Vulnerabilities found in various SAP products

SAP has identified vulnerabilities in the following SAP products: SAP S/4HANA, SAP Commerce Cloud, SAP Forecasting & Replenishment, SAP NetWeaver Application Server for ABAP, SAP Business Server Pages, SAP BusinessObjects Business Intelligence Platform, SAP Strategic Enterprise Management Scoreca...

CVE-2026-7256

UNSUPPORTED WHEN ASSIGNED A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00ABDV.3C0 could allow an adjacent attacker on the LAN to execute operating system OS commands on a vulnerable device by sending a crafted HTTP request...

CVE-2026-34259

Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modif...

CVE-2026-40135

This CVE concerns SAP NetWeaver Application Server for ABAP and ABAP Platform. An OS Command Injection allows an authenticated attacker with administrative privileges to execute arbitrary shell commands on the server, bypassing the logging mechanism and potentially impacting integrity and availab...

CVE-2026-34259 OS Command Injection Vulnerability in SAP Forecasting & Replenishment

Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modif...

SAP Forecasting and Replenishment 命令注入漏洞

SAP Forecasting and Replenishment is a demand forecasting and inventory replenishment management system developed by SAP, a German company, for retail and supply chain scenarios. SAP Forecasting and Replenishment has a command injection vulnerability. This vulnerability stems from OS command...

Claris FileMaker Cloud 安全漏洞

Claris FileMaker Cloud is a cloud platform provided by the American company Claris, designed for enterprise-level low-code database application development and hosting scenarios. Versions of Claris FileMaker Cloud prior to 2.22.0.5 contained security vulnerabilities. These vulnerabilities stemmed...

PT-2026-40370

SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into...

PT-2026-40372

SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into...

PT-2026-40376

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system...

Zyxel WRE6505 操作系统命令注入漏洞

The Zyxel WRE6505 is a wireless signal expansion device produced by the Chinese company Zyxel. The Zyxel WRE6505 v2 V1.00ABDV.3C0 version contains a vulnerability related to operating system command injection. This vulnerability stems from CGI programs that allow command injection, potentially...

PT-2026-39920

Name of the Vulnerable Software and Affected Versions SAP Forecasting & Replenishment affected versions not specified Description An OS Command Execution issue exists where an authenticated attacker with administrative authorizations can abuse a non-remote-enabled function to execute arbitrary...

SQL Injection

Overview pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to SQL Injection via the Maintenance Tool. An attacker can execute arbitrary SQL commands and potentially escalate to operating-system command execution on the database host by supplying crafted input to the...

Command Injection

github.com/gotenberg/gotenberg is vulnerable to Command Injection. The vulnerability is due to lack of validation of JSON metadata keys passed to ExifTool, which allows an attacker to inject arbitrary ExifTool arguments and execute operating system commands...

Command Injection

Click is vulnerable to Command Injection. The vulnerability is due to improper handling of user-controlled input in the click.edit function, allowing attackers to inject and execute arbitrary operating system commands from an unprivileged account...

CVE-2025-67888

Control Web Panel (CWP) before 0.9.8.1209 is affected by an unauthenticated OS command injection flaw. User input passed in the GET parameter “key” to /admin/index.php (when the “api” parameter is set) is not properly sanitized, allowing an attacker to inject and execute arbitrary commands with r...

CVE-2026-33587

Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code and subsequently OS commands on the docker container via Server-Side Template Injection SSTI for user-created transformations...

NPM: vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution

NPM: vm2 NodeVM nesting: true bypasses require: false allowing sandbox escape and arbitrary OS command execution vulnerability discovered by ? in WordPress Npm vm2 versions = 3.11.0...

open-notebook 安全漏洞

Open-Notebook is a privacy-oriented multi-model AI note-taking tool developed by Luis Novo. Version 1.8.3 of Open-Notebook contains a security vulnerability. This vulnerability stems from a lack of input validation, which may allow users to execute Python code and operating system commands on...

PT-2026-38418

Name of the Vulnerable Software and Affected Versions Open Notebook version 1.8.3 Description Insufficient user input sanitization allows an application user to perform Server-Side Template Injection SSTI, a flaw where an attacker can inject malicious templates into a server-side engine. This...