
8700 matches found

Snyk
• added 2026/04/09 9:31 p.m. • 2 views

Arbitrary Command Injection

Overview: metagpt is The Multi-Agent Framework. Affected versions of this package are vulnerable to Arbitrary Command Injection via the getmimetype function. An attacker can execute arbitrary operating system commands by supplying crafted input remotely. Remediation: A fix was pushed into the mast...

CVSS 9.8, AI score 7.8, EPSS 0.02283
Exploits: 1, References: 2
Snyk
• added 2026/04/09 2:22 p.m. • 3 views

Incomplete List of Disallowed Inputs

Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the handling of environment variables in the exec env denylist. An attacker can execute arbitrary commands by injecting malicious values into...

CVSS 8.6, AI score 6, EPSS 0.00188
Exploits: 0, References: 3
Vulnrichment
• added 2026/04/09 10:52 a.m. • 2 views

CVE-2024-1490 Wago: Vulnerability in WBM through Open VPN

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on t...

CVSS 7.2, AI score 6.2, EPSS 0.00729
Exploits: 0, References: 2
Snyk
• added 2026/04/09 3:31 a.m. • 7 views

Arbitrary Command Injection

Overview: taskflow-ai is TaskFlow AI - an intelligent PRD document parsing and task management assistant that supports multi-model AI collaboration and MCP editor integration, a CLI tool designed for development teams. Affected versions of this package are vulnerable to Arbitrary Command Injection via the terminalexecute process in src/mcp/server/handlers.ts. An attacker can execute arbitrary operating system commands by...

CVSS 6.5, AI score 6.8, EPSS 0.0111
Exploits: 0, References: 2
ATTACKERKB
• added 2026/04/09 12:0 a.m. • 0 views

CVE-2026-31170

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi...

AI score 6.1, EPSS 0.00573
Exploits: 1, References: 2
Vulnrichment
• added 2026/04/09 12:0 a.m. • 4 views

CVE-2026-31170

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi...

AI score 6.1, EPSS 0.00573
Exploits: 1, References: 1
CNNVD
• added 2026/04/09 12:0 a.m. • 5 views

WAGO PLC Code Injection Vulnerability

WAGO PLC is a programmable logic controller developed by the German company WAGO. WAGO PLC has a code injection vulnerability, which stems from improper OpenVPN configuration. This vulnerability may lead to the execution of arbitrary commands...

CVSS 7.2, AI score 6.1, EPSS 0.00729
Exploits: 0, References: 2
CNNVD
• added 2026/04/09 12:0 a.m. • 7 views

TOTOLINK A3300R Security Vulnerability

TOTOLINK A3300R is a wireless router produced by TOTOLINK Corporation. The TOTOLINK A3300R v17.0.0cu.557B20221024 version contains a security vulnerability. This vulnerability stems from insufficient validation of stun-pass parameter inputs, which may allow attackers to execute arbitrary commands...

CVSS 9.8, AI score 6.1, EPSS 0.00573
Exploits: 1, References: 2
Cvelist
• added 2026/04/09 12:0 a.m. • 18 views

CVE-2026-31170

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi...

EPSS 0.00573
Exploits: 1, References: 1
CVE
• added 2026/04/09 12:0 a.m. • 10 views

CVE-2026-31170

The CVE-2026-31170 entry covers ToToLink A3300R firmware 17.0.0cu.557_B20221024 with a vulnerability in /cgi-bin/cstecgi.cgi where the stun-pass parameter allows an attacker to execute arbitrary commands. Reported impact is arbitrary command execution with a high/critical risk posture and potenti...

CVSS 9.8, AI score 6.1, EPSS 0.00573
Exploits: 1, References: 1, Affected Software: 1
Vulnrichment
• added 2026/04/08 9:35 p.m. • 3 views

CVE-2026-40032 UAC < 3.3.0-rc1 Command Injection via Placeholder Substitution

UAC Unix-like Artifacts Collector before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the runcommand function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell...

CVSS 8.5, AI score 6, EPSS 0.00726
Exploits: 0, References: 7
Snyk
• added 2026/04/08 9:10 p.m. • 4 views

Arbitrary Command Injection

Overview: @idachev/mcp-javadc is a Model Context Protocol (MCP) server for Java decompilation. Affected versions of this package are vulnerable to Arbitrary Command Injection via the HTTP Interface component when processing the jarFilePath argument. An attacker can execute arbitrary operating system...

CVSS 7.5, AI score 6.1, EPSS 0.01651
Exploits: 0, References: 2
Snyk
• added 2026/04/08 12:4 a.m. • 6 views

Arbitrary Argument Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Argument Injection through the Runner.exec process. An attacker can execute arbitrary OS commands on the server by uploading or renaming a file with a crafted filename containing shell metacharacters, which are unsafely...

CVSS 7.5, AI score 6, EPSS 0.01922
Exploits: 2, References: 3
RedhatCVE
• added 2026/04/07 11:1 p.m. • 4 views

CVE-2026-35021

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $ or backtick expressions in...

CVSS 8.4, AI score 6.2, EPSS 0.00041
Exploits: 0, References: 1
RedHat Linux
• added 2026/04/07 10:55 p.m. • 3 views

vim: Vim: Arbitrary code execution via command injection in glob() function

A flaw was found in Vim. By including a newline character in a pattern passed to Vim's glob function, an attacker may be able to execute arbitrary shell commands. This command injection vulnerability allows for arbitrary code execution, depending on the user's shell settings...

CVSS 7.3, AI score 6.2, EPSS 0.00734
Exploits: 0, References: 7
EUVD
• added 2026/04/06 9:31 p.m. • 3 views

EUVD-2026-19438

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell...

CVSS 8.6, AI score 6.2, EPSS 0.00114
Exploits: 0, References: 3
RedhatCVE
• added 2026/04/06 7:47 p.m. • 4 views

CVE-2026-34982

A flaw was found in Vim. A modeline is used to set specific editor options directly from a text file. However, the complete, guitabtooltip, printheader options and the mapset function lack proper security checks, allowing an attacker to bypass restrictions and cause arbitrary OS command execution...

CVSS 8.2, AI score 6.2, EPSS 0.00417
Exploits: 0, References: 7
Vulnrichment
• added 2026/04/06 6:58 p.m. • 5 views

CVE-2026-35020

...

AI score 5.8, EPSS 0.00114
Exploits: 0
OSSF Malicious Packages
• added 2026/04/06 4:24 p.m. • 5 views

Malicious code in frontend-backoffice (npm)

Malicious package due to arbitrary command execution, data exfiltration to Telegram, and a suspicious preinstall script executing code on installation. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f06949fafe41d4b38a42b1c5573750638b411c02b6edcb1958f3f5aad933d...

AI score 6
Exploits: 0, References: 1
OSV
• added 2026/04/06 4:24 p.m. • 4 views

MAL-2026-2525 Malicious code in frontend-backoffice (npm)

Malicious package due to arbitrary command execution, data exfiltration to Telegram, and a suspicious preinstall script executing code on installation. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f06949fafe41d4b38a42b1c5573750638b411c02b6edcb1958f3f5aad933d...

AI score 6
Exploits: 0, References: 1