58 matches found
CVE-2026-41010
ReleaseJobunpack builds jobdir = File.join(@releasedir, 'jobs', name) and jobtgz = File.join(@releasedir, 'jobs', "name.tgz"), where name returns @jobmeta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolat...
CVE-2026-45578
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/onpublish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling...
EUVD-2026-33310
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/onpublish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling...
EUVD-2026-24547
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as httpproxy. Exploitation o...
CVE-2026-4821
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an authenticated Management Console administrator to execute arbitrary OS commands via shell metacharacter injection in proxy configuration fields such as httpproxy. Exploitation o...
PT-2026-34210
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.21. Description: An improper neutralization of special elements allows an authenticated Management Console administrator to execute arbitrary OS commands. This occurs via shell metacharacter injection...
EUVD-2018-8400
Malware in sbrugna...
EUVD-2019-2435
Malware in sbrugna...
EUVD-2025-22152
Malicious code in bioql PyPI...
EUVD-2025-21894
Malicious code in bioql PyPI...
CVE-2025-53832
CVE-2025-53832 affects the Lara Translate MCP Server package (@translated/lara-mcp). Versions ≤0.0.11 are vulnerable due to unsanitized user input passed to child_process.exec, enabling shell metacharacter injection and potential remote code execution under the MCP server process. Connected advis...
CVE-2025-53832 @translated/lara-mcp vulnerable to command injection in import_tmx tool
Lara Translate MCP Server is a Model Context Protocol (MCP) Server for Lara Translate API. Versions 0.0.11 and below contain a command injection vulnerability which exists in the @translated/lara-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to...
GHSA-XJ5P-8H7G-76M7 @translated/lara-mcp vulnerable to command injection in import_tmx tool
Summary: A command injection vulnerability exists in the @translated/lara-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote...
CVE-2025-53107
@cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands...
CVE-2021-35062
A Shell Metacharacter Injection vulnerability in result.php in DRK Odenwaldkreis Testerfassung March-2021 allows an attacker with a valid token of a COVID-19 test result to execute shell commands with the permissions of the web server...
CVE-2021-26747
Netis WF2780 2.3.40404 and WF2411 1.1.29629 devices allow Shell Metacharacter Injection into the ping command, leading to remote code execution...
CVE-2019-10631
Shell Metacharacter Injection in the package installer on Zyxel NAS 326 version 5.21 and below allows an authenticated attacker to execute arbitrary code via multiple different requests...
CVE-2018-16593
The Photo Sharing Plus component on Sony Bravia TV through 8.587 devices allows Shell Metacharacter Injection...
CVE-2017-1000203
ROOT version 6.9.03 and below is vulnerable to an authenticated shell metacharacter injection in the rootd daemon resulting in remote code execution...