61 matches found
Dokploy 命令注入漏洞
Dokploy is an open-source software developed by Dokploy itself. Versions of Dokploy 0.29.2 and earlier contained a command injection vulnerability. This vulnerability stemmed from the use of JavaScript template literal expressions to construct shell commands, which were executed via...
CVE-2026-5029
A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and...
EUVD-2026-22118
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...
CVE-2026-6219 aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...
CVE-2026-6219
CVE-2026-6219 affects aandrew-me ytDownloader up to 3.20.2, specifically the Compressor Feature’s compressor.js where the function child_process.exec can be abused. The underlying issue is command injection via a local attack vector; exploitation is possible where an attacker can run arbitrary co...
ytDownloader 命令注入漏洞
ytDownloader is a multi-platform audio and video download tool developed by Andrew. Versions of ytDownloader 3.20.2 and earlier had a command injection vulnerability, which originated from the function childprocess.exec in the Compressor Feature component’s file src/compressor.js...
PT-2026-32530
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicl...
CVE-2026-26832
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...
thumbler allows OS Command Injection
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to childprocess.exec without proper sanitization or escaping...
CVE-2026-26831
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...
EUVD-2026-15457
pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...
CVE-2026-26830
pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...
CVE-2026-26831
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...
EUVD-2026-13768
A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function childprocess.exec of the file src/gitUtils.ts of the component showmergediff/quickmergesummary/showfilediff. The manipulation results in os command...
CVE-2026-4496 sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection
A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function childprocess.exec of the file src/gitUtils.ts of the component showmergediff/quickmergesummary/showfilediff. The manipulation results in os command...
CVE-2026-4496
Sigmade Git-MCP-Server (up to commit 785aa159f262a02d5791a5d8a8e13c507ac42880) is affected. The vulnerability resides in the function child_process.exec in src/gitUtils.ts (component show_merge_diff/quick_merge_summary/show_file_diff) and allows local OS command injection. The attack requires loc...
PT-2026-26662
A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child process.exec of the file src/gitUtils.ts of the component show merge diff/quick merge summary/show file diff. The manipulation results in os...
CVE-2026-3484
A vulnerability was detected in PhialsBasement nmap-mcp-server up to bee6d23547d57ae02460022f7c78ac0893092e38. Affected by this issue is the function childprocess.exec of the file src/index.ts of the component Nmap CLI Command Handler. The manipulation results in command injection. The attack may...
CVE-2026-3484
A vulnerability was detected in PhialsBasement nmap-mcp-server up to bee6d23547d57ae02460022f7c78ac0893092e38. Affected by this issue is the function childprocess.exec of the file src/index.ts of the component Nmap CLI Command Handler. The manipulation results in command injection. The attack may...
CVE-2026-3484
A vulnerability was detected in PhialsBasement nmap-mcp-server up to bee6d23547d57ae02460022f7c78ac0893092e38. Affected by this issue is the function childprocess.exec of the file src/index.ts of the component Nmap CLI Command Handler. The manipulation results in command injection. The attack may...