14 matches found

OSV · added 2026/04/14 1:10 p.m.

JLSEC-2026-115 Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

Summary: A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path's extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing for...
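As an added illustration of the bug class in this entry (Python, not Deno's own Rust code), the incomplete guard beside a case-insensitive replacement. The function names, the trailing-dot handling and the sample paths are assumptions about the pattern, not the actual patch:

```python
"""Extension denylist for Windows spawn guards: case-sensitive vs. hardened.

Added example; not code from Deno. Mirrors the bug class in JLSEC-2026-115:
a guard that compares against lowercase literals lets "runme.BAT" through.
"""
import os

BLOCKED_EXTENSIONS = {".bat", ".cmd"}


def is_blocked_naive(path: str) -> bool:
    """The incomplete guard: compares the raw extension against lowercase
    literals, so "runme.BAT" and "runme.Cmd" are not caught."""
    return os.path.splitext(path)[1] in BLOCKED_EXTENSIONS


def is_blocked(path: str) -> bool:
    """Hardened guard. Windows resolves extensions case-insensitively and,
    for ordinary Win32 paths, ignores trailing dots and spaces in the final
    component (assumption stated in the lead-in), so normalise both before
    comparing. Backslashes are converted so this also runs on POSIX hosts."""
    final = os.path.basename(path.replace("\\", "/")).rstrip(". ")
    ext = os.path.splitext(final)[1].lower()
    return ext in BLOCKED_EXTENSIONS


# Constructed sample paths, not taken from any advisory.
SAMPLES = [
    "runme.bat",              # caught by both
    "runme.BAT",              # bypasses the naive check
    r"C:\tools\runme.Cmd",    # bypasses the naive check
    "runme.bat.",             # trailing dot: bypasses the naive check
    "script.ps1",             # not a batch file; allowed by both
]


def compare(paths=SAMPLES) -> dict:
    """Return {path: (naive_result, hardened_result)} for the sample paths."""
    return {p: (is_blocked_naive(p), is_blocked(p)) for p in paths}


if __name__ == "__main__":
    for p, (naive, hardened) in compare().items():
        print(f"{p!r:28} naive={naive!s:5} hardened={hardened}")
```

A denylist keyed on the extension is only a narrow control: any .bat or .cmd path that a program legitimately has to spawn still needs its arguments escaped for cmd.exe, which is the separate problem that the PT-2024-26606 entry on this page describes.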

CVSS 8.1 · AI score 6 · EPSS 0.00036
Exploits 1 · References 4

NVD · added 2025/12/16 7:16 p.m.

CVE-2025-68154

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the fsSize function in systeminformation is vulnerable to OS command injection on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without...

CVSS 8.1 · EPSS 0.00054
Exploits 1 · References 2

Cvelist · added 2025/12/16 6:18 p.m.

CVE-2025-68154 Command Injection in fsSize() on Windows

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the fsSize function in systeminformation is vulnerable to OS command injection on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without...

CVSS 8.1 · EPSS 0.00054
Exploits 1 · References 2

Vulnrichment · added 2025/11/13 1:00 p.m.

CVE-2025-12763 Command injection vulnerability allowing arbitrary command execution on Windows

pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True during backup and restore operations, enabling attackers to execute arbitrary system commands by providing specially crafted file path input...

CVSS 6.8 · AI score 7.7 · EPSS 0.00036
Exploits 0 · References 1

Vulnrichment · added 2025/10/28 9:36 p.m.

CVE-2025-62801 FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name

FastMCP is the standard framework for building MCP applications. In versions prior to 2.13.0, a command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on Windows hosts that run fastmcp install cursor. This vulnerability is fix...

CVSS 5.4 · AI score 7 · EPSS 0.00049
Exploits 1 · References 1

Positive Technologies · added 2025/10/08 12:00 a.m.

PT-2025-41212

Name of the Vulnerable Software and Affected Versions: Deno versions prior to 2.5.3 and 2.2.15. Description: Deno, a JavaScript, TypeScript, and WebAssembly runtime, is susceptible to Command Line Injection attacks on Windows operating systems when batch files are executed. The Windows operating...

CVSS 8.1 · AI score 6.9 · EPSS 0.0017
Exploits 1 · References 23

EUVD · added 2025/10/07 12:30 a.m.

EUVD-2021-1990

Malware in sbrugna...

CVSS 10 · AI score 9 · EPSS 0.05066
Exploits 1 · References 8

OpenVAS · added 2024/09/10 12:00 a.m.

Fedora: Security Advisory (FEDORA-2024-6bc17db348)

The remote host is missing an update for the ... SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description...

CVSS 10 · AI score 8.4 · EPSS 0.80539
Exploits 10 · References 4

Positive Technologies · added 2024/05/25 12:00 a.m.

PT-2024-41052 · Unknown · Roundcube Webmail

Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions 1.6.x. Description: The issue concerns several security problems, including cross-site scripting (XSS) vulnerabilities in handling SVG animate attributes and list columns from user preferences, as well as a command...

AI score 7
Exploits 0 · References 4

Positive Technologies · added 2024/04/09 12:00 a.m.

PT-2024-26606

Name of the Vulnerable Software and Affected Versions: process versions prior to 1.6.19.0; GHC versions prior to 9.10.1-alpha3; GHC versions prior to 9.8.3; GHC versions prior to 9.6.5; Node.js versions up to 21.7.2. Description: A command injection vulnerability allows an attacker to perform command...

CVSS 9.8 · AI score 7.9 · EPSS 0.09605
Exploits 4 · References 27

Positive Technologies · added 2023/02/09 12:00 a.m.

PT-2023-14253 · Jitsi · Jitsi

Name of the Vulnerable Software and Affected Versions: Jitsi versions prior to commit 8aa7be58522f4264078d54752aae5483bfd854b2 Description: A command injection issue exists when launching browsers on Windows, allowing an attacker to insert an arbitrary URL, which could lead to remote execution...

CVSS 9.8 · AI score 9.7 · EPSS 0.04421
Exploits 0 · References 4

NVD · added 2021/04/07 3:15 p.m.

CVE-2021-28927

The text-to-speech engine in libretro RetroArch for Windows 1.9.0 passes unsanitized input to PowerShell through platform_win32.c via the accessibility_speak_windows function, which allows attackers who have write access on filesystems that are used by RetroArch to execute code via command injection...
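Four entries on this page (CVE-2025-68154, CVE-2025-12763, CVE-2025-62801 and CVE-2021-28927) share one bug pattern: attacker-influenced text concatenated into a command string that a shell parses. The following added Python example (not code from systeminformation, pgAdmin, FastMCP or RetroArch) puts the pattern beside its fix. It assumes `echo` as a stand-in for pg_dump or powershell.exe and POSIX sh as the shell so that it runs anywhere; `validate_drive` is a hypothetical allow-list for a drive-letter parameter of the kind the systeminformation entry describes.

```python
"""Command injection: string concatenation vs. argv lists.

Added example; not code from any project listed on this page. `echo` stands
in for the real tool; `;` is the POSIX sh command separator (`&` plays the
same role in cmd.exe, which the comments below call out where it matters).
"""
import re
import shlex
import subprocess

# Constructed attacker-controlled "file path" (not from any advisory).
PAYLOAD = "backup.sql; echo INJECTED"


def run_unsafe(path: str) -> str:
    """Vulnerable pattern: user input pasted into a command string that a
    shell interprets (shell=True, child_process.exec, system(), PowerShell
    via a built string). The text after `;` runs as a second command."""
    proc = subprocess.run(f"echo {path}", shell=True,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def run_safe(path: str) -> str:
    """Hardened pattern: argv list, no shell. The whole payload reaches the
    program as one literal argument regardless of its characters."""
    proc = subprocess.run(["echo", path],
                          capture_output=True, text=True, check=True)
    return proc.stdout


_DRIVE_RE = re.compile(r"[A-Za-z]:")


def validate_drive(drive: str) -> str:
    """Hypothetical allow-list for a `drive` parameter: only a single drive
    letter plus colon may ever reach a command line. Reject everything else
    instead of trying to escape it."""
    if not _DRIVE_RE.fullmatch(drive):
        raise ValueError(f"invalid drive specifier: {drive!r}")
    return drive.upper()


def safe_shell_string(argv: list[str]) -> str:
    """When a shell string is unavoidable (e.g. a remote ssh command line),
    quote each argument with shlex.quote. This is POSIX sh quoting only; it
    does not make cmd.exe or .bat invocations safe on Windows."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print("unsafe:", run_unsafe(PAYLOAD).splitlines())  # two lines: 2nd cmd ran
    print("safe:  ", run_safe(PAYLOAD).splitlines())    # one literal line
    print(validate_drive("c:"))
    print(safe_shell_string(["echo", PAYLOAD]))
```

The argv-list form is the fix in every ecosystem here (subprocess without shell=True, execFile instead of exec, an argv array instead of a built PowerShell string); allow-list validation of short structured values such as a drive letter is the cheaper defence where the input has a fixed shape.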

CVSS 7.8 · EPSS 0.00237
Exploits 1 · References 4

CNVD · added 2018/04/19 12:00 a.m.

Open-AudIT CSV Injection Vulnerability

Open-AudIT is a network discovery and auditing program. The program intelligently scans networks and network devices and provides status reports. A security vulnerability exists in the export function in versions prior to Open-AudIT 2.2. An attacker can exploit the vulnerability to inject Windows...
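As an added example (not Open-AudIT's own PHP export code), the standard neutralisation for spreadsheet formula injection in a CSV export, written in Python. The sample rows are constructed, and the payload is the textbook DDE form that opens a command prompt when Excel evaluates the cell:

```python
"""CSV export hardened against formula (DDE) injection.

Added example; not code from Open-AudIT. A cell beginning with =, +, -, @,
tab or carriage return is treated as a formula by Excel/LibreOffice, so the
exporter prefixes such cells with a single quote, which spreadsheets
interpret as "literal text".
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return the cell text with a leading apostrophe if it would otherwise
    be parsed as a formula. Negative numbers are prefixed too; keep numeric
    columns typed (or skip them) if that matters for the consumer."""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows: list[dict]) -> str:
    """Serialise a list of homogeneous dict rows as CSV. QUOTE_ALL plus the
    csv module's own escaping of embedded quotes keeps the row structure
    intact even when a value contains commas, quotes or newlines."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    if rows:
        writer.writerow(rows[0].keys())
        for row in rows:
            writer.writerow(neutralize_cell(v) for v in row.values())
    return buf.getvalue()


# Constructed sample inventory rows; the second hostname is the classic
# DDE payload that launches calc.exe when the cell is evaluated.
SAMPLE_ROWS = [
    {"hostname": "web01", "os": "Windows Server 2019"},
    {"hostname": "=cmd|' /C calc'!A0", "os": "-2+3+cmd|' /C calc'!A0"},
]


if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

The apostrophe defence is the usual server-side fix; it does not help against consumers that strip it, so exports that are meant to be opened in spreadsheets should also be served with a Content-Type and file name that do not invite automatic opening.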

CVSS 6.8 · AI score 6.8 · EPSS 0.02315
Exploits 5 · References 1

myhack58 · added 2016/01/26 12:00 a.m.

Google Finance found vulnerable to Reflected File Download (RFD) - vulnerability warning - the black bar safety net

Portuguese security researcher David Sopas found that Google Finance is affected by a Reflected File Download (RFD) vulnerability. "I discovered this vulnerability while auditing other clients. With RFD, you need to set up a page that forces the download. This Google JSON file of the...

AI score 0.4
Exploits 0