CVE-2026-3495 Unescaped variables during error page composition

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those...

Arbitrary Code Injection

Overview GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Arbitrary Code Injection via the setvalue function. An attacker can achieve arbitrary code execution by injecting newline characters into configuration values, which...

Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values

A flaw was found in Apache ZooKeeper. Improper handling of configuration values in ZKConfig allows an attacker to expose sensitive information. This occurs when sensitive client configuration values are logged at an INFO level in the client's logfile. This vulnerability can lead to information...

Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values

A flaw was found in Apache ZooKeeper. Improper handling of configuration values in ZKConfig allows an attacker to expose sensitive information. This occurs when sensitive client configuration values are logged at an INFO level in the client's logfile. This vulnerability can lead to information...

CVE-2026-40623 SenseLive X3050 Missing Authorization

A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive functions, parameters such as IP addressing, watchd...

Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values

A flaw was found in Apache ZooKeeper. Improper handling of configuration values in ZKConfig allows an attacker to expose sensitive information. This occurs when sensitive client configuration values are logged at an INFO level in the client's logfile. This vulnerability can lead to information...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the Executrix utility when configuration-derived values, such as PLACENAME, are concatenated into shell commands without sufficient sanitization. An attacker can achieve arbitrary command execution by supplying...

CVE-2026-33406

Pi-hole Admin Interface (6.0–before 6.5) contains a stored HTML attribute injection in the /api/config values embedded into HTML value="" attributes via settings-advanced.js, enabling attribute-level manipulation. The root cause is unescaped config values, which can break out of the attribute con...

Pi-Hole Adminlte 跨站脚本漏洞

Pi-Hole Adminlte is a control panel used for collecting more data. Versions of Pi-Hole Adminlte from 6.0 to 6.5 had a cross-site scripting vulnerability. This vulnerability occurred due to the direct insertion of configuration values into HTML attributes without escaping, which could lead to HTML...

CVE-2026-33641 Glances Vulnerable to Command Injection via Dynamic Configuration Values

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.getvalue and is implemented...

CVE-2026-33641

Glances prior to 4.5.3 is vulnerable to a local command-injection via dynamic configuration values: substrings enclosed in backticks are executed during configuration parsing in Config.get_value(), with no input validation. If an attacker can modify configuration files and Glances runs with eleva...

EUVD-2018-21708

SIPP 3.3 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious input in the configuration file. Attackers can craft a configuration file with oversized values that overflow a stack buffer, overwriting the...

CVE-2026-33886

Statamic CMS vulnerability CVE-2026-33886 affects Antlers-enabled content fields. A control panel user could access sensitive configuration values by inserting config variables into content in affected versions: 5.7.12 through 5.73.15 and 6.7.0 through 6.7.1. The issue is fixed in 5.73.16 and 6.7...

Statamic 信息泄露漏洞

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. Versions of Statamic 5.7.12 to 5.73.16, as well as 6.7.2, had an information leakage vulnerability. This vulnerability...

GHSA-GCQF-5X9F-HQ7F Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields

Impact A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. Patches This has been fixed in 5.73.16 and 6.7.2...

PT-2026-28553

Name of the Vulnerable Software and Affected Versions Statamic versions 5.7.12 through 5.73.15 Statamic versions 6.7.0 through 6.7.1 Description A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into...

CVE-2019-25611 MiniFtp parseconf_load_setting Buffer Overflow via Configuration

MiniFtp contains a buffer overflow vulnerability in the parseconfloadsetting function that allows local attackers to execute arbitrary code by supplying oversized configuration values. Attackers can craft a miniftpd.conf file with values exceeding 128 bytes to overflow stack buffers and overwrite...

CVE-2019-25611

MiniFtp contains a buffer overflow vulnerability in the parseconfloadsetting function that allows local attackers to execute arbitrary code by supplying oversized configuration values. Attackers can craft a miniftpd.conf file with values exceeding 128 bytes to overflow stack buffers and overwrite...

CVE-2019-25611 MiniFtp parseconf_load_setting Buffer Overflow via Configuration

MiniFtp contains a buffer overflow vulnerability in the parseconfloadsetting function that allows local attackers to execute arbitrary code by supplying oversized configuration values. Attackers can craft a miniftpd.conf file with values exceeding 128 bytes to overflow stack buffers and overwrite...

MiniFtp 缓冲区错误漏洞

MiniFtp is a lightweight FTP server software developed by Arvin’s individual developer. MiniFtp has a buffer error vulnerability, which stems from a buffer overflow in the parseconfloadsetting function. This vulnerability could allow local attackers to execute arbitrary code by providing...