
7690 matches found

OSV
added 2026/04/14 10:29 p.m., 1 view

GHSA-G6V3-WV4J-X9HG October Rain has Environment Variable Exfiltration via INI Parser Interpolation

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse_ini_string function supports ${...} syntax for environment variable interpolation. Attackers with Editor access could inject ${APP_KEY}, ${DB_PASSWORD}, or similar patterns into CMS page settings fields,...

CVSS 4.9, AI score 5.7, EPSS 0.00014
Exploits: 0, References: 3
Github Security Blog
added 2026/04/14 10:29 p.m., 2 views

October Rain has Environment Variable Exfiltration via INI Parser Interpolation

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse_ini_string function supports ${...} syntax for environment variable interpolation. Attackers with Editor access could inject ${APP_KEY}, ${DB_PASSWORD}, or similar patterns into CMS page settings fields,...

CVSS 4.9, AI score 5.7, EPSS 0.00014
Exploits: 0, References: 3, Affected Software: 1
Snyk
added 2026/04/14 10:29 p.m., 2 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection in the INI settings parser when environment variable interpolation is processed via the parse_ini_string function. An attacker with Editor permissions can retrieve sensitive environment variables by injecting...

CVSS 6.9, AI score 5.7, EPSS 0.00014
Exploits: 0, References: 2
EUVD
added 2026/04/14 10:29 p.m., 1 view

EUVD-2026-22704

October Rain has Environment Variable Exfiltration via INI Parser Interpolation...

CVSS 4.9, AI score 5.8, EPSS 0.00014
Exploits: 0, References: 2
NVD
added 2026/04/14 9:16 p.m., 1 view

CVE-2026-25125

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string function supports ${...} syntax for environment variable interpolation, attackers with...

CVSS 4.9, EPSS 0.00014
Exploits: 0, References: 1
CVE
added 2026/04/14 8:39 p.m., 3 views

CVE-2026-25125

CVE-2026-25125 affects October CMS versions prior to 3.7.14 and 4.1.10. The issue is a server-side information disclosure in the INI settings parser: if cms.safe_mode is enabled, an Editor user can inject patterns like ${APP_KEY} or ${DB_PASSWORD} via parse_ini_string() through page settings, cau...

CVSS 4.9, AI score 5.8, EPSS 0.00014
Exploits: 0, References: 1, Affected Software: 1
Cvelist
added 2026/04/14 8:39 p.m., 15 views

CVE-2026-25125 October CMS: Environment Variable Exfiltration via INI Parser Interpolation

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string function supports ${...} syntax for environment variable interpolation, attackers with...

CVSS 4.9, EPSS 0.00014
Exploits: 0, References: 1
OSV
added 2026/04/14 1:10 p.m., 4 views

JLSEC-2026-110 Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables

Summary: The Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false impression that variables listed in the option are impossible to read. PoC: export...

CVSS 6.9, AI score 5.9, EPSS 0.00351
Exploits: 1, References: 8
GithubExploit
added 2026/04/14 12:11 p.m., 90 views

Exploit for CVE-2026-35585

CVE-2026-35585: File Browser OS Command Injection PoC Desc...

CVSS 7.5, AI score 6.2, EPSS 0.004
Exploits: 2
RedhatCVE
added 2026/04/14 7:22 a.m., 2 views

CVE-2026-33092

Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902...

CVSS 7.8, AI score 5.8, EPSS 0.00008
Exploits: 0, References: 1
Vulnrichment
added 2026/04/14 12:13 a.m., 1 view

CVE-2026-39420 MaxKB: Sandbox escape via LD_PRELOAD bypass

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...

CVSS 6.3, AI score 6.3, EPSS 0.00046
Exploits: 0, References: 3
ATTACKERKB
added 2026/04/14 12:13 a.m., 0 views

CVE-2026-39420

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...

CVSS 6.3, AI score 6.3, EPSS 0.00046
Exploits: 0, References: 4, Affected Software: 1
EUVD
added 2026/04/14 12:13 a.m., 2 views

EUVD-2026-22178

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...

CVSS 6.3, AI score 6.3, EPSS 0.00046
Exploits: 0, References: 3
Positive Technologies
added 2026/04/14 12:00 a.m., 0 views

PT-2026-32574

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. By env command the attacker can clear the environment variables and drop...

CVSS 6.3, AI score 6.3, EPSS 0.00046
Exploits: 0, References: 4
Positive Technologies
added 2026/04/14 12:00 a.m., 1 view

PT-2026-32911

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse_ini_string function supports ${...} syntax for environment variable interpolation. Attackers with Editor access could inject ${APP_KEY}, ${DB_PASSWORD}, or similar patterns into CMS page settings...

CVSS 4.9, AI score 5.7, EPSS 0.00014
Exploits: 0, References: 5
CNNVD
added 2026/04/14 12:00 a.m., 2 views

October Information Disclosure Vulnerability

October is an open-source content management system (CMS) and online platform developed by October. Versions prior to October 3.7.14 and 4.1.10 contained a vulnerability related to information leakage. This vulnerability stemmed from the INI configuration parser's server-side information leakage,...

CVSS 4.9, AI score 5.8, EPSS 0.00014
Exploits: 0, References: 1
RedhatCVE
added 2026/04/13 7:23 p.m., 1 view

CVE-2026-40153

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars on every command argument (line 64), manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This...

CVSS 7.4, AI score 5.8, EPSS 0.00049
Exploits: 1, References: 1
Debian
added 2026/04/11 8:22 a.m., 3 views

[SECURITY] [DLA 4527-1] inetutils security update

Debian LTS Advisory DLA-4527-1 [email protected] https://www.debian.org/lts/security/ Andreas Henriksson April 11, 2026 https://wiki.debian.org/LTS Package: inetutils Version: 2:2.0-1+deb11u4 CVE ID: CVE-2026-28372 CVE-2026-32746 CVE-2026-32772 Debian Bug: 1130741 1130742 Several...

CVSS 9.8, AI score 7.5, EPSS 0.91526
Exploits: 71
NVD
added 2026/04/11 1:16 a.m., 0 views

CVE-2026-5053

NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to...

CVSS 7.1, EPSS 0.00019
Exploits: 0, References: 1
Vulnrichment
added 2026/04/11 12:14 a.m., 0 views

CVE-2026-5053 NoMachine External Control of File Path Arbitrary File Deletion Vulnerability

NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to...

CVSS 7.1, AI score 6, EPSS 0.00019
Exploits: 0, References: 1