Vanna - SQL injection

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents . This can lead to...

CMSimple 3.1 - Local File Inclusion

CMSimple 3.1 is susceptible to local file inclusion via cmsimple/cms.php when registerglobals is enabled which allows remote attackers to include and execute arbitrary local files via a .. dot dot in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including...

vim: zip.vim: Vim zip.vim plugin: Arbitrary file overwrite via path traversal bypass

A flaw was found in Vim's zip.vim plugin. A local user could be tricked into opening a specially crafted zip archive, which would allow a path traversal bypass. This vulnerability enables an attacker to overwrite arbitrary files on the system, potentially leading to data integrity issues or furth...

CVE-2026-44932

A flaw was found in the wicked DHCP client. A remote attacker, by operating a malicious Dynamic Host Configuration Protocol DHCP server, could send specially crafted DHCP replies containing unsanitized strings. This vulnerability allows the attacker to execute arbitrary code on the local machine,...

EUVD-2026-38245

IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined with an authentication bypass that allows an unauthenticated attacker to execute arbitrary code on the host system, resulting in complete compromise...

Fastjson Insecure Deserialization - Remote Code Execution

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...

Landray EKP - Path Traversal

A vulnerability, which was classified as critical, was found in Landray EKP up to 16.0. This affects the function delPreviewFile of the file /sys/ui/sysuicomponent/sysUiComponent.do?method=delPreviewFile. The manipulation of the argument directoryPath leads to path traversal. It is possible to...

BIQS IT Biqs-drive v1.83 Local File Inclusion

A local file inclusion vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user. id: CVE-2021-394...

MKdocs 1.2.2 - Directory Traversal

The MKdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information. Note the vendor has disputed the vulnerability see references because the dev server must be used in an unsafe way namely public to have this...

11in1 CMS 1.2.1 - Local File Inclusion (LFI)

Multiple directory traversal vulnerabilities in 11in1 1.2.1 stable 12-31-2011 allow remote attackers to read arbitrary files via a .. dot dot in the class parameter to 1 index.php or 2 admin/index.php. id: CVE-2012-0996 info: name: 11in1 CMS 1.2.1 - Local File Inclusion LFI author: daffainfo...

Lansweeper Unauthenticated SQL Injection

Lansweeper before 7.1.117.4 allows unauthenticated SQL injection. id: CVE-2019-13462 info: name: Lansweeper Unauthenticated SQL Injection author: divyamudgal severity: critical description: Lansweeper before 7.1.117.4 allows unauthenticated SQL injection. impact: | This vulnerability can lead to...

Malicious code in @mastra/datadog (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 419bbaa0a59a504f999013baee0011006c5cc6326045c0424705d91d3ac10c75 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in mastra (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 177b60c8d45a21867d69c269f21c334505b8c0298b497cbed321d403be4311f7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2026-5416 Command Injection via name parameter

Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise...

CVE-2026-5416

The CVE-2026-5416 entry describes a command injection in a Managed Ethernet Switch caused by improper neutralization of special elements in a name parameter. It results in full system compromise with network-based, low-privilege, no-user-interaction exploitation (per CVSS 4.0/3.1 vectors). Connec...

EUVD-2026-37042

Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise...

WAGO - Remote Command Execution

In multiple products of WAGO, a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behavior, Denial of Service, and full system compromise. id: CVE-2023-1698 info: name: WAGO - Remote Command Execution...

Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution

Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of filegetcontents and fileputcontents. This is exploitable on sites using debug mode with Laravel before 8.4.2. id: CVE-2021-3129 info: name:...

D-Link Routers - Remote Code Execution

D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who...

Malicious code in lucide-next (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ad695524e214e6208603f864daa0b5680a55247a5eb1d5aa0dfc75713490019b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...