
Snyk
added 2026/04/16 9:44 p.m.

Arbitrary Code Injection

Overview flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization...

CVSS 9.9 | AI score 6.2 | EPSS 0.0145
Exploits: 1 | References: 2
Snyk
added 2026/04/16 9:44 p.m.

Arbitrary Code Injection

Overview flowise-ui is a Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization. This is only...

CVSS 9.9 | AI score 6.2 | EPSS 0.0145
Exploits: 1 | References: 2
Github Security Blog
added 2026/04/16 9:44 p.m.

Flowise: Code Injection in CSVAgent leads to Authenticated RCE

Summary The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide the following payload: DataFrame'foo': 'bar!';import os;os.system'whoami' that will get interpolated and executed by the server. Details The code in question that introduces t...

CVSS 9.4 | AI score 6.1 | EPSS 0.0145
Exploits: 1 | References: 3 | Affected Software: 2
OSV
added 2026/04/16 9:44 p.m.

GHSA-9WC7-MJ3F-74XV Flowise: Code Injection in CSVAgent leads to Authenticated RCE

Summary The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide the following payload: DataFrame'foo': 'bar!';import os;os.system'whoami' that will get interpolated and executed by the server. Details The code in question that introduces t...

CVSS 9.4 | AI score 6.1 | EPSS 0.0145
Exploits: 1 | References: 3
Snyk
added 2026/04/16 9:43 p.m.

Arbitrary Code Injection

Overview flowise-components is a Flowiseai Components package. Affected versions of this package are vulnerable to Arbitrary Code Injection through the pythonCodeValidator and the Python execution paths in AirtableAgent.ts and CSVAgent.ts. An attacker can supply LLM-generated Python code that smuggles in...

CVSS 8.8 | AI score 6.1 | EPSS 0.00603
Exploits: 1 | References: 2
Snyk
added 2026/04/16 9:10 p.m.

Timing Attack

Overview mojic is an Obfuscate C source code into encrypted, password-seeded emoji streams. Affected versions of this package are vulnerable to Timing Attack in the getDecryptStream process. An attacker can bypass file integrity checks by exploiting timing discrepancies in the HMAC verification,...

CVSS 5.7 | AI score 6 | EPSS 0.00108
Exploits: 0 | References: 2
Snyk
added 2026/04/16 3:31 p.m.

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the example code in examplexcom. Unsafe pattern of reading value from xcom could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Note: Vendor...

CVSS 8.1 | AI score 6.1 | EPSS 0.00579
Exploits: 0 | References: 2
Veracode
added 2026/04/16 11:12 a.m.

Code Injection

Handlebars is vulnerable to code injection. The vulnerability is due to improper sanitization of user-controlled inputs in the CLI precompiler, which allows an attacker to inject arbitrary JavaScript via crafted template filenames or CLI arguments and execute it when the generated code is run...

CVSS 8.2 | AI score 6 | EPSS 0.00293
Exploits: 1 | References: 3 | Affected Software: 1
EUVD
added 2026/04/16 6:31 a.m.

EUVD-2026-23174

Due to improper input validation in one of the Eaton Intelligent Power Protector IPP XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version...

CVSS 6 | AI score 5.9 | EPSS 0.00342
Exploits: 0 | References: 2
Github Security Blog
added 2026/04/16 12:50 a.m.

Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

Summary PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, the privilegeduser parameter which has no input validation is written...

CVSS 9.1 | AI score 6 | EPSS 0.0048
Exploits: 1 | References: 5 | Affected Software: 1
OSV
added 2026/04/16 12:50 a.m.

GHSA-GC9W-CC93-RJV8 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

Summary PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, the privilegeduser parameter which has no input validation is written...

CVSS 9.1 | AI score 6 | EPSS 0.0048
Exploits: 1 | References: 5
Snyk
added 2026/04/16 12:50 a.m.

Arbitrary Code Injection

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Arbitrary Code Injection via the PhpHelper::parseArrayToString process. An attacker can execute arbitrary PHP code as the web server user by injecting specially crafted input into...

CVSS 9.1 | AI score 6.1 | EPSS 0.0048
Exploits: 1 | References: 2
Positive Technologies
added 2026/04/16 12:00 a.m.

PT-2026-33256

Due to improper input validation in one of the Eaton Intelligent Power Protector IPP XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version...

CVSS 6 | AI score 5.9 | EPSS 0.00342
Exploits: 0 | References: 2
Tenable Nessus
added 2026/04/16 12:00 a.m.

SAP NetWeaver AS Java Code Injection (3719397)

The version of SAP NetWeaver Application Server Java detected on the remote host is affected by a code injection vulnerability as disclosed in the SAP Security Patch Day April 2026: - Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticate...

CVSS 6.1 | AI score 6.2 | EPSS 0.00192
Exploits: 0 | References: 2
CISA KEV Catalog
added 2026/04/16 12:00 a.m.

Apache ActiveMQ Improper Input Validation Vulnerability

Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection...

CVSS 8.8 | AI score 7.3 | EPSS 0.87048
Exploited in the wild | Exploits: 12
RedhatCVE
added 2026/04/15 7:23 a.m.

CVE-2026-27674

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, th...

CVSS 6.1 | AI score 6.1 | EPSS 0.00192
Exploits: 0 | References: 1
Snyk
added 2026/04/14 11:39 p.m.

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the multiple writer sinks such as serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission. An attacker can execute arbitra...

CVSS 7.8 | AI score 6.1 | EPSS 0.00421
Exploits: 1 | References: 2
Snyk
added 2026/04/14 10:50 p.m.

Arbitrary Code Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Arbitrary Code Injection via the msg and callback fields in relayed WebSocket messages, which are processed by client-side eval sinks. An attacker can execute...

CVSS 10 | AI score 6.1 | EPSS 0.00645
Exploits: 1 | References: 2
Snyk
added 2026/04/14 10:29 p.m.

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the INI settings parser when environment variable interpolation is processed via the parseinistring function. An attacker with Editor permissions can retrieve sensitive environment variables by injecting...

CVSS 6.9 | AI score 5.7 | EPSS 0.00326
Exploits: 0 | References: 2
RedhatCVE
added 2026/04/14 7:23 p.m.

CVE-2026-39640

Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor (theme-editor) allows Code Injection. This issue affects Theme Editor: from n/a through 3.2...

CVSS 9.6 | AI score 5.8 | EPSS 0.00143
Exploits: 0 | References: 1