50 matches found

RedhatCVE
added 6 days ago | 4 views

CVE-2026-36044

@pensar/apex = 0.0.58 is vulnerable to OS command injection via the smartenumerate tool. The createSmartEnumerateTool function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js...

CVSS 8.8 | AI score 6 | EPSS 0.00074
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/06 1:25 a.m. | 2 views

CVE-2026-25512

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled...

CVSS 9.4 | AI score 6.7 | EPSS 0.23825
Exploits: 2 | References: 1

Vulnrichment
added 2026/02/04 8:39 p.m. | 1 view

CVE-2026-25512 Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled...

CVSS 9.4 | AI score 6.7 | EPSS 0.23825
Exploits: 2 | References: 2

OSV
added 2026/01/13 3:29 p.m. | 1 view

CVE-2025-68802 drm/xe: Limit num_syncs to prevent oversized allocations

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit num_syncs to prevent oversized allocations. The exec and vm_bind ioctl allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation,...

AI score 6.3 | EPSS 0.00032
Exploits: 0 | References: 6

VulnCheck KEV
added 2025/12/19 12:00 a.m. | 16 views

VulnCheck KEV: CVE-2025-32778

Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project Lissy93/web-check. The issue stems from user-controlled input url being passed unsanitized into a shell command using exec, allowing attackers t...

CVSS 9.3 | AI score 6.2 | EPSS 0.44716
In wild | Exploits: 4 | References: 78

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2017-5630

Malware in sbrugna...

CVSS 8.8 | AI score 8.8 | EPSS 0.03082
Exploits: 1 | References: 2

Veracode
added 2024/08/27 7:13 a.m. | 11 views

Code Injection

llamaindex is vulnerable to Code Injection. The vulnerability is caused by missing validation of the cls_name variable used in the exec call in the download/integration.py script. An attacker can execute arbitrary code by injecting malicious input into the cls_name variable used in the exec...

CVSS 8.8 | AI score 7.5 | EPSS 0.00212
Exploits: 0 | References: 3 | Affected Software: 1

Github Security Blog
added 2024/08/22 9:31 p.m. | 11 views

LlamaIndex includes an exec call for `import {cls_name}`

An issue was discovered in llamaindex before 0.10.38. download/integration.py includes an exec call for `import {cls_name}`...

CVSS 8.8 | AI score 6.9 | EPSS 0.00212
Exploits: 0 | References: 6 | Affected Software: 1

OSV
added 2024/08/22 9:31 p.m. | 10 views

GHSA-FXC2-8M62-M85X LlamaIndex includes an exec call for `import {cls_name}`

An issue was discovered in llamaindex before 0.10.38. download/integration.py includes an exec call for `import {cls_name}`...

CVSS 9.8 | AI score 8.7 | EPSS 0.00212
Exploits: 0 | References: 6

OSV
added 2024/08/22 8:15 p.m. | 4 views

CVE-2024-45201

An issue was discovered in llamaindex before 0.10.38. download/integration.py includes an exec call for `import {cls_name}`...

CVSS 8.8 | AI score 8.7
Exploits: 0 | References: 2

OSV
added 2024/08/22 8:15 p.m. | 4 views

PYSEC-2024-192

An issue was discovered in llamaindex before 0.10.38. download/integration.py includes an exec call for `import {cls_name}`...

CVSS 8.8 | AI score 8.7 | EPSS 0.00212
Exploits: 0 | References: 2

NVD
added 2024/08/22 8:15 p.m. | 16 views

CVE-2024-45201

An issue was discovered in llamaindex before 0.10.38. download/integration.py includes an exec call for `import {cls_name}`...

CVSS 8.8 | EPSS 0.00212
Exploits: 0 | References: 2

Vulnrichment
added 2024/08/22 12:00 a.m. | 9 views

CVE-2024-45201

An issue was discovered in llamaindex before 0.10.38. download/integration.py includes an exec call for `import {cls_name}`...

AI score 7.2 | EPSS 0.00212
Exploits: 0 | References: 2

CNNVD
added 2024/08/22 12:00 a.m. | 2 views

LlamaIndex Security Vulnerability

LlamaIndex is a data framework for LLM applications open-sourced by LlamaIndex. A security vulnerability exists in LlamaIndex versions prior to 0.10.38, which stems from a risky exec call to download/integration.py...

CVSS 8.8 | AI score 8.4 | EPSS 0.00212
Exploits: 0 | References: 4

CVE
added 2024/08/22 12:00 a.m. | 45 views

CVE-2024-45201

The CVE describes a code-injection style issue in llama_index prior to 0.10.38. The vulnerability resides in download/integration.py, where an exec call uses a parameter cls_name (import {cls_name}), allowing an attacker-controlled input to run arbitrary code. Impacted software: llama_index (vers...

CVSS 8.8 | AI score 6.7 | EPSS 0.00212
Exploits: 0 | References: 2 | Affected Software: 1

Zero Day Initiative
added 2023/08/09 12:00 a.m. | 8 views

Western Digital MyCloud PR4100 Logger Class Command Injection Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Western Digital MyCloud PR4100 NAS device. Authentication is required to exploit this vulnerability. The specific flaw exists within the Logger class. The issue results from the lack of...

CVSS 8 | AI score 7.3
Exploits: 0

SUSE CVE
added 2023/02/15 4:46 a.m. | 1 view

SUSE CVE-2017-8114

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin...

CVSS 8.8 | AI score 8.9 | EPSS 0.01548
Exploits: 1 | References: 3

Github Security Blog
added 2021/05/07 4:20 p.m. | 61 views

OS Command Injection in pulverizr

pulverizr through 0.7.0 allows execution of arbitrary commands. Within lib/job.js, the variable filename can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this...

CVSS 9.8 | AI score 9 | EPSS 0.00426
Exploits: 1 | References: 4 | Affected Software: 1

Github Security Blog
added 2020/09/11 9:23 p.m. | 18 views

Command Injection in entitlements

Versions of entitlements prior to 1.3.0 are vulnerable to Command Injection. The package does not validate input on the entitlements function and concatenates it to an exec call, allowing attackers to run arbitrary commands in the system. Recommendation: Upgrade to version 1.3.0 or later...

AI score 6.6
Exploits: 0 | References: 3 | Affected Software: 1

OSV
added 2020/09/11 9:16 p.m. | 8 views

GHSA-WGW3-GF4P-62XC Command Injection in wizard-syncronizer

All versions of wizard-syncronizer are vulnerable to Command Injection. The package does not validate input on the cloneAndSync function and concatenates it to an exec call. This can be abused through a malicious widget containing the payload in the gitURL value or through a MITM attack since the...

AI score 7.5
Exploits: 0 | References: 1