CVE-2026-44055

A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code...

CVE-2026-44076 Shell injection via volume path

Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path...

CVE-2026-44076

CVE-2026-44076 affects Netatalk versions 3.1.0 through 4.4.2, with shell injection via volume path. The issue arises from insufficient sanitization of volume paths and is fixed in 4.4.3. Impact is described as local, with potential for arbitrary code execution by a local privileged user through a...

CVE-2026-44076

Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path...

EUVD-2026-31219

Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path...

CVE-2026-44076 Shell injection via volume path

Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path...

CVE-2026-44055

Netatalk 3.1.4–4.4.2 contains a bitwise OR/logic bug that permits shell injection. The issue affects Netatalk’s AFP implementation and can lead to remote command execution (high impact). Fixed in version 4.4.3. Affected: Netatalk 3.1.4–4.4.2; Remediation: upgrade to 4.4.3 or later. Exploitation s...

CVE-2026-44055 Bitwise OR logic bug enables shell injection

A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code...

EUVD-2026-31230

A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code...

PT-2026-42412

Name of the Vulnerable Software and Affected Versions Netatalk versions 3.1.4 through 4.4.2 Description A logic error involving bitwise OR operations allows a remote authenticated attacker to perform shell injection, enabling the execution of arbitrary OS commands. Recommendations Update to versi...

PT-2026-42693

Name of the Vulnerable Software and Affected Versions KnpLabs Snappy versions prior to 1.7.1 Description A shell injection issue exists on POSIX systems where the escapeshellarg function returns a string containing single-quote characters. This causes the is executable check to fail, as it search...

Astra Linux - уязвимость в jruby

In versions of Ruby from 2.4.7, 2.5.x up to 2.5.6, and 2.6.x up to 2.6.4, code injection is possible if the first argument also known as the “command” argument passed to Shell or Shelltest in lib/shell.rb is untrusted data. An attacker can exploit this vulnerability to call arbitrary Ruby methods...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...

CVE-2026-25244

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...

PT-2026-41693

Name of the Vulnerable Software and Affected Versions Arcane versions 1.18.1 and earlier Description An issue exists where the endpoint "GET /environments/id/volumes/volumeName/browse" accepts a path query parameter that is passed to a shell command sh -c "find … | while …" inside a helper...

PT-2026-43460

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description A shell-metacharacter injection exists in the YPTSocket notification branch within the plugin/Live/on publish.php file. The application constructs a command line for the execAsync function usin...

CVE-2026-45369

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix o...

GHSA-HCWQ-X9FW-8CFQ @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

Summary The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host...

PT-2026-41120

HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString function in convertCore.php is missing backtick and tab t from its strip list. User input then reaches shell exec, where the shell interprets these characters and commands...