CVE-2026-24844

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses $vars. or $inputs. substitutions in...

CVE-2026-25143

melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds...

CVE-2025-58381

A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands “source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structure or to traverse to different directories...

USN-8011-1: Emacs vulnerabilities

It was discovered that Emacs could trigger unsafe Lisp macro expansion, when a user invoked elisp-completion-at-point on untrusted Emacs Lisp source code. An attacker could possibly use this issue to execute arbitrary code. CVE-2024-53920 It was discovered that Emacs did not properly sanitize inp...

melange affected by potential host command execution via license-check YAML mode patch pipeline

An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values series paths, patch filenames, and numeric parameters into shell scripts without proper quoting or...

PT-2026-6475

An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values series paths, patch filenames, and numeric parameters into shell scripts without proper quoting or...

PT-2026-6271

Name of the Vulnerable Software and Affected Versions melange versions 0.10.0 through 0.40.2 Description melange enables users to construct APK packages utilizing declarative pipelines. A flaw exists in versions 0.10.0 up to, but not including, 0.40.3 where an attacker capable of manipulating...

CVE-2025-58381

A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands “source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structure or to traverse to different directories...

CVE-2025-58381

A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands “source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structure or to traverse to different directories...

CVE-2025-58381

CVE-2025-58381 affects Brocade Fabric OS prior to 9.2.1c2. An authenticated admin can use shell commands (source, ping6, sleep, disown, wait) to modify path variables and traverse directories (directory transversal). Public docs consistently name Brocade Fabric OS and versions up to 9.2.1c2 as af...

CVE-2025-58381 Directory transversal vulnerability in Brocade Fabric OS before 9.2.1c2 and 9.2.2 through 9.2.2a using various shell commands

A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands “source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structure or to traverse to different directories...

PT-2026-6488

An attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses $vars. or $inputs. substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. Fix: Fixed with e51ca30c,...

PT-2026-5921

Name of the Vulnerable Software and Affected Versions Brocade Fabric OS versions prior to 9.2.1c2 Brocade Fabric OS versions 9.2.2 through 9.2.2a Description A flaw exists within Brocade Fabric OS that may allow an authenticated attacker possessing administrative privileges to manipulate path...

Arbitrary Command Injection

cai-framework is vulnerable to Arbitrary Command Injection. The vulnerability is due to passing user-controlled input directly to shell commands via subprocess.Popen with shell=True, which allows an attacker to inject malicious arguments for example -exec in the findfile tool and execute arbitrar...

PT-2026-5713

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 1.5.0 Signal K Set-System-Time plugin versions prior to 1.5.0 Description A command injection issue exists in the Signal K Server and its Set-System-Time plugin. Authenticated users with write permissions can...

CVE-2026-25130

Cybersecurity AI CAI is a framework for AI Security. In versions up to and including 0.5.10, the CAI Cybersecurity AI framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via subprocess.Popen with...

CVE-2020-37012

Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API...

Kimi Agent SDK command injection vulnerability

Kimi Agent SDK is a multilingual library developed by Moonshot AI that allows for the integration of Kimi Code agents into applications. Versions of Kimi Agent SDK prior to 0.1.6 contained a command injection vulnerability. This vulnerability stemmed from the development script passing file names...

PT-2026-5314

Name of the Vulnerable Software and Affected Versions versions prior to 2.3 Description The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of...

PT-2026-5287

Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API...