CVE-2026-27635 Manyfold vulnerable to OS command injection via ZIP filename in f3d render

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter ...

CVE-2026-27635

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter ...

OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()

Summary An OS command injection vulnerability in NetworkPathMonitor.performTraceroute allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Details The vulnerability exists in...

GHSA-JMHP-5558-QXH5 OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()

Summary An OS command injection vulnerability in NetworkPathMonitor.performTraceroute allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Details The vulnerability exists in...

Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries

Google on Wednesday disclosed that it worked with industry partners to disrupt the infrastructure of a suspected China-nexus cyber espionage group tracked as UNC2814 that breached at least 53 organizations across 42 countries. "This prolific, elusive actor has a long history of targeting...

CLSA-2026-1772038463 python: Fix of CVE-2015-20107

CVE-2015-20107: fix shell command injection vulnerability in the mailcap module...

CLSA-2026-1772037700 python: Fix of CVE-2015-20107

CVE-2015-20107: fix shell command injection vulnerability in the mailcap module...

EUVD-2026-8600

OliveTin: OS Command Injection via password argument type and webhook JSON extraction bypasses shell safety checks...

GHSA-49GM-HH7W-WFVF OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks

Summary OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via...

OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks

Summary OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via...

CVE-2026-27626

A flaw was found in OliveTin. This vulnerability allows an authenticated user to inject shell metacharacters through password-typed arguments, leading to arbitrary operating system command execution. Additionally, an unauthenticated attacker can achieve Remote Code Execution RCE by sending...

CVE-2026-27626

OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the CreateNewDAG API endpoint when the DAG name is not properly validated before being passed to the file store. An attacker can write arbitrary YAML files outside the intended directory, potentially overwriting...

CVE-2026-27626 OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks

OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell...

CVE-2026-27626

OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell...

OliveTin 操作系统命令注入漏洞

OliveTin is an open-source web application developed by OliveTin. Versions of OliveTin 300.10.0 and earlier have a vulnerability related to operating system command injection. This vulnerability stems from insufficient shell mode security checks, which may allow unvalidated remote code execution...

PT-2026-21844

Name of the Vulnerable Software and Affected Versions OliveTin versions up to and including 3000.10.0 Description OliveTin, a tool designed to simplify shell command execution, has flaws in its shell command execution mechanism. The checkShellArgumentSafety function does not block the password...

CVE-2026-25603

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Linksys MR9600, Linksys MX4200 allows that contents of a USB drive partition can be mounted in an arbitrary location of the file system. This may result in the execution of shell scripts in the context o...

CVE-2026-25603

The CVE-2026-25603 issue is a path traversal vulnerability in Linksys MR9600 and MX4200. Affected products and versions are MR9600 1.0.4.205530 and MX4200 1.0.13.210200. The underlying flaw is improper limitation of a pathname to a restricted directory, allowing contents of a USB drive partition ...

CVE-2026-25603 Path Traversal vulnerability in Linksys MR9600, Linksys MX4200

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Linksys MR9600, Linksys MX4200 allows that contents of a USB drive partition can be mounted in an arbitrary location of the file system. This may result in the execution of shell scripts in the context o...