VulnCheck KEV: CVE-2022-31208

An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The webserver contains an endpoint that can execute arbitrary commands by manipulating the cmdstring URL parameter...

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the poplib module. An attacker can manipulate mailbox state, such as deleting emails or reading metadata and specific email content, by injecting additional POP3 commands through malicious input containin...

NVIDIA CUDA toolkit 操作系统命令注入漏洞

NVIDIA CUDA toolkit is a toolkit from NVIDIA, Inc. It provides a development environment for creating high-performance GPU-accelerated applications. The NVIDIA CUDA toolkit suffers from an operating system command injection vulnerability that stems from the failure of the gfxhotspot module of...

MiracleLinux 8 : ctags-5.8-23.el8 (AXSA:2023-5722:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-5722:01 advisory. ctags: arbitrary command execution via a tag file with a crafted filename CVE-2022-4515 Tenable has extracted the preceding description block directly from t...

CVE-2026-23885

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...

Arbitrary Command Injection

@orval/mcp is vulnerable to Arbitrary Command Injection. The vulnerability is due to improper validation and escaping of the OpenAPI specification summary field during MCP server generation, which allows an attacker to break out of string literals and inject arbitrary code...

TRENDnet TEW-811DRU Operating System Command Injection Vulnerability

The TRENDnet TEW-811DRU is a wireless router from TRENDnet. The TRENDnet TEW-811DRU suffers from an operating system command injection vulnerability that stems from a misuse of the parameter DeviceURL in the file uapply.cgi of the component httpd, which can be exploited by an attacker to cause...

Missing Authentication for Critical Function

Overview @mcpjam/inspector is a MCPJam Inspector Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the connect route in the HTTP API. An attacker can execute arbitrary commands on the host system by sending a crafted HTTP request containing...

SAP NetWeaver Command Injection (January 2026)

The version of SAP NetWeaver Application Server for Java detected on the remote host is affected by an SAP NetWeaver is affected by a server-side request forgery SSRF vulnerabilityas disclosed in the SAP Security Patch Day January 2026: - Due to an OS Command Injection vulnerability in SAP...

MiracleLinux 4 : patch-2.6-8.AXS4 (AXSA:2018-2973:01)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2018-2973:01 advisory. patch: Malicious patch files cause ed to execute arbitrary commands CVE-2018-1000156 Tenable has extracted the preceding description block directly from the...

MiracleLinux 7 : vim-7.4.160-6.el7 (AXSA:2019-3915:02)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2019-3915:02 advisory. vim/neovim: ':source!' command allows arbitrary command execution via modelines CVE-2019-12735 Tenable has extracted the preceding description block directly...

Dive code injection vulnerability

Dive is a desktop application for MCP hosts, open-sourced by OpenAgentPlatform. Versions of Dive prior to 0.13.0 contained a code injection vulnerability. This vulnerability stemmed from specially crafted deep links that allowed the installation of MCP server configurations controlled by attacker...

Blurams Flare Camera 安全漏洞

Blurams Flare Camera is a webcam from Blurams USA. A security vulnerability exists in Blurams Flare Camera 24.1114.151.929 and earlier versions, which stems from an insecure authentication mechanism that could lead to the execution of arbitrary commands...

GHSA-VXW4-WV6M-9HHH OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution

Previously reported via email to [email protected] on 2025-11-17 per the security policy in opencode-sdk-js/SECURITY.md. No response received. Summary OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary...

EUVD-2026-2092

OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution...

Arbitrary Command Injection

Overview renovate is a dependency updater. Affected versions of this package are vulnerable to Arbitrary Command Injection due to the improper sanitazation of user-supplied repository in the Chart.yaml file in the helmv3 manager. An attacker can execute arbitrary commands on the host system by...

Renovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file

Summary The user-provided string depName in the gleam manager is appended to the gleam deps update command without proper sanitization. Details Adversaries can provide a maliciously crafted gleam.toml in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrar...

Arbitrary Command Injection

Overview renovate is a dependency updater. Affected versions of this package are vulnerable to Arbitrary Command Injection due to the improper sanitazation of user-supplied depName in the packagesToUpdate functions of gleam manager. An attacker can execute arbitrary commands on the host system by...

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via improper handling of the summary field during server generation logic. An attacker can execute arbitrary code by injecting malicious input into the OpenAPI specification, which is then incorporated withou...

CVE-2026-0507

Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables...