EUVD-2026-15463

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to childprocess.exec without proper sanitization or escaping...

EUVD-2026-15429

A vulnerability in the Secure Copy Protocol SCP server feature of Cisco IOS XE Software could allow an authenticated, local attacker with low privileges to cause a denial of service DoS condition on an affected device. This vulnerability is due to improper handling of a malformed SCP request. An...

CVE-2026-33724 n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no

n8n is an open source workflow automation platform. Prior to version 2.5.0, when the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server...

CVE-2026-33724

n8n is an open source workflow automation platform. Prior to version 2.5.0, when the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server...

EUVD-2026-14484

AVideo Vulnerable to OS Command Injection via Unsanitized usersid and liveTransmitionHistoryid in Restreamer Log File Path...

CVE-2026-32524

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through = 6.4.9...

CVE-2026-32482

Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through 1.24...

GHSA-WWV8-CQPR-VX3M Modoboa has OS Command Injection

Summary execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server...

SUSE CVE-2026-23920

Host and event action script input is validated with a regex set by the administrator, but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands...

CVE-2026-26832

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

CVE-2026-32524

CVE-2026-32524 : WordPress Photo Engine (WPLR-Sync) suffers an Unrestricted Upload of File with Dangerous Type vulnerability. The Wordfence report confirms the issue as an Arbitrary File Upload in Photo Engine (Media Organizer & Lightroom) <= 6.4.9, exploitable by authenticated users with Auth...

CVE-2026-32524 WordPress Photo Engine plugin <= 6.4.9 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through = 6.4.9...

CVE-2026-32524 WordPress Photo Engine plugin <= 6.4.9 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through = 6.4.9...

CVE-2026-32524

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through = 6.4.9...

CVE-2026-32482 WordPress Ona theme < 1.24 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through 1.24...

CVE-2026-32482

CVE-2026-32482 affects WordPress Ona theme versions prior to 1.24. The issue is Unrestricted Upload of File with Dangerous Type, allowing an attacker to upload a web shell to the web server via the Ona plugin/theme. Relevant sources report a high-severity CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR...

CVE-2026-32482

Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through 1.24...

CVE-2026-32482 WordPress Ona theme < 1.24 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through 1.24...

CVE-2026-20083

CVE-2026-20083 describes a DoS vulnerability in the SCP server feature of Cisco IOS XE. An authenticated, low-privilege local attacker can trigger a reload via a crafted SCP command issued over SSH due to improper handling of a malformed request. The practical impact is a device DoS from unexpect...

GHSA-Q5MH-72XG-628W pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via...