
16940 matches found

Veracode
added 2026/05/16 5:12 a.m., 5 views

Command Injection

mcp-server-semgrep is vulnerable to Command Injection. The vulnerability is due to improper sanitization of the ID argument in multiple MCP interface functions, which allows an attacker to inject and execute arbitrary OS commands remotely...

CVSS: 7.5, AI score: 7.3, EPSS: 0.01394
Exploits: 0, References: 8, Affected Software: 1

RedhatCVE
added 2026/05/15 7:57 p.m., 5 views

CVE-2025-69443

Remote Code Execution in coleam00 Archon 0.1.0. A crafted HTML page, when accessed by a victim, can execute commands, run prompts on behalf of the user, control the Archon UI features, and steal all Archon information available on the UI including API keys...

CVSS: 6.3, AI score: 6, EPSS: 0.00312
Exploits: 0, References: 1

Debian CVE
added 2026/05/14 7:52 p.m., 6 views

CVE-2026-8518

Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Critical...

CVSS: 8.8, AI score: 6.2, EPSS: 0.0028
Exploits: 0

NVD
added 2026/05/14 7:16 p.m., 35 views

CVE-2026-41315

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modifycrond and /starttask interfaces, it is possible to modify the default built-in scheduled tasks and start...

CVSS: 9.8, EPSS: 0.01032
Exploits: 1, References: 1

OSV
added 2026/05/14 6:32 p.m., 4 views

MAL-2026-3747 Malicious code in @aiscene/aiserver (npm)

Source: amazon-inspector (5afe7de709fb18909451ff49a02f133f248fb0dc0688709251c924038effc6dc). On load, dist/index.js unconditionally instantiates new AIServer and calls server.start at module top level, with no require.main === module guard, so simp...

AI score: 6.5
Exploits: 0, References: 6

CVE
added 2026/05/14 4:45 p.m., 12 views

CVE-2026-42555

Valtimo CVE-2026-42555 (SpEL injection in StandardEvaluationContext) affects com.ritense.valtimo:document (12.0.0–12.31.0), com.ritense.valtimo:case (13.0.0–13.22.0), and com.ritense.valtimo:contract (13.4.0–13.22.0). An authenticated ADMIN user can achieve Remote Code Execution and credential ex...

CVSS: 9.1, AI score: 5.9, EPSS: 0.00576
Exploits: 0, References: 1

NVD
added 2026/05/14 3:16 p.m., 16 views

CVE-2025-69443

Remote Code Execution in coleam00 Archon 0.1.0. A crafted HTML page, when accessed by a victim, can execute commands, run prompts on behalf of the user, control the Archon UI features, and steal all Archon information available on the UI including API keys...

CVSS: 6.3, EPSS: 0.00312
Exploits: 0, References: 3

Patchstack
added 2026/05/14 2:57 p.m., 5 views

NPM: FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape

NPM: FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

AI score: 5.8, EPSS: 0.00649
Exploits: 1, References: 3, Affected Software: 1

CNNVD
added 2026/05/14 12:0 a.m., 5 views

Yordam Library Automation System Code Injection Vulnerability

Yordam Library Automation System is an application developed by Yordam Corporation. Versions of Yordam Library Automation System from v.19.5 to v.22.1 had a code injection vulnerability. This vulnerability stemmed from improper control over code generation, which could allow remote code to be...

CVSS: 8.8, AI score: 6.1, EPSS: 0.00246
Exploits: 0, References: 1

Vulnrichment
added 2026/05/14 12:0 a.m., 6 views

CVE-2025-69443

Remote Code Execution in coleam00 Archon 0.1.0. A crafted HTML page, when accessed by a victim, can execute commands, run prompts on behalf of the user, control the Archon UI features, and steal all Archon information available on the UI including API keys...

AI score: 6, EPSS: 0.00312
Exploits: 0, References: 3

RedhatCVE
added 2026/05/13 8:23 p.m., 8 views

CVE-2026-44865

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system...

CVSS: 7.2, AI score: 6.1, EPSS: 0.00918
Exploits: 0, References: 1

RedhatCVE
added 2026/05/13 8:22 p.m., 5 views

CVE-2026-42898

Improper control of generation of code 'code injection' in Microsoft Dynamics 365 on-premises allows an authorized attacker to execute code over a network...

CVSS: 9.9, AI score: 6.2, EPSS: 0.01194
Exploits: 0, References: 1

RedhatCVE
added 2026/05/13 8:22 p.m., 8 views

CVE-2026-33112

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network...

CVSS: 8.8, AI score: 6, EPSS: 0.02108
Exploits: 0, References: 1

RedhatCVE
added 2026/05/13 8:21 p.m., 8 views

CVE-2026-23827

A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow an unauthenticated remote attacker to achieve remote code execution. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code as a privileged use...

CVSS: 7.5, AI score: 6.7, EPSS: 0.00535
Exploits: 0, References: 1

OSV
added 2026/05/13 7:17 p.m., 4 views

UBUNTU-CVE-2026-8496

A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation file allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS...

CVSS: 6.1, AI score: 6, EPSS: 0.00283
Exploits: 0, References: 6

Vulnrichment
added 2026/05/13 2:15 p.m., 3 views

CVE-2026-6281

A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device...

CVSS: 8.8, AI score: 6.1, EPSS: 0.00445
Exploits: 0, References: 2

CVE
added 2026/05/13 2:12 p.m., 26 views

CVE-2026-34176

CVE-2026-34176 affects BIG-IP in Appliance mode and is described in F5 advisories K000160857/K000160857 (appliance-mode iControl REST vulnerability). An authenticated attacker with administrator privileges and network access can trigger an OS command injection via an undisclosed iControl REST end...

CVSS: 8.7, AI score: 5.5, EPSS: 0.00692
Exploits: 0, References: 1

CVE
added 2026/05/13 2:12 p.m., 24 views

CVE-2026-41957

CVE-2026-41957 affects the BIG-IP and BIG-IQ Configuration utility. The connected advisory confirms an authenticated remote code execution vulnerability via undisclosed vectors in the Configuration utility (control plane access), with CWE-502 deserialization noted in the security advisory details...

CVSS: 8.8, AI score: 6.5, EPSS: 0.00503
Exploits: 0, References: 1

SUSE CVE
added 2026/05/13 3:48 a.m., 8 views

SUSE CVE-2026-4802

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command...

CVSS: 8.8, AI score: 6, EPSS: 0.00799
Exploits: 0, References: 11

Rapid7 Blog
added 2026/05/13 12:22 a.m., 13 views

Patch Tuesday - May 2026

Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the...

CVSS: 9.9, AI score: 6.6, EPSS: 0.43788
Exploits: 35