Arbitrary Code Injection

Overview org.webjars.npm:mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of configuration options such as fontFamily, themeCSS, and...

Arbitrary Code Injection

Overview mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of the classDef function in state diagrams. An attacker can inject arbitrary...

Arbitrary Code Injection

Overview org.webjars.npm:mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of the classDef function in state diagrams. An attacker can...

Arbitrary Code Injection

Overview org.webjars.npm:mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of input passed to the addStyleClass function. An attacker c...

EUVD-2026-29101

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

Arbitrary Code Injection

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Arbitrary Code Injection via the Config::toArray function. An attacker can access sensitive configuration data, including plugin secrets, by...

CVE-2026-31254

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

CVE-2026-44995

OpenClaw contains an environment variable validation flaw in the MCP stdio server configuration before version 2026.4.20, allowing local attackers to inject code via startup variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV passed to spawned MCP server processes. The vulnerability is catego...

Exploit for Code Injection in Laravel Livewire

No d...

Arbitrary Code Injection

Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Arbitrary Code Injection via the envs.name field in the configuration file during Dockerfile generation. An attacker can execute arbitrary commands on the build host by crafti...

PT-2026-39639

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

CVE-2026-31254

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

CVE-2026-31254

The CVE-2026-31254 entry concerns the flash-attention project commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-04-13). A code-injection flaw (CWE-94) exists in the training script where Python’s eval() is registered as a Hydra config resolver under the name eval, enabling arbitrary code exec...

OWASP BLT 代码注入漏洞

OWASP BLT is an open-source gamified crowdsourcing platform for testing and disclosing vulnerabilities. Versions of OWASP BLT prior to 2.1.2 contained a code injection vulnerability. This vulnerability stemmed from the use of the pullrequesttarget trigger in the pre-commit-fix.yaml workflow, whic...

WWBN AVideo 代码注入漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained a code injection vulnerability. This vulnerability stemmed from incomplete mitigation measures for the autoEvalCodeOnHTML evaluation function in YPTSocket, allowin...

PT-2026-39922

Name of the Vulnerable Software and Affected Versions SAP Commerce cloud affected versions not specified Description Improper Spring Security configuration allows an unauthenticated user to perform malicious configuration upload and code injection. This can result in arbitrary server-side code...

📄 Fuel CMS 1.4.1 PHP Code Injection

This Metasploit module targets a remote code execution vulnerability in Fuel CMS version 1.4.1. The issue stems from improper input sanitization in the filter parameter, which is passed into a dangerous PHP evaluation eval context, enabling code injection...

Grav 代码注入漏洞

Grav is a scalable content management system CMS developed by the Grav open-source community, suitable for use in personal blogs, small content publishing platforms, and single-page product displays. Versions of Grav prior to 2.0.0-beta.2 contained a code injection vulnerability. This vulnerabili...

EUVD-2022-55969

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=addpost parameter, a...

Arbitrary Code Injection

Overview evolutioncms/evolution is an Evolution CMS is a Content Management System, ex MODX Evolution Affected versions of this package are vulnerable to Arbitrary Code Injection via the post parameter in the module creation process. An attacker can execute arbitrary system commands by injecting...