Malicious code in xorma-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260 On require'xorma-js', a top-level IIFE in dist/index.js synchronously executes npm uninstall clsx-js && npm install clsx-js via childprocess.execSync...

MAL-2026-4734 Malicious code in xorma-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260 On require'xorma-js', a top-level IIFE in dist/index.js synchronously executes npm uninstall clsx-js && npm install clsx-js via childprocess.execSync...

CVE-2026-6219 aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...

CVE-2026-5125

The vulnerability CVE-2026-5125 affects raine consult-llm-mcp up to 2.5.3, specifically the function child_process.execSync in src/server.ts. Manipulating git_diff.base_ref/git_diff.files can lead to OS command injection with local access. A public exploit exists and upgrading to 2.5.4 (patch 4ab...

GHSA-9PCJ-M5RR-P28G textract is vulnerable to OS Command Injection

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

GHSA-Q5MH-72XG-628W pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via...

Git MCP Server 操作系统命令注入漏洞

Git MCP Server is an MCP server developed by Casey Hand individually. Git MCP Server has a vulnerability related to operating system command injection. This vulnerability stems from the use of the childprocess.exec function in the file gitUtils.ts, which contains commands like...

CVE-2026-3484

CVE-2026-3484 affects PhialsBasement nmap-mcp-server (Nmap CLI Command Handler). The vulnerability is in the function child_process.exec in src/index.ts, enabling remote command injection . Affected versions are up to bee6d23547d57ae02460022f7c78ac0893092e38 (rolling release; no specific version ...

CVE-2026-26029 sf-mcp-server has a Command Injection in query_records tool due to unsafe use of child_process.exec

sf-mcp-server is an implementation of Salesforce MCP server for Claude for Desktop. A command injection vulnerability exists in sf-mcp-server due to unsafe use of childprocess.exec when constructing Salesforce CLI commands with user-controlled input. Successful exploitation allows attackers to...

CVE-2025-56803

CVE-2025-56803 affects Figma Desktop for Windows v125.6.5. The vulnerability is a command injection in the local plugin loader: if a plugin manifest.json includes a string in the build field, it is passed to Node.js child_process.exec without validation, enabling arbitrary OS command execution wh...

Exploit for CVE-2025-56803

CVE-2025-56803 Command Injection Vulnerability via Plugin...

Command Injection

node-code-sandbox-mcp is vulnerable to command injection. The vulnerability is due to the unsanitized use of input parameters within a call to childprocess.execSync, which allows an attacker to inject arbitrary system commands and achieve remote code execution, bypassing sandbox protections...

GHSA-5W57-2CCQ-8W95 Node.js Sandbox MCP Server vulnerability can lead to Sandbox Escape via Command Injection

Summary A command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to childprocess.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to...

CVE-2022-21165

All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the childprocess.exec function...

CVE-2022-21165

All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the childprocess.exec function...

GHSA-XFXF-QW26-HR33 Arbitrary command execution in roar-pidusage

This affects all current versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without inpu...

CVE-2021-23381

This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...

CVE-2021-23375

This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...

CVE-2021-23374

This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...

CVE-2021-23359

This affects all versions of package port-killer. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization. Running this PoC will cause the command touch success to be...