171 matches found
CVE-2012-10037 PhpTax pfilez Parameter Exec Remote Code Injection
PhpTax version 0.8 contains a remote code execution vulnerability in drawimage.php. The pfilez GET parameter is unsafely passed to the exec function without sanitization. A remote attacker can inject arbitrary shell commands, leading to code execution under the web server's context. No...
Arbitrary Command Injection
Overview mcp-package-docs is an An MCP server that provides LLMs with efficient access to package documentation across multiple programming languages Affected versions of this package are vulnerable to Arbitrary Command Injection via unsanitized input passed to the exec function. An attacker can...
PT-2025-29513 · Unknown · Github-Kanban-Mcp-Server
Name of the Vulnerable Software and Affected Versions: GitHub Kanban MCP Server versions 0.3.0 through 0.4.0 Description: GitHub Kanban MCP Server is a Model Context Protocol MCP server designed for managing GitHub issues in Kanban board format and streamlining LLM task management. The server’s a...
CVE-2025-34099
Affected software: VICIdial v2.9 RC1–2.13 RC1; component: vicidial_sales_viewer.php. Root cause: when password encryption is enabled (non-default), the HTTP Basic Authentication password is directly passed to exec(), enabling unauthenticated command injection. Impact: arbitrary OS command executi...
CVE-2025-34099 VICIdial vicidial_sales_viewer.php Unauthenticated Command Injection via Basic Auth Password
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidialsalesviewer.php component when password encryption is enabled a non-default configuration. The application improperly passes the HTTP Basic Authentication password directly ...
CVE-2025-34099 VICIdial vicidial_sales_viewer.php Unauthenticated Command Injection via Basic Auth Password
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidialsalesviewer.php component when password encryption is enabled a non-default configuration. The application improperly passes the HTTP Basic Authentication password directly ...
CVE-2024-3740
A vulnerability, which was classified as critical, has been found in cym1102 nginxWebUI up to 3.9.9. This issue affects the function exec of the file /adminPage/conf/reload. The manipulation of the argument nginxExe leads to deserialization. The attack may be initiated remotely. The exploit has...
CVE-2020-23151
rConfig 3.9.5 allows command injection by sending a crafted GET request to lib/ajaxHandlers/ajaxArchiveFiles.php since the path parameter is passed directly to the exec function without being escaped...
CVE-2011-3626
Double free vulnerability in the prepareexec function in src/exec.c in Logsurfer 1.5b and earlier, and Logsurfer+ 1.7 and earlier, allows remote attackers to execute arbitrary commands via crafted strings in a log file...
CVE-2019-10777
In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName"...
CVE-2019-10778
devcert-sanscache before 0.4.7 allows remote attackers to execute arbitrary code or cause a Command Injection via the exec function. The variable commonName controlled by user input is used as part of the exec function without any sanitization...
CVE-2019-10783
All versions including 0.0.4 of lsof npm module are vulnerable to Command Injection. Every exported method used by the package uses the exec function to parse user input...
CVE-2025-22029
CVE-2025-22029 is rejected by its CNA and is not an active vulnerability entry.
GHSA-RRQQ-FV6M-692M vanna vulnerable to remote code execution caused by prompt injection
In the latest version of vanna-ai/vanna, the vanna.ask function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the exec function in...
CVE-2024-5826
In the latest version of vanna-ai/vanna, the vanna.ask function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the exec function in...
CVE-2024-5826
CVE-2024-5826 – vanna-ai/vanna has a remote code execution vulnerability in the vanna.ask function due to prompt injection. The root cause is the absence of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the exec function in src/vanna/base/bas...
CVE-2024-5826 Remote Code Execution via Prompt Injection in vanna-ai/vanna
In the latest version of vanna-ai/vanna, the vanna.ask function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the exec function in...
vanna Code Injection Vulnerability
Vanna is a personalized AI SQL agent from Vanna. vanna suffers from a code injection vulnerability that stems from a lack of sandboxing for executing LLM-generated code, which allows an attacker to manipulate the exec function in src/vanna/base/base.py, which can be exploited by an attacker to...
PT-2024-15889 · Sourcecodester · Sourcecodester Online Tours & Travels Management System
Name of the Vulnerable Software and Affected Versions: SourceCodester Online Tours & Travels Management System version 1.0 Description: A critical issue affects the function exec of the file payment.php. The manipulation of the argument id leads to sql injection. The attack may be initiated...
CVE-2023-45869
ILIAS 7.25 2023-09-12 allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec function in the execQuoted method of the ilUtil class...