CVE-2026-8135 Concrete CMS 9.5.0 and below is vulnerable to RCE due to insecure deserialization occurring in the ExpressEntryList block controller.

Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism fromCIF === true, which normally...

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the Plugins::add process. An attacker can execute arbitrary code, overwrite sensitive files, and gain full control of the server by uploading a specially crafted ZIP archive containing file paths with directory...

CVE-2025-15559

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on t...

CVE-2025-15559

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on t...

CVE-2025-15559 Unauthenticated OS Command Injection in NesterSoft WorkTime

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on t...

MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability

Impact Critical Sandbox Escape & Server Takeover: A critical security vulnerability exists in mcp-run-python due to a lack of isolation between the Python runtime Pyodide and the host JavaScript environment. The runPython and runPythonAsync functions execute Python code using Pyodide without...

GHSA-PFV4-WMPH-5GC6 MCP Run Python has a Sandbox Escape & Server Takeover Vulnerability

Impact Critical Sandbox Escape & Server Takeover: A critical security vulnerability exists in mcp-run-python due to a lack of isolation between the Python runtime Pyodide and the host JavaScript environment. The runPython and runPythonAsync functions execute Python code using Pyodide without...

CVE-2026-25905 Lack of isolation in mcp-run-python leads to MCP server takeover

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing...

CVE-2026-25905 Lack of isolation in mcp-run-python leads to MCP server takeover

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing...

CVE-2019-2658

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware subcomponent: WLS Core Components. Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Orac...

CVE-2019-2646

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware subcomponent: EJB Container. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise...

CVE-2019-2725

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware subcomponent: Web Services. Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle...

EUVD-2025-203917

ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...

CVE-2025-63721

HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server...

EUVD-2025-201789

HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component allowing attackers to achieve RCE and take over the server...

CVE-2025-63721

HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server...

PT-2025-49569

Name of the Vulnerable Software and Affected Versions HummerRisk versions through 1.5.0 Description HummerRisk is affected by an issue stemming from a vulnerable Snakeyaml component, potentially allowing attackers to achieve Remote Code Execution RCE and gain control of the server. Recommendation...

CVE-2025-63721

CVE-2025-63721 affects HummerRisk through v1.5.0, where a vulnerable SnakeYAML component enables remote code execution via the /rule/add API by attackers with normal user privileges. Documented across NVD/Red Hat/ENISA/CVE lists, with PoC reported and guidance to update beyond 1.5.0. No exploit d...

CVE-2025-63721

HummerRisk thru v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server...

Meta React Server Components Remote Code Execution Vulnerability

React Server Components is a new component model in the React Framework that allows components to run and render on the server and not execute in the client browser. Meta React Server Components has a remote code execution vulnerability that stems from a lack of security checks when parsing...