28672 matches found

OSV
added 2026/02/05 3:20 a.m., 3 views

GO-2026-4415 Alist vulnerable to Path Traversal in multiple file operation handlers in github.com/alist-org/alist

Alist vulnerable to Path Traversal in multiple file operation handlers in github.com/alist-org/alist...

CVSS 8.8, AI score 5.3, EPSS 0.00721
Exploits: 1, References: 5

OSV
added 2026/02/05 3:20 a.m., 3 views

GO-2026-4418 EVE: SSH as Root Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve

EVE: SSH as Root Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve...

CVSS 8.8, AI score 5.3, EPSS 0.0016
Exploits: 0, References: 6

Cvelist
added 2026/02/04 9:48 p.m., 25 views

CVE-2026-25546 Godot MCP is vulnerable to Command Injection via unsanitized projectPath

Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec, which...

CVSS 7.8, EPSS 0.00853
Exploits: 1, References: 4

EUVD
added 2026/02/04 9:48 p.m., 4 views

EUVD-2026-5327

Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec, which...

CVSS 7.8, AI score 6.4, EPSS 0.00853
Exploits: 1, References: 4

CVE
added 2026/02/04 9:48 p.m., 12 views

CVE-2026-25546

Godot MCP vulnerability CVE-2026-25546: In godot-mcp prior to v0.1.1, executeOperation passed user-controlled input (e.g., projectPath) to exec(), spawning a shell and enabling command injection with shell metacharacters. This could allow remote code execution with MCP server privileges across to...

CVSS 7.8, AI score 6.4, EPSS 0.00853
Exploits: 1, References: 4, Affected Software: 1

OSV
added 2026/02/04 9:48 p.m., 5 views

CVE-2026-25546 Godot MCP is vulnerable to Command Injection via unsanitized projectPath

Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec, which...

CVSS 7.8, AI score 6.5, EPSS 0.00853
Exploits: 1, References: 6

OSV
added 2026/02/04 9:15 p.m., 4 views

CVE-2025-27550

IBM Jazz Reporting Service could allow an authenticated user on the host network to obtain sensitive information about other projects that reside on the server...

CVSS 3.5, AI score 5.8, EPSS 0.00207
Exploits: 0, References: 1

Cvelist
added 2026/02/04 9:7 p.m., 27 views

CVE-2025-27550 IBM Jazz Reporting Service Information Disclosure

IBM Jazz Reporting Service could allow an authenticated user on the host network to obtain sensitive information about other projects that reside on the server...

CVSS 3.5, EPSS 0.00207
Exploits: 0, References: 1

NVD
added 2026/02/04 8:16 p.m., 3 views

CVE-2026-25157

OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...

CVSS 7.7, EPSS 0.00935
Exploits: 1, References: 1

EUVD
added 2026/02/04 8:6 p.m., 7 views

EUVD-2026-5350

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and many API routes do not check authentication. This issue has been patched in version 0.1.7...

CVSS 9.8, AI score 5.4, EPSS 0.00724
Exploits: 1, References: 3

OSV
added 2026/02/04 8:2 p.m., 4 views

GHSA-8JX2-RHFH-Q928 godot-mcp has Command Injection via unsanitized projectPath

Impact: A Command Injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec, which spawns a shell. An attacker could inject shell metacharacters like $command or &calc to execute arbitrary comman...

CVSS 7.8, AI score 6.5, EPSS 0.00853
Exploits: 1, References: 6

GitHub Security Blog
added 2026/02/04 8:2 p.m., 4 views

godot-mcp has Command Injection via unsanitized projectPath

Impact: A Command Injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec, which spawns a shell. An attacker could inject shell metacharacters like $command or &calc to execute arbitrary comman...

CVSS 7.8, AI score 6.5, EPSS 0.00853
Exploits: 1, References: 6, Affected Software: 1

EUVD
added 2026/02/04 7:55 p.m., 4 views

EUVD-2026-5362

OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...

CVSS 7.7, AI score 5.9, EPSS 0.00935
Exploits: 1, References: 1

Cvelist
added 2026/02/04 7:55 p.m., 28 views

CVE-2026-25157 OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand

OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...

CVSS 7.7, EPSS 0.00935
Exploits: 1, References: 1

Vulnrichment
added 2026/02/04 7:55 p.m., 2 views

CVE-2026-25157 OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand

OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...

CVSS 7.7, AI score 5.9, EPSS 0.00935
Exploits: 1, References: 1

OSV
added 2026/02/04 7:55 p.m., 4 views

CVE-2026-25157 OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand

OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...

CVSS 7.7, AI score 5.9, EPSS 0.00935
Exploits: 1, References: 3

CVE
added 2026/02/04 7:55 p.m., 41 views

CVE-2026-25157

OpenClaw/OpenClaw-related CVEs (CVE-2026-25157) describe OS command injection in sshNodeCommand and related SSH parsing logic, affecting macOS OpenClaw components prior to version 2026.1.29. The root causes are: (1) sshNodeCommand builds a shell script and escapes user input for a project path on...

CVSS 7.7, AI score 5.9, EPSS 0.00935
Exploits: 1, References: 1, Affected Software: 1

OSV
added 2026/02/04 5:16 p.m., 2 views

CVE-2026-0662

A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized...

CVSS 7.8, AI score 6, EPSS 0.00182
Exploits: 0, References: 2

NVD
added 2026/02/04 5:16 p.m., 4 views

CVE-2026-0662

A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized...

CVSS 7.8, EPSS 0.00182
Exploits: 0, References: 2

Cvelist
added 2026/02/04 4:28 p.m., 25 views

CVE-2026-0662 Untrusted Search Path Vulnerability when opening max Files

A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized...

CVSS 7.8, EPSS 0.00182
Exploits: 0, References: 2