50 matches found
CVE-2026-40938
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation...
CVE-2020-37216
CVE-2020-37216 affects Hirschmann Industrial HiVision, specifically versions 08.1.03 before 08.1.04 and 08.2.00. The issue is an untrusted search path vulnerability that lets local attackers execute arbitrary binaries by placing a malicious binary in the path of a configured external application...
CVE-2020-12847
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console” that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the application’s mailer configuration. It is...
EUVD-2021-15450
Malware in sbrugna...
EUVD-2018-10571
Malware in sbrugna...
EUVD-2021-16132
Malware in sbrugna...
EUVD-2022-50909
Malicious code in bioql PyPI...
EUVD-2024-1115
Malicious code in bioql PyPI...
CVE-2022-48199
SoftPerfect NetWorx 7.1.1 on Windows allows an attacker to execute a malicious binary with potentially higher privileges via a low-privileged user account that abuses the Notifications function. The Notifications function allows for arbitrary binary execution and can be modified by any user. The...
CVE-2021-28956
The unofficial vscode-sass-lint aka Sass Lint extension through 1.0.7 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted workspace. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...
CVE-2021-28953
The unofficial C/C++ Advanced Lint extension before 1.9.0 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted repository...
CVE-2019-11200
Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. Malicious binaries can be...
FreeBSD : age -- age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution (d9b0fea0-d564-11ef-b9bc-d05099c0ae8c)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the d9b0fea0-d564-11ef-b9bc-d05099c0ae8c advisory. Filippo Valsorda reports: A plugin name containing a path separator may allow an attacker to execute an...
CVE-2024-56327 Malicious plugin names, recipients, or identities can cause arbitrary binary execution in pyrage
pyrage is a set of Python bindings for the rage file encryption library (age in Rust). pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. S...
CVE-2024-56327
CVE-2024-56327 concerns pyrage (Python bindings for age). The underlying age crate is affected per GHSA-4fg7-vxc8-qx5w; pyrage versions before 1.2.0 lack plugin support and are stated as not affected. The advisory notes that the issue is addressed in pyrage 1.2.3; update to 1.2.3 or later. No pub...
GHSA-47H8-JMP3-9F28 pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details. Versions of pyrage before 1.2.0 lack plugin...
age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs. ...
GHSA-32GQ-X56H-299C age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs. ...
rage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the rage CLI through an attacker-controlled recipient or identity string, or to the following age APIs when the plugin feature flag is enabled: -...
GHSA-4FG7-VXC8-QX5W rage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the rage CLI through an attacker-controlled recipient or identity string, or to the following age APIs when the plugin feature flag is enabled: -...