6 matches found
CVE-2026-23879
CVE-2026-23879 relates to py7zr, a Python library for 7z archives. Versions ≤1.1.2 contain an arbitrary file write vulnerability in extractall, where crafted symbolic link chains can bypass destination-directory checks and re-create links to arbitrary system paths. This allows writing files via s...
CVE-2026-45370
python-utcp is the python implementation of UTCP. Prior to 1.1.3, prepareenvironment in clicommunicationprotocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single tool call. This...
CVE-2026-45369 python-utcp: Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix o...
CVE-2026-27189
OpenSift: A race-prone local persistence issue in versions ≤ 1.1.2-alpha due to non-atomic and insufficiently synchronized JSON persistence flows. This can cause concurrent operations to lose updates or corrupt local state across sessions (study/quiz/flashcard/wellness/auth stores). The vulnerabi...
WordPress aThemes Addons for Elementor Lite plugin <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Countdown Widget vulnerability discovered by zer0gh0st in WordPress Plugin aThemes Addons for Elementor versions = 1.1.2...
GHSA-XG77-XQHQ-CRPR Stored XSS vulnerability in Code Coverage API Plugin
Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration. Code Coverage API Plugin 1.1.3 escapes the filename of...