GHSA-265W-RF2W-CJH4 Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
Summary Paperclip contains a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The...
PT-2026-6965
Name of the Vulnerable Software and Affected Versions: OpenCode, affected versions not specified. Description: The software contains a remote code execution (RCE) issue. The RCE is triggered through command injection within JSON data sent to the AI agent. This allows for the execution of arbitrary...
EUVD-2021-8708
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2023-6254
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are sent back to the client in the server response...
CVE-2025-9681 O2OA Personal Profile agent cross site scripting
A flaw has been found in O2OA up to 10.0-410. Affected is an unknown function of the file /xprogramcenter/jaxrs/agent of the component Personal Profile Page. Executing manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be use...
CVE-2025-34160 AnyShare ServiceAgent API Unauthenticated RCE
AnyShare contains a critical unauthenticated remote code execution vulnerability in the ServiceAgent API exposed on port 10250. The endpoint /api/ServiceAgent/startservice accepts user-supplied input via POST and fails to sanitize command-like payloads. An attacker can inject shell syntax that is...
Linux Distros Unpatched Vulnerability : CVE-2023-38058
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - An improper privilege check in the OTRS ticket move action in the agent interface allows any attacker authenticated as an agent to perform a move of a ticket...
CVE-2025-24388
A vulnerability in the OTRS Admin Interface and Agent Interface in versions before OTRS 8 allows parameter injection for an authenticated agent or admin user. This issue affects: OTRS 7.0.X, OTRS 8.0.X, OTRS 2023.X, OTRS 2024.X, OTRS 2025.X, OTRS Community Edition: 6.0.x, Products based on the OTRS...
PT-2025-25548 · Otrs +1 · Otrs +1
Name of the Vulnerable Software and Affected Versions: OTRS versions prior to 8 OTRS Community Edition version 6.0.x Description: A vulnerability in the OTRS Admin Interface and Agent Interface allows parameter injection for an authenticated agent or admin user. This issue affects several version...
CVE-2023-6254
A vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are sent back to the client in the server response. This issue affects OTRS: from 8.0.X through 8.0.37...
UBUNTU-CVE-2023-6254
A vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords which are sent back to the client in the server response. This issue affects OTRS: from 8.0.X through 8.0.37...
PT-2023-32579 · Otrs · Otrs
Name of the Vulnerable Software and Affected Versions: OTRS versions 8.0.X through 8.0.37 Description: A vulnerability in OTRS AgentInterface and ExternalInterface allows the reading of plain text passwords, which are sent back to the client in the server response. Recommendations: For OTRS...
SUSE CVE-2023-38058
An improper privilege check in the OTRS ticket move action in the agent interface allows any attacker authenticated as an agent to perform a move of a ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35...
CVE-2023-38058
An improper privilege check in the OTRS ticket move action in the agent interface allows any attacker authenticated as an agent to perform a move of a ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35...
CVE-2023-2719
The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the id parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection exploitable by users with a role as low as Subscriber...
CVE-2022-0473
OTRS administrators can configure a dynamic field and inject malicious JavaScript code into the error message of the regular expression check. When used in the agent interface, the malicious code might be executed in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions...
UBUNTU-CVE-2021-21434
A survey administrator can craft a survey in such a way that malicious code is executed in the agent interface, i.e. in the browser of another agent who wants to make changes to the survey. This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior versions...
CVE-2021-21434
A survey administrator can craft a survey in such a way that malicious code is executed in the agent interface, i.e. in the browser of another agent who wants to make changes to the survey. This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior versions...
Code injection
A survey administrator can craft a survey in such a way that malicious code is executed in the agent interface, i.e. in the browser of another agent who wants to make changes to the survey. This issue affects: OTRS AG Survey 6.0.x version 6.0.20 and prior versions; 7.0.x version 7.0.19 and prior versions...