CVE-2026-41246

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in...

CVE-2026-41246

Contour’s Cookie Rewriting feature (Envoy Lua filter) is vulnerable to Lua code injection from v1.19.0 up to before v1.33.4, v1.32.5, and v1.31.6. An attacker with RBAC to create/modify HTTPProxy resources can inject values into spec.routes[].cookieRewritePolicies[].pathRewrite.value (or services...

CVE-2026-41246 Contour: Lua code injection via Cookie Path Rewrite Policy

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in...

EUVD-2026-25220

Improper Control of Generation of Code 'Code Injection' vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1...

CVE-2026-39440

Summary: CVE-2026-39440 affects the WordPress plugin FunnelFormsPro (FunnelForms LLC) up to version 3.8.1. The issue is an improper control of code generation (code injection) that enables Remote Code Inclusion, effectively a Remote Code Execution vulnerability. The description indicates the affe...

CVE-2026-39440 WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1...

CVE-2026-39440 WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1...

CVE-2026-41229

Summary (CVE-2026-41229) Froxlor prior to v2.3.6 contains a PHP code injection flaw in the generation of userdata.inc.php. PhpHelper::parseArrayToString() writes string values into single-quoted PHP literals without escaping single quotes. When an admin with change_serversettings updates a MySQL ...

CVE-2026-41229 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

CVE-2026-41229 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

EUVD-2026-25178

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

PT-2026-34867

Name of the Vulnerable Software and Affected Versions Apache ActiveMQ versions prior to 5.19.6 Apache ActiveMQ versions 6.0.0 through 6.2.4 Apache ActiveMQ Broker versions prior to 5.19.6 Apache ActiveMQ Broker versions 6.0.0 through 6.2.4 Apache ActiveMQ All versions prior to 5.19.6 Apache...

Luanti 代码注入漏洞

Luanti is an open-source voxel game engine developed by Luanti itself, supporting mods and game creation. Versions of Luanti from 5.0.0 to 5.15.2 had a code injection vulnerability. This vulnerability stemmed from the ability of malicious mods to escape the sandbox Lua environment, potentially...

Froxlor 代码注入漏洞

Froxlor is a set of lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.6 contained a code injection vulnerability. This vulnerability stemmed from the PhpHelper::parseArrayToString function, which did not escape single quotes when writing PHP...

H2O 代码注入漏洞

H2O is an open-source memory platform for distributed, scalable machine learning developed by H2O.ai. Versions of H2O 3.46.0.9 and earlier contained a code injection vulnerability. This vulnerability stemmed from insufficient security controls in the parameter blacklist mechanism. Attackers could...

WordPress plugin FunnelFormsPro 代码注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

Contour 代码注入漏洞

Contour is an open-source Kubernetes ingress controller that uses Envoy proxies. Versions of Contour from v1.19.0 to v1.33.4, v1.32.5 before v1.32.5, and v1.31.6 before v1.31.6 had a code injection vulnerability. This vulnerability stemmed from the Cookie rewriting feature, which was vulnerable t...

Flowise 代码注入漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior to Flowise 3.1.0, there was a code injection vulnerability. This vulnerability stemmed from the CSVAgent component, which allowed the provision of custom Pandas CSV reading code. Lack of...

Flowise 代码注入漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise 3.1.0 contained a code injection vulnerability, which was caused by a lack of input validation in the AirtableAgent.ts file. This vulnerability could lead to remote code...

PT-2026-34633

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with change serversettings permission adds or updates a MySQL server via the API,...