EUVD-2026-21653

NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to...

CVE-2026-5054

NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to...

CVE-2026-5054 NoMachine External Control of File Path Local Privilege Escalation Vulnerability

NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to...

CVE-2026-5053 NoMachine External Control of File Path Arbitrary File Deletion Vulnerability

NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to...

CVE-2026-39983

A flaw was found in basic-ftp, an FTP client for Node.js. A remote attacker can exploit this vulnerability by injecting Carriage Return Line Feed CRLF sequences into file path parameters used by high-level APIs. This allows the attacker to split a single intended FTP command into multiple command...

CVE-2026-33705 Chamilo LMS has unauthenticated access to Twig template source files exposes application logic

Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files .tpl under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel...

EUVD-2026-21349

A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLEID results in sql injection. The attack can be executed remotely. The exploit has be...

CVE-2026-6025

A vulnerability was identified in Totolink A7100RU 7.4cu.2313b20191024. This affects the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack remotely. The...

CVE-2026-5998

A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file agent/memory/service.py of the component API Memory Content Endpoint. This manipulation of the argument filename causes path traversal. The attack can be initiated remotely. Th...

ROS-20260410-73-0009

Vulnerability in libssh related to incorrect external control of file name or path. Exploitation of the vulnerability could allow an attacker to escalate privileges...

Linux Distros Unpatched Vulnerability : CVE-2026-5187

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Two potential heap out-of-bounds write locations existed in DecodeObjectId in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot befor...

EUVD-2026-20930

A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The...

Arbitrary Command Injection

Overview @idachev/mcp-javadc is a Model Context Protocol MCP server for Java decompilation Affected versions of this package are vulnerable to Arbitrary Command Injection via the HTTP Interface component when processing the jarFilePath argument. An attacker can execute arbitrary operating system...

cmd/go: cmd/go: Arbitrary file write via malicious pkg-config directive

A flaw was found in cmd/go. An attacker can exploit this by building a malicious Go source file that uses the 'cgo pkg-config:' directive. This allows the attacker to write to an arbitrary file with partial control over its content, by providing a '--log-file' argument to the pkg-config command...

PT-2026-31446

A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might...

MCP Java Decompiler Server 操作系统命令注入漏洞

MCP Java Decompiler Server is a Java bytecode decompilation server developed by Ivan Dachev. Versions of MCP Java Decompiler Server 1.2.4 and earlier had a vulnerability related to operating system command injection. This vulnerability stemmed from the handling of the parameter jarFilePath in the...

CVE-2026-35021

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $ or backtick expressions in...

PT-2026-30896

Name of the Vulnerable Software and Affected Versions pyLoad versions prior to 0.5.0b3.dev97 Description pyLoad, a download manager written in Python, had an authorization issue in the set config value function. The ADMIN ONLY CORE OPTIONS check used incorrect option names ssl cert and ssl key...

CVE-2026-5690

A flaw has been found in Totolink A7100RU 7.4cu.2313b20191024. The impacted element is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published...

CVE-2026-35021

The CVE-2026-35021 entry is rejected by the CNA and does not represent an active vulnerability.