10 matches found
CVE-2026-27602
Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...
CVE-2026-27602 Modoboa has an OS Command Injection
Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...
Modoboa 操作系统命令注入漏洞
Modoboa is a mail hosting and management platform developed by the Modoboa team. Versions of Modoboa prior to 2.7.1 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the execcmd function always running child processes with shell=True, and it...
CVE-2026-29086 Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons ;, carriage returns \r, or newline characters \n in the domain and path options when constructing the Set-Cookie header. Because cookie...
CVE-2026-29086 Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons ;, carriage returns \r, or newline characters \n in the domain and path options when constructing the Set-Cookie header. Because cookie...
CVE-2026-29086 Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons ;, carriage returns \r, or newline characters \n in the domain and path options when constructing the Set-Cookie header. Because cookie...
EUVD-2026-9508
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie...
GHSA-5PQ2-9X2X-5P6W Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Summary The setCookie utility did not validate semicolons ;, carriage returns \r, or newline characters \n in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if...
CVE-2025-21457
Information disclosure while opening a fastrpc session when domain is not sanitized...
CVE-2025-21457
Information disclosure while opening a fastrpc session when domain is not sanitized...