23 matches found

OSV
added 2026/04/22 10:06 p.m. · 6 views

GHSA-J5W5-568X-RQ53 Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution

Summary: A command injection vulnerability in the `_extractLLM()` function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync without proper sanitization, enabling remote code execution when the...

CVSS 9.8 | AI score 6.8 | EPSS 0.01305
Exploits 0 | References 4
Vulnrichment
added 2026/04/07 3:56 p.m. · 1 view

CVE-2026-35581 Emissary has a Command Injection via PLACE_NAME Configuration in Executrix

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...

CVSS 7.2 | AI score 5.9 | EPSS 0.00563
Exploits 1 | References 1
ATTACKERKB
added 2026/03/31 1:24 a.m. · 5 views

CVE-2026-3300

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...

CVSS 9.8 | AI score 6.3 | EPSS 0.40992
Exploits 1 | References 4
NVD
added 2026/01/12 11:15 p.m. · 15 views

CVE-2026-22213

RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen function, which constructs a device path using unbounded user-controlled input. The utility...

CVSS 9.8 | EPSS 0.00362
Exploits 1 | References 4
EUVD
added 2025/12/09 6:30 p.m. · 4 views

EUVD-2025-201950

SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0...

CVSS 8.6 | AI score 7.4 | EPSS 0.00468
Exploits 1 | References 4
NVD
added 2025/12/09 4:17 p.m. · 5 views

CVE-2025-10655

SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0...

CVSS 8.8 | EPSS 0.00468
Exploits 1 | References 3
CVE
added 2025/12/09 2:49 p.m. · 14 views

CVE-2025-10655

CVE-2025-10655 concerns a SQL injection in the Frappe HelpDesk dashboard: get_dashboard_data, caused by unsafe concatenation of user-controlled parameters into dynamic SQL. Affected product/version: Frappe HelpDesk 1.14.0. Reported impact is limited to what the sources describe; no exploitation d...

CVSS 8.8 | AI score 7.6 | EPSS 0.00468
Exploits 1 | References 3 | Affected Software 1
Vulnrichment
added 2025/12/09 2:49 p.m. · 3 views

CVE-2025-10655 Frappe Helpdesk 1.14.0 — SQL Injection in dashboard get_dashboard_data

SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0...

CVSS 8.6 | AI score 7.6 | EPSS 0.00468
Exploits 1 | References 3
Positive Technologies
added 2025/12/09 12:00 a.m. · 8 views

PT-2025-49978

Name of the Vulnerable Software and Affected Versions: Frappe HelpDesk version 1.14.0. Description: A SQL injection issue exists in Frappe HelpDesk within the get dashboard data function of the dashboard component. This is due to the unsafe combination of user-supplied data directly into SQL queries...

CVSS 8.6 | AI score 7.6 | EPSS 0.00468
Exploits 1 | References 5
EUVD
added 2025/11/26 6:31 p.m. · 4 views

EUVD-2025-199743

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1...

CVSS 7.1 | AI score 7 | EPSS 0.00305
Exploits 1 | References 4
NVD
added 2025/11/26 6:15 p.m. · 4 views

CVE-2025-11461

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1...

CVSS 8.8 | EPSS 0.00305
Exploits 1 | References 3
OSV
added 2025/11/26 6:15 p.m. · 7 views

CVE-2025-11461

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1...

CVSS 8.8 | AI score 7.5
Exploits 0 | References 3
Cvelist
added 2025/11/26 5:45 p.m. · 14 views

CVE-2025-11461 Frappe CRM 1.53.1 — Multiple SQL Injections in Dashboard Controller

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1...

CVSS 7.1 | EPSS 0.00305
Exploits 1 | References 3
Vulnrichment
added 2025/11/26 5:45 p.m. · 3 views

CVE-2025-11461 Frappe CRM 1.53.1 — Multiple SQL Injections in Dashboard Controller

Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1...

CVSS 7.1 | AI score 7.2 | EPSS 0.00305
Exploits 1 | References 3
Vulnrichment
added 2025/10/29 6:55 p.m. · 2 views

CVE-2025-64104 LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB both sync and async, via aiosqlite. Prior to 2.0.11, LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization,...

CVSS 7.3 | AI score 7.7 | EPSS 0.00178
Exploits 0 | References 2
EUVD
added 2025/10/03 8:07 p.m. · 6 views

EUVD-2022-5987

Malicious code in bioql PyPI...

CVSS 9.3 | AI score 8 | EPSS 0.01924
Exploits 1 | References 5
OSV
added 2024/05/07 3:30 p.m. · 18 views

GHSA-XFJJ-F699-RC79 tiagorlampert CHAOS vulnerable to arbitrary code execution

An issue in tiagorlampert CHAOS before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the filename argument into the buildStr string without any sanitization or filtering...

CVSS 9.8 | AI score 8.8 | EPSS 0.80454
Exploits 6 | References 8
Github Security Blog
added 2024/05/07 3:30 p.m. · 43 views

tiagorlampert CHAOS vulnerable to arbitrary code execution

An issue in tiagorlampert CHAOS before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the filename argument into the buildStr string without any sanitization or filtering...

CVSS 9.8 | AI score 7.6 | EPSS 0.01365
Exploits 0 | References 8 | Affected Software 1
NVD
added 2024/05/07 2:15 p.m. · 13 views

CVE-2024-33434

An issue in tiagorlampert CHAOS v5.0.1 before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the filename argument into the buildStr string without any sanitization or filteri...

CVSS 9.8 | AI score 7.5 | EPSS 0.01365
Exploits 0 | References 3
Vulnrichment
added 2024/05/07 12:00 a.m. · 8 views

CVE-2024-33434

An issue in tiagorlampert CHAOS v5.0.1 before 1b451cf62582295b7225caf5a7b506f0bad56f6b and 24c9e109b5be34df7b2bce8368eae669c481ed5e allows a remote attacker to execute arbitrary code via the unsafe concatenation of the filename argument into the buildStr string without any sanitization or filteri...

AI score 7.6 | EPSS 0.01365
Exploits 0 | References 3