
OSV
added 2026/05/05 10:15 p.m., 1 view

GHSA-MGGX-P7JF-JGW4 jdbi3-freemarker Vulnerable to Improper Neutralization of Special Elements Used in FreeMarker Template Engine

Summary: An Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Jdbi allows arbitrary command execution when an application using jdbi3-freemarker permits attacker-influenced text to reach FreemarkerEngine.parse as template source. This affec...

CVSS 7.5, AI score 6.2
Exploits: 0, References: 2
RedhatCVE
added 2026/05/05 8:20 a.m., 6 views

CVE-2026-42364

An OS command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability...

CVSS 9.9, AI score 6, EPSS 0.01606
Exploits: 0, References: 1
CVE
added 2026/05/04 12:41 a.m., 10 views

CVE-2026-42364

CVE-2026-42364 concerns a command-injection in the GeoVision LPC2011/LPC2211 web interface. The vulnerability resides in the DdnsSetting.cgi endpoint of version 1.10, where a specially crafted DDNS configuration can trigger arbitrary command execution. The description notes an attacker can modify...

CVSS 9.9, AI score 6, EPSS 0.01606
Exploits: 0, References: 3, Affected Software: 1
Rockylinux
added 2026/05/01 12:06 p.m., 5 views

vim security update

An update is available for vim. This update affects Rocky Linux 10. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Vim (Vi IMproved) is an updated and improved version of the vi editor. Security...

CVSS 8.2, AI score 6.2, EPSS 0.00417
Exploits: 0
Vulnrichment
added 2026/04/29 6:44 p.m., 2 views

CVE-2026-7466 AgentFlow Arbitrary Python Pipeline Execution via pipeline_path

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to...

CVSS 8.8, AI score 6.4, EPSS 0.00343
Exploits: 0, References: 3
RedHat Linux
added 2026/04/29 8:26 a.m., 5 views

Important: Red Hat Security Advisory: vim security update

An update for vim is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the C...

CVSS 8.2, AI score 6.5, EPSS 0.00417
Exploits: 0, References: 2
Tenable Nessus
added 2026/04/29 12:00 a.m., 2 views

RHEL 8 : vim (RHSA-2026:11509)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:11509 advisory. Vim (Vi IMproved) is an updated and improved version of the vi editor. Security Fixes: vim: arbitrary command execution via modeline sandbox bypass...

CVSS 8.2, AI score 6.3, EPSS 0.00417
Exploits: 0, References: 4
CNNVD
added 2026/04/24 12:00 a.m., 6 views

mathjs security vulnerability

MathJS is an extension library for JavaScript and Node.js developed by the individual developer Jos de Jong. It includes a flexible expression parser, offering integrated solutions for handling numbers, large numbers, complex numbers, units, matrices, etc. Versions of MathJS from 13.1.1 to 15.2.0...

CVSS 8.8, AI score 5.9, EPSS 0.00441
Exploits: 0, References: 1
CNVD
added 2026/04/24 12:00 a.m., 4 views

TOTOLINK A3300R stunEnable Parameter Command Injection Vulnerability

The TOTOLINK A3300R is a wireless router from China's Gion Electronics TOTOLINK. A command injection vulnerability exists in the TOTOLINK A3300R stunEnable parameter, which stems from the cstecgi.cgi file failing to properly handle the stunEnable parameter and can be exploited by an attacker to...

CVSS 9.8, AI score 6, EPSS 0.00578
Exploits: 1
Cvelist
added 2026/04/21 12:00 a.m., 236 views

CVE-2026-38834

Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the dopingaction function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request...

EPSS 0.01327
Exploits: 1, References: 1
CERT
added 2026/04/21 12:00 a.m., 5 views

Terrarium contains a vulnerability that allows arbitrary code execution

Overview: Terrarium is a sandbox-based code execution platform that enables users to run and execute code in a controlled environment, providing a secure way to test and validate code. However, a vulnerability has been discovered in Terrarium that allows arbitrary code execution with root privileg...

CVSS 9.3, AI score 6.8, EPSS 0.00209
Exploits: 0, References: 4
CVE
added 2026/04/17 7:46 p.m., 12 views

CVE-2026-35682

The CVE-2026-35682 vulnerability affects Anviz CX2 Lite. An authenticated attacker can inject commands via a filename parameter, enabling arbitrary command execution and root-level access (example: starting telnetd). The available connected sources confirm the affected product and the root-level ...

CVSS 8.8, AI score 6, EPSS 0.01787
Exploits: 0, References: 3, Affected Software: 1
Positive Technologies
added 2026/04/17 12:00 a.m., 2 views

PT-2026-33409

An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product...

CVSS 6.3, AI score 6.9, EPSS 0.00179
Exploits: 0, References: 3
Snyk
added 2026/04/16 10:51 p.m., 3 views

SQL Injection

Overview: @saltcorn/data provides the data models for Saltcorn, an open-source no-code platform. Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database...

CVSS 9.9, AI score 6.1, EPSS 0.00264
Exploits: 0, References: 2
Positive Technologies
added 2026/04/15 12:00 a.m., 1 view

PT-2026-33071

Vulnerable software and affected versions: LangChain-ChatChat version 0.3.1. Description: An issue exists in the MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface to configure an MCP STDIO server using...

CVSS 8.6, AI score 6.2, EPSS 0.00472
Exploits: 0, References: 5
Snyk
added 2026/04/09 6:31 p.m., 2 views

Arbitrary Code Injection

Overview: metagpt is "The Multi-Agent Framework". Affected versions of this package are vulnerable to Arbitrary Code Injection via the xmlfill function of the XML Handler. An attacker can execute arbitrary code by injecting malicious input that is improperly neutralized in dynamically evaluated cod...

CVSS 9.8, AI score 7.9, EPSS 0.00387
Exploits: 1, References: 2
Vulnrichment
added 2026/04/08 8:51 a.m., 6 views

CVE-2026-33088

Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement...

CVSS 7.3, AI score 7.3, EPSS 0.00349
Exploits: 0, References: 3
CVE
added 2026/04/08 8:30 a.m., 5 views

CVE-2026-39624

CVE-2026-39624 affects the WordPress Kutethemes Biolife theme (

CVSS 5.3, AI score 5.9, EPSS 0.0019
Exploits: 0, References: 1
CNNVD
added 2026/04/08 12:00 a.m., 6 views

Six Apart Movable Type SQL injection vulnerability

Six Apart Movable Type is an application system developed by the Six Apart company in the United States. It offers features such as multi-user support, comments, Trackbacks, and themes. Six Apart Movable Type has a SQL injection vulnerability; this vulnerability makes it susceptible to SQL...

CVSS 9.8, AI score 7.4, EPSS 0.00349
Exploits: 0, References: 3
Vulnrichment
added 2026/04/06 6:59 p.m., 4 views

CVE-2026-35021

...

AI score 5.8, EPSS 0.00041
Exploits: 0