CVE-2026-30916
CVE-2026-30916 relates to the Shescape JavaScript library. Prior to version 2.1.9, an attacker could bypass shell escaping when the configured shell pointed to a file that is a chain of symlinks, potentially exposing sensitive information depending on the shell used. A fix is available in 2.1.9. ...
PT-2026-24092
Name of the Vulnerable Software and Affected Versions: Shescape versions prior to 2.1.9 Description: Shescape is a JavaScript shell escape library. A flaw exists where an attacker may be able to bypass escaping for the shell being used, potentially leading to exposure of sensitive information. This...
PT-2026-23005
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 7.0 Description: AVideo is video-sharing platform software susceptible to unauthenticated Remote Code Execution (RCE). An attacker can inject shell command substitution into the base64Url GET parameter, potentially...
CVE-2026-26189
Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in aquasecurity/trivy-action versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes...
CVE-2026-26189 Trivy Action has a script injection via sourced env file in composite action
Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in aquasecurity/trivy-action versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes...
PT-2026-20567
Name of the Vulnerable Software and Affected Versions: aquasecurity/trivy-action versions 0.31.0 through 0.33.1 Description: A command injection issue exists in aquasecurity/trivy-action due to insufficient handling of action inputs when exporting environment variables. The action creates export VA...
httpd: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...
A server side include handling flaw has been discovered in the Apache HTTP server. When Server Side Includes (SSI) are enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives, an attacker may be able to inject commands executed by the server...
Peplink Smart Reader trust management issue vulnerability
Peplink Smart Reader is a smart card reader from Peplink Inc. It is used for employee time and attendance. A command injection vulnerability exists in Peplink Smart Reader v1.2.0, which stems from the presence of an elevation-of-privilege vulnerability, where an attacker can cause limited shell...
shescape security vulnerability
Shescape is a simple open-source shell escaping package for JavaScript. Use it to escape user-controlled input to shell commands to prevent shell injection. A security vulnerability exists in versions of shescape prior to 1.7.4 that stems from escaping or referencing the wrong shell,...
PT-2023-27313 · Shescape · Shescape
Name of the Vulnerable Software and Affected Versions: Shescape versions prior to 1.7.4 Description: The issue affects users of Shescape on Windows in a threaded context, allowing attackers to bypass protections by exploiting Shescape's failure to correctly escape for the expected shell. This can...
Shescape security vulnerability
Shescape is a simple open-source shell escaping package for JavaScript. Use it to escape user-controlled input to shell commands to prevent shell injection. A security vulnerability exists in Shescape versions prior to 1.7.1, which stems from allowing an attacker to gain read-only access...
Shescape security vulnerability
Shescape is a simple open-source shell escaping package for JavaScript. Use it to escape user-controlled input to shell commands to prevent shell injection. A security vulnerability exists in Shescape version 1.5.10 through versions prior to 1.6.1, which stems from the vulnerability of t...
CVE-2021-4041
A flaw was found in ansible-runner. An improper escaping of the shell command, while calling ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual...
PT-2022-11235 · Unknown · Ansible-Runner
Name of the Vulnerable Software and Affected Versions: ansible-runner affected versions not specified Description: A flaw was found in ansible-runner, where an improper escaping of the shell command, while calling ansible_runner.interface.run_command, can lead to parameters getting executed a...
shescape injection vulnerability
shescape is a simple open-source shell escaping package for JavaScript. Use it to escape user-controlled input to shell commands to prevent shell injection. An injection vulnerability exists in versions prior to Shescape 1.5.8, which can be exploited by an attacker to omit all arguments...
NodePDF command injection vulnerability
NodePDF is a PDF rendering tool based on Node.js. A security vulnerability exists in NodePDF version 1.3.0, which stems from the fact that during PDF rendering, input passed to the Pdf function is escaped by the shell and passed to child_process.exec. However, shell escaping does not correctly...
Ansible: Improper shell escaping in ansible-runner
A flaw was found in ansible-runner. An improper escaping of the shell command, while calling ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual...