CVE-2026-23920 Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection
Host and event action script input is validated with a regex set by the administrator, but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands...
CVE-2025-70146
CVE-2025-70146 affects ProjectWorlds Online Time Table Generator 1.0. Multiple administrative action scripts under /admin/ lack authentication, enabling remote attackers to perform unauthorized admin operations (e.g., add/delete records) via direct HTTP requests without a valid session. The vulne...
CVE-2025-70146
Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations, e.g., adding records, deleting records, via direct HTTP requests to affected endpoints without a...
VulnCheck KEV: CVE-2022-28054
Improper sanitization of trigger action scripts in VanDyke Software VShell for Windows v4.6.2 allows attackers to execute arbitrary code via a crafted value...
EUVD-2022-32540
Malicious code in bioql PyPI...
CVE-2022-28054
Improper sanitization of trigger action scripts in VanDyke Software VShell for Windows v4.6.2 allows attackers to execute arbitrary code via a crafted value...
SUSE CVE-2014-3686
wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain configurations and using wpa_cli or hostapd_cli with action scripts, allows remote attackers to execute arbitrary commands via a crafted frame...
CVE-2022-28054
CVE-2022-28054 concerns VanDyke Software VShell for Windows, version 4.6.2, with an underlying flaw in the handling of trigger action scripts. Multiple connected sources confirm the root cause as improper sanitization/cleanup of trigger action scripts, enabling an attacker to execute arbitrary co...
VanDyke Software VShell for Windows Security Vulnerability
VanDyke Software VShell for Windows is a multi-protocol secure file transfer product from VanDyke Software (USA). A security vulnerability exists in VanDyke Software VShell for Windows version 4.6.2, which originates from improper cleanup of trigger action scripts. An attacker could exploit the...
PT-2022-18781 · Vandyke · Vshell For Windows
Name of the Vulnerable Software and Affected Versions: VanDyke Software VShell for Windows version 4.6.2 Description: The issue is related to improper sanitization of trigger action scripts, allowing attackers to execute arbitrary code via a crafted value. Recommendations: For VanDyke Software...
Microsoft Windows Server Elevation of Privilege Vulnerability (CNVD-2015-04664)
Microsoft Windows Server is a series of server products based on the Windows operating system from Microsoft (USA). A security vulnerability exists in the Windows Installer service for Microsoft Windows. A local attacker can exploit the vulnerability to gain privileges via custom acti...
Debian DLA-147-1 : wpasupplicant security update
It was discovered that wpasupplicant could be tricked into executing arbitrary commands when calling action scripts. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as...
[SECURITY] [DLA 147-1] wpasupplicant security update
Package : wpasupplicant Version : 0.6.10-2.1+deb6u1 CVE ID : CVE-2014-3686 It was discovered that wpasupplicant could be tricked into executing arbitrary commands when calling action scripts...
hostapd: wpa_cli and hostapd_cli remote command execution issue
A command injection flaw was found in the way the wpa_cli utility executed action scripts. If wpa_cli was run in daemon mode to execute an action script specified using the -a command line option, and wpa_supplicant was configured to connect to a P2P group, malicious P2P group parameters could cause...
Mandriva Linux Security Advisory : wpa_supplicant (MDVSA-2014:211)
Updated wpa_supplicant packages fix security vulnerability : A vulnerability was found in the mechanism wpa_cli and hostapd_cli use for executing action scripts. An unsanitized string received from a remote device can be passed to a system call resulting in arbitrary command execution under the...
openSUSE Security Update : wpa_supplicant (openSUSE-SU-2014:1313-1)
add 0001-Add-os_exec-helper-to-run-external-programs.patch - add 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch - fixing CVE-2014-3686 bnc900611 trying to abuse the action scripts in wpa_cli (C) Tenable Network Security, Inc. The descriptive text and package checks in...