402 matches found

OSV
added 2026/03/26 8:33 p.m., 4 views

GO-2026-4823 PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution in github.com/pinchtab/pinchtab

PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution in github.com/pinchtab/pinchtab...

CVSS 7.2, AI score 5.9, EPSS 0.02904
Exploits: 1, References: 2

RedhatCVE
added 2026/03/26 3:15 p.m., 4 views

CVE-2026-4496

A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component showmergediff/quickmergesummary/showfilediff. The manipulation results in os command...

CVSS 5.3, AI score 5.5, EPSS 0.00697
Exploits: 0, References: 1

NVD
added 2026/03/25 3:16 p.m., 2 views

CVE-2026-26830

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via child_process.e...

CVSS 9.8, EPSS 0.02493
Exploits: 4, References: 3

CNNVD
added 2026/03/25 12:00 a.m., 4 views

pdf-image security vulnerability

pdf-image is a Node.js tool developed by Masafumi Oyamada for converting PDFs to PNG images. Versions of pdf-image 2.0.0 and earlier contain security vulnerabilities. These vulnerabilities stem from the fact that the pdfFilePath parameter is not verified, which may lead to OS command injection...

CVSS 9.8, AI score 5.8, EPSS 0.02493
Exploits: 4, References: 3

CNNVD
added 2026/03/25 12:00 a.m., 2 views

textract security vulnerability

Textract is a text extraction tool developed by David Bashford, which supports multiple formats. Textract versions 2.5.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from unvalidated file path parameters, which could lead to OS command injection attacks...

CVSS 9.8, AI score 5.8, EPSS 0.02421
Exploits: 4, References: 6

NVD
added 2026/03/23 10:16 p.m., 4 views

CVE-2026-4611

A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360B20241207/9.4.0cu.1498B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely...

CVSS 8.8, EPSS 0.03034
Exploits: 0, References: 4

Cvelist
added 2026/03/23 3:15 p.m., 26 views

CVE-2026-4591 kalcaddle kodbox fileThumb Endpoint app.php checkBin os command injection

A weakness has been identified in kalcaddle kodbox 1.64. This affects the function checkBin of the file /workspace/source-code/plugins/fileThumb/app.php of the component fileThumb Endpoint. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit...

CVSS 5.8, EPSS 0.02097
Exploits: 0, References: 4

OSV
added 2026/03/23 2:10 p.m., 2 views

CVE-2026-33482 AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails ...

CVSS 8.1, AI score 6.1, EPSS 0.02061
Exploits: 1, References: 4

CNNVD
added 2026/03/23 12:00 a.m., 6 views

Kalcaddle Kodbox OS command injection vulnerability

Kalcaddle Kodbox is a private cloud storage and online collaborative office platform developed by Kalcaddle Corporation. Version 1.64 of Kalcaddle Kodbox contains a vulnerability related to operating system command injection. This vulnerability stems from incorrect operations on the...

CVSS 5.8, AI score 5.8, EPSS 0.02097
Exploits: 0, References: 4

CNNVD
added 2026/03/23 12:00 a.m., 3 views

WWBN AVideo OS command injection vulnerability

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the fact that the restreamer endpoint directly concatenated user inp...

CVSS 8.8, AI score 5.8, EPSS 0.00612
Exploits: 1, References: 2

Positive Technologies
added 2026/03/23 12:00 a.m., 7 views

PT-2026-27220

A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360 B20241207/9.4.0cu.1498 B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely...

CVSS 8.6, AI score 6.8, EPSS 0.03034
Exploits: 0, References: 6

CVE
added 2026/03/22 4:29 p.m., 17 views

CVE-2026-33319

Summary: CVE-2026-33319 affects WWBN AVideo prior to 26.0 via the SocialMediaPublisher/SocialUploader.php. The vulnerability is an OS command injection because the code builds a shell command by concatenating an untrusted upload URL from LinkedIn’s API with a file path and passes it to exec(), wi...

CVSS 7.5, AI score 6, EPSS 0.00323
Exploits: 1, References: 2, Affected Software: 1

CNNVD
added 2026/03/19 12:00 a.m., 5 views

Microsoft Bing OS command injection vulnerability

Microsoft Bing is a web search engine developed by Microsoft Corporation in the United States. Microsoft Bing has a vulnerability related to operating system command injection. This vulnerability stems from issues with command injection in the operating system, which may allow unauthorized...

CVSS 9.8, AI score 6, EPSS 0.00565
Exploits: 0, References: 1

CNNVD
added 2026/03/11 12:00 a.m., 4 views

WireMCP OS command injection vulnerability

WireMCP is a real-time network traffic analysis tool developed by Koda’s individual developers. WireMCP has a vulnerability related to operating system command injection. This vulnerability stems from incorrect operations on the server.tool function in the Tshark CLI Command Handler component,...

CVSS 5.3, AI score 6.1, EPSS 0.00649
Exploits: 0, References: 6

Positive Technologies
added 2026/03/10 12:00 a.m., 2 views

PT-2026-24236

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.11, FortiWeb 7.2.0 through 7.2.12, FortiWeb 7.0.0 through 7.0.12 may allow an authenticated...

CVSS 7.2, AI score 6, EPSS 0.01667
Exploits: 0, References: 3

CVE
added 2026/03/08 12:32 a.m., 9 views

CVE-2026-3696

CVE-2026-3696 affects Totolink N300RH (CGI Handler, /cgi-bin/cstecgi.cgi) where the setWiFiWpsConfig function can be manipulated to trigger OS command injection. Public exploit details indicate remote exploitation with high impact across confidentiality, integrity, and availability. Affected versi...

CVSS 9.8, AI score 6.8, EPSS 0.01922
Exploits: 1, References: 5, Affected Software: 1

EUVD
added 2026/03/03 9:02 p.m., 3 views

EUVD-2026-9322

A flaw has been found in D-Link DIR-868L 110b03. This affects the function sub1BF84 of the component SSDP Service. This manipulation of the argument ST causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This vulnerability...

CVSS 10, AI score 5.7, EPSS 0.04659
Exploits: 1, References: 5

NVD
added 2026/03/02 4:16 p.m., 8 views

CVE-2025-50195

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. This issue has been patched in version 1.11.30...

CVSS 7.2, EPSS 0.02657
Exploits: 1, References: 3

Cvelist
added 2026/03/02 3:16 p.m., 18 views

CVE-2025-50195 Chamilo: OS Command Injection in /plugin/vchamilo/views/manage.controller.php

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. This issue has been patched in version 1.11.30...

CVSS 7.1, EPSS 0.02657
Exploits: 1, References: 3

EUVD
added 2026/03/02 3:16 p.m., 5 views

EUVD-2025-208162

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST tomaindatabase parameter. This issue has been patched in version 1.11.30...

CVSS 7.1, AI score 5.9, EPSS 0.02603
Exploits: 1, References: 3