyk
added 2026/04/02 7:26 p.m. | 2 views

Arbitrary Code Injection

Overview dbgate-web is a This package is used internally by DbGate Affected versions of this package are vulnerable to Arbitrary Code Injection through the FontIcon rendering path in packages/web/src/icons/FontIcon.svelte. An attacker can execute arbitrary JavaScript in a victim’s browser, or...

8.2 CVSS | 6.5 AI score | 0.00168 EPSS
Exploits 0 | References 3

RedhatCVE
added 2026/04/02 4:56 p.m. | 2 views

CVE-2026-29014

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

9.8 CVSS | 6.7 AI score | 0.39688 EPSS
Exploits 4 | References 1

IBM AIX
added 2026/04/02 3:29 p.m. | 5 views

Multiple vulnerabilities in PostgreSQL affect PowerVM VIOS

IBM SECURITY ADVISORY First Issued: Thu Apr 2 15:29:58 CDT 2026 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/postgresadvisory.asc Security Bulletin: Multiple vulnerabilities in PostgreSQL affect PowerVM VIOS...

8.8 CVSS | 7.4 AI score | 0.00709 EPSS
Exploits 1

Veracode
added 2026/04/02 2:24 p.m. | 9 views

Arbitrary Code Injection

org.springframework.ai:spring-ai-vector-store is vulnerable to Arbitrary Code Injection. The vulnerability is due to unsafe use of user-supplied input as a filter expression key in SimpleVectorStore, which allows an attacker to inject malicious expressions and execute arbitrary code...

9.8 CVSS | 6.1 AI score | 0.00821 EPSS
Exploits 0 | References 5 | Affected Software 1

CNNVD
added 2026/04/02 12:0 a.m. | 6 views

itsourcecode Payroll Management System Code Injection Vulnerability

itsourcecode Payroll Management System is an open-source payroll management system developed by itsourcecode. Version 1.0 of the itsourcecode Payroll Management System has a code injection vulnerability. This vulnerability stems from improper handling of the page parameter in the /navbar.php file...

5.3 CVSS | 5.7 AI score | 0.00337 EPSS
Exploits 0 | References 5

CNNVD
added 2026/04/02 12:0 a.m. | 5 views

SourceCodester Simple Customer Relationship Management System Code Injection Vulnerability

SourceCodester Simple Customer Relationship Management System is a simple customer relationship management system developed under open source by SourceCodester. Version 1.0 of the SourceCodester Simple Customer Relationship Management System contains a code injection vulnerability. This...

5.1 CVSS | 5.7 AI score | 0.00191 EPSS
Exploits 0 | References 5

CNNVD
added 2026/04/02 12:0 a.m. | 3 views

Henan Xiaopi Panel Code Injection Vulnerability

Henan Xiaopi Panel is a Linux graphical interface developed by Henan Xiaopi in Henan, China. Version 1.0.0 of Henan Xiaopi Panel contains a code injection vulnerability. This vulnerability stems from improper handling of the parameter “param” in the file /demo.php of the component WAF Firewall,...

6.1 CVSS | 5.6 AI score | 0.00194 EPSS
Exploits 0 | References 4

CNNVD
added 2026/04/02 12:0 a.m. | 4 views

DbGate Code Injection Vulnerability

DbGate is an open-source database manager developed by DbGate. Versions of DbGate from 7.0.0 to 7.1.5 had a code injection vulnerability. This vulnerability occurred because SVG icon strings controlled by attackers were rendered as raw HTML without being cleaned properly, which could lead to...

8.2 CVSS | 5.8 AI score | 0.00168 EPSS
Exploits 0 | References 3

CNNVD
added 2026/04/02 12:0 a.m. | 4 views

Webkul Krayin CRM Code Injection Vulnerability

Webkul Krayin CRM is a free and open-source CRM solution for small and medium-sized businesses from the Indian company Webkul. Versions of Webkul Krayin CRM 2.2 and earlier contained a code injection vulnerability. This vulnerability stemmed from an error in the composeMail function of the...

5.1 CVSS | 5.7 AI score | 0.00203 EPSS
Exploits 0 | References 7

GitHub Security Blog
added 2026/04/01 11:51 p.m. | 112 views

lodash vulnerable to Code Injection via `_.template` imports key names

Impact The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. When an application passes untrusted input as options.imports key names, an attacker...

9.8 CVSS | 6.1 AI score | 0.01026 EPSS
Exploits 0 | References 6 | Affected Software 4

OSV
added 2026/04/01 11:51 p.m. | 4 views

GHSA-R5FR-RJXR-66JC lodash vulnerable to Code Injection via `_.template` imports key names

Impact The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. When an application passes untrusted input as options.imports key names, an attacker...

8.1 CVSS | 6.2 AI score | 0.01026 EPSS
Exploits 0 | References 6

Snyk
added 2026/04/01 11:17 p.m. | 7 views

Arbitrary Code Injection

Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Arbitrary Code Injection via the executecode method. An attacker can execute arbitrary operating system commands by passing a crafted str...

10 CVSS | 6.1 AI score | 0.00707 EPSS
Exploits 1 | References 2

EUVD
added 2026/04/01 3:31 p.m. | 31 views

EUVD-2026-17875

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

9.8 CVSS | 6.7 AI score | 0.39688 EPSS
Exploits 4 | References 4

NVD
added 2026/04/01 1:16 p.m. | 46 views

CVE-2026-29014

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

9.8 CVSS | 0.39688 EPSS
Exploits 4 | References 5

Cvelist
added 2026/04/01 12:22 p.m. | 57 views

CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

9.8 CVSS | 0.39688 EPSS
Exploits 4 | References 3

Vulnrichment
added 2026/04/01 12:22 p.m. | 0 views

CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

9.8 CVSS | 6.8 AI score | 0.39688 EPSS
Exploits 4 | References 3

CVE
added 2026/04/01 12:22 p.m. | 22 views

CVE-2026-29014

CVE-2026-29014 affects MetInfo CMS versions 7.9, 8.0, and 8.1 with an unauthenticated PHP code injection that enables remote code execution. The vulnerability arises from insufficient input neutralization in the execution path, allowing remote attackers to send crafted requests containing PHP cod...

9.8 CVSS | 6.7 AI score | 0.39688 EPSS
In wild | Exploits 4 | References 5 | Affected Software 1

RedhatCVE
added 2026/04/01 5:0 a.m. | 0 views

CVE-2026-30309

InfCode's terminal auto-execution module contains a critical command filtering vulnerability that renders its blacklist security mechanism completely ineffective. The predefined blocklist fails to cover native high-risk commands in Windows PowerShell such as powershell, and the matching algorithm...

7.8 CVSS | 6.5 AI score | 0.00297 EPSS
Exploits 0 | References 1

Snyk
added 2026/04/01 12:5 a.m. | 1 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection through the escapeNodeAttributeValues process. An attacker can execute arbitrary operating system commands by crafting a malicious .sy.zip file containing specially formatted block attribute values, which, when...

9.3 CVSS | 6.2 AI score | 0.00343 EPSS
Exploits 1 | References 3

Snyk
added 2026/04/01 12:5 a.m. | 3 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection through the escapeNodeAttributeValues process. An attacker can execute arbitrary operating system commands by crafting a malicious .sy.zip file containing specially formatted block attribute values, which, when...

9.3 CVSS | 6.2 AI score | 0.00343 EPSS
Exploits 1 | References 3