CVE-2026-25776

Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script...

CVE-2026-43892

AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16...

CVE-2026-3120

Improper Control of Generation of Code 'Code Injection' vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3...

CVE-2026-33862

A vulnerability has been identified in Teamcenter V2312 All versions V2312.0014, Teamcenter V2406 All versions V2406.0012, Teamcenter V2412 All versions V2412.0009, Teamcenter V2506 All versions V2506.0005, Teamcenter V2512 All versions. The affected application does not properly encode or filter...

CVE-2026-24937

Improper Control of Generation of Code 'Code Injection' vulnerability in VideoWhisper.Com Broadcast Live Video allows Code Injection. This issue affects Broadcast Live Video: from n/a before 7.1.3...

CVE-2026-4810

A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit ADK versions 1.7.0 and 2.0.0a1 through 1.28.1 and 2.0.0a2 on Python OSS, Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance. This...

CVE-2026-22314

Improper Control of Generation of Code 'Code Injection' vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component:...

CVE-2026-39440

Improper Control of Generation of Code 'Code Injection' vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1...

Updated cockpit packages fix security vulnerabilities

CVE-2026-4631, Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects...

GHSA-WM5R-5QP3-5VXF Authenticated Remote Code Execution via loadReader functionName code injection in DbGate

Summary DbGate is vulnerable to authenticated Remote Code Execution RCE. Any user with valid DbGate credentials can execute arbitrary OS commands as root by exploiting an unsanitized functionName parameter in the /runners/load-reader endpoint. The require = null mitigation is trivially bypassed v...

Markdown Preview Enhanced 安全漏洞

Markdown Preview Enhanced is a highly powerful markup extension developed by Yiyi Wang. Version 0.8.x of Markdown Preview Enhanced contains security vulnerabilities, which stem from code injection in the WaveDrom rendering pipeline. This vulnerability allows attackers to execute arbitrary...

MalSkillBench: A Runtime-Verified Benchmark of Malicious Agent Skills

AI coding agents such as Claude Code and Gemini CLI increasingly extend themselves with third-party skills: markdown packages bundling natural-language instructions, executable scripts, and tool permissions. Because a skill is at once code and agent-facing instruction, it introduces a supply chai...

CollegeManagementSystem 代码注入漏洞

CollegeManagementSystem is a comprehensive management system for college students and academic administration, developed by Tittu Varghese. CollegeManagementSystem has a code injection vulnerability. This vulnerability stems from improper handling of the departmentname parameter in the...

Markdown Preview Enhanced 代码注入漏洞

Markdown Preview Enhanced is a highly powerful markup extension developed by Yiyi Wang. Versions of Markdown Preview Enhanced prior to 0.8.28 contained a code injection vulnerability. This vulnerability stemmed from the use of interpretJS to parse Bitfield and execute code, potentially allowing...

Revive Adserver 6.0.6 XSS / SQL Injection / Code Injection

Revive Adserver versions 6.0.6 and below suffer from access control, code injection, cross site scripting, and remote SQL injection vulnerabilities...

CVE-2026-11062

Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. Chromium security severity: Medium...

qt6-qtdeclarative security update

An update is available for qt6-qtdeclarative. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Qt6 - QtDeclarative component. Security Fixes: qt: Qt SVG: Arbitra...

RLSA-2026:20567 Important: qt6-qtdeclarative security update

Qt6 - QtDeclarative component. Security Fixes: qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file CVE-2025-14576 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via insufficient validation of query parameters used in JSP file creation. An attacker can execute arbitrary code on the server by supplying crafted query parameters that cause a JSP file containing...

CoreShop 代码注入漏洞

CoreShop is an open-source e-commerce system developed by CoreShop. Versions 5.0.1 to 5.1.0-beta.1 of CoreShop have a code injection vulnerability. This vulnerability arises from the GitHub Actions workflow using pullrequesttarget to trigger and inspect unvalidated code, potentially allowing remo...