PT-2026-24223

A vulnerability has been identified in SICAM SIAPP SDK All versions V2.1.7. The affected application builds shell commands with caller-provided strings and executes them. An attacker could influence the executed command, potentially resulting in command injection and full system compromise...

CVE-2026-25041 Budibase has a Command Injection in PostgreSQL Dump Command

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values database name, host, password, etc. without proper sanitization. The password and other...

EUVD-2026-10353

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values database name, host, password, etc. without proper sanitization. The password and other...

CVE-2026-30224

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry default ≈ 1 year...

CVE-2026-30233

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution exec may be...

CVE-2026-30223

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" local RSA public key or "authJwtHmacSecret" HMAC secret, the configured audience value authJwtAud is not enforced during toke...

CVE-2026-30224

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry default ≈ 1 year...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization through a mismatch in wrapper-depth parsing in system.run. An attacker can bypass approval gating by crafting nested transparent dispatch wrappers, allowing...

CVE-2025-52365

A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system. The vulnerability arises from improper input handling where command-line arguments are directly...

PT-2026-22690

Name of the Vulnerable Software and Affected Versions theshit versions prior to 0.2.0 Description theshit is a command-line utility designed to detect and correct common errors in shell commands. A flaw in privilege handling prior to version 0.2.0 allows for local privilege escalation through...

CVE-2026-28417

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL e.g., using the scp:// protocol handler, an attacker can execute arbitrary shell command...

CVE-2026-28417

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL e.g., using the scp:// protocol handler, an attacker can execute arbitrary shell command...

CVE-2026-28417

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL e.g., using the scp:// protocol handler, an attacker can execute arbitrary shell command...

PT-2026-22416

Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0073 Description Vim is a command line text editor. A flaw exists in the netrw standard plugin bundled with Vim. An attacker can potentially execute arbitrary shell commands with the privileges of the Vim process by...

CVE-2025-70329

TOTOLink X5000R v9.1.0cu2415B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 and other vlanVidLanX parameters are retrieved via UciGetStr and passed to the CsteSystem function without adequate validation or...

TOTOLINK X6000R 安全漏洞

The TOTOLINK X6000R is a wireless router produced by TOTOLINK, a Chinese company. The TOTOLINK X6000R v9.4.0cu.1498B20250826 version contains a security vulnerability. This vulnerability stems from improper cleanup of the hosttime parameter in the NTPSyncWithHost handler, which may allow...

CVE-2025-70328

TOTOLINK X6000R v9.4.0cu.1498B20250826 contains an OS command injection vulnerability in the NTPSyncWithHost handler of the /usr/sbin/shttpd executable. The hosttime parameter is retrieved via sub40C404 and passed to a date -s shell command through CsteSystem. While the first two tokens of the...

CVE-2019-25441

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the runcommand endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on...

CVE-2019-25441

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the runcommand endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on...

PT-2026-21316

🚨 CVE-2019-25441 thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute...