EulerOS 2.0 SP11 : openssh (EulerOS-SA-2026-1614)

According to the versions of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to...

CVE-2025-69902

A command injection vulnerability in the minimalwrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters...

EulerOS 2.0 SP10 : curl (EulerOS-SA-2026-1305)

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : When an OAuth2 bearer token is used for an HTTPS transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP,...

EulerOS Virtualization 2.12.0 : curl (EulerOS-SA-2026-1478)

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : When doing multi-threaded LDAPS transfers LDAP over TLS with libcurl,changing TLS options in one thread would inadvertently change th...

omrs-rce

OMRS — Online Marriage Registration System 1.0 — RCE & Auto Re...

CVE-2025-14287 Command Injection in mlflow/mlflow

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the mlflow/sagemaker/init.py file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, whic...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the --container parameter. An attacker can execute unauthorized commands by supplying specially crafted input that is not properly sanitized. Note: This is only exploitable if the attacker has shell access to the...

CVE-2025-14287

Summary: CVE-2025-14287 is a command-injection in mlflow/mlflow prior to v3.7.0. The flaw resides in mlflow/sagemaker/init .py (lines 161–167) where user-supplied container image names are directly interpolated into shell commands and executed with os.system(), enabling arbitrary command executio...

Command Injection

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Command Injection via the --container parameter. An attacker can...

Unity Linux 20.1070e Security Update: openssh (UTSA-2026-006162)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006162 advisory. ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. Tenable has extracted the...

CVE-2026-32724 PX4 autopilot has a heap Use-After-Free in MavlinkShell::available() via SERIAL_CONTROL Race Condition

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available function. The issue is caused by a race condition between the MAVLink receiver thread which handles shell creation/destruction and the telemetry sender thre...

EUVD-2026-12179

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available function. The issue is caused by a race condition between the MAVLink receiver thread which handles shell creation/destruction and the telemetry sender thre...

CVE-2026-32724 PX4 autopilot has a heap Use-After-Free in MavlinkShell::available() via SERIAL_CONTROL Race Condition

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available function. The issue is caused by a race condition between the MAVLink receiver thread which handles shell creation/destruction and the telemetry sender thre...

CVE-2026-32724

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available function. The issue is caused by a race condition between the MAVLink receiver thread which handles shell creation/destruction and the telemetry sender thre...

CVE-2026-32724

The CVE-2026-32724 vulnerability affects PX4 Autopilot: a heap-use-after-free in MavlinkShell::available() caused by a race between the MAVLink receiver thread (shell creation/destruction) and the telemetry sender thread (polling output). It is triggerable remotely via MAVLink SERIAL_CONTROL mess...

Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process

Summary A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190 GHSA-hmh4-3xvx-q5hr. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's...

EUVD-2026-11694

Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:childprocess...

GHSA-4C96-W8V2-P28J Deno vulnerable to command Injection via incomplete shell metacharacter blocklist in node:child_process

Summary A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190 GHSA-hmh4-3xvx-q5hr. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno's...

DEBIAN-CVE-2026-23943

Improper Handling of Highly Compressed Data Compression Bomb vulnerability in Erlang OTP ssh sshtransport modules allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication...

FreePBX filestore authenticated command injection

This module exploits an authenticated command injection vulnerability CVE-2025-64328 in the FreePBX filestore module. The filestore module allows administrators to configure remote file storage backends SSH, FTP, etc. for backup and file management purposes. The vulnerability exists in the SSH...