117 matches found
GHSA-X6JC-PHWX-HP32 Incus container environment configuration newline injection
Summary A user with the ability to launch a container with a custom YAML configuration e.g a member of the ‘incus’ group can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to the newline injection. This c...
Command Injection
Overview blackboard-core is an A Python SDK implementing the Blackboard Pattern for LLM-powered multi-agent systems Affected versions of this package are vulnerable to Command Injection due to unsafe host-level execution being reachable without a hard security gate or explicit acknowledgment. An...
PT-2026-4281
Name of the Vulnerable Software and Affected Versions Incus versions 6.20.0 and below Description Incus is a system container and virtual machine manager. A user with the ability to launch a container with a custom YAML configuration can create an environment variable containing newlines. This ca...
CVE-2025-41238
VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI Paravirtualized SCSI controller that leads to an out of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine'...
Incorrect Default Permissions
Vagrant is vulnerable to Incorrect Default Permissions. The vulnerability is due to the Vagrantfile being writable from within the guest VM and executed by the host, allowing a low-privileged attacker to achieve guest-to-host code execution...
HashiCorp Vagrant has code injection vulnerability through default synced folders
An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant versions 2.4.6 and below when using the default synced folder configuration. By design, Vagrant automatically mounts the host system’s project directory into the guest VM under /vagrant or C:\vagrant on Windows. Thi...
happy-dom 代码注入漏洞
happy-dom is a JavaScript implementation of a web browser without a graphical user interface by the individual developer David Ortner. A code injection vulnerability exists in happy-dom versions prior to 15.10.2, which originates from code execution on the host via script tags, leading to code...
RWS WorldServer Security Vulnerability
RWS WorldServer is a flexible, enterprise-class translation management system from RWS UK. A security vulnerability exists in RWS WorldServer prior to version 11.7.3 that stems from the ability to deserialize Java objects without authentication, which could lead to the execution of commands on th...
IBM Observability with Instana Security Vulnerability
IBM Observability with Instana is a powerful application performance monitoring solution from International Business Machines IBM that enables faster performance tracking and incident resolution. A security vulnerability exists in IBM Observability with Instana that originates from a successful D...
PT-2023-21675 · Ubiquiti · Unifi
Name of the Vulnerable Software and Affected Versions: UniFi versions 7.3.83 and earlier Description: A backup file vulnerability found in UniFi applications running on Linux operating systems allows application administrators to execute malicious commands on the host device being restored...
Elastic Kibana 代码注入漏洞
Elastic Kibana is an application from the Dutch company Elastic. A free and open user interface that enables you to visualize Elasticsearch data and lets you navigate through the Elastic Stack. A security vulnerability exists in Elastic Kibana version 8.7.0. An attacker can exploit this...
SUSE CVE-2014-0049
Buffer overflow in the completeemulatedmmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancelworkitem data...
SUSE CVE-2021-4041
A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansiblerunner.interface.runcommand, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual...
CVE-2023-24493
A formula injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could leverage the reporting system to export reports containing formulas, which would then require a victim to approve and execute on a...
CVE-2021-4041
A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansiblerunner.interface.runcommand, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual...
DEBIAN-CVE-2021-4041
A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansiblerunner.interface.runcommand, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual...
CVE-2021-4041
A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansiblerunner.interface.runcommand, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual...
PYSEC-2022-253
A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansiblerunner.interface.runcommand, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual...
PT-2022-11235 · Unknown · Ansible-Runner
Name of the Vulnerable Software and Affected Versions: ansible-runner affected versions not specified Description: A flaw was found in ansible-runner, where an improper escaping of the shell command, while calling the ansible runner.interface.run command, can lead to parameters getting executed a...
[SECURITY] Fedora 36 Update: golang-github-appc-spec-0.8.11-15.fc36
This package contains schema definitions and tools for the App Container app c specification. These include technical details on how an appc image is downloaded over a network, cryptographically verified, and executed on a host. See SPEC.md for details of the specification itself...