Lucene search
+L

715 matches found

EUVD
EUVD
added 2026/04/13 9:30 p.m.4 views

EUVD-2026-22118

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...

5.3CVSS5.4AI score0.00683EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/04/13 8:45 p.m.5 views

CVE-2026-6219 aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...

5.3CVSS5.4AI score0.00683EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/04/13 8:45 p.m.24 views

CVE-2026-6219 aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...

5.3CVSS0.00683EPSS
Exploits0References6
CVE
CVE
added 2026/04/13 8:45 p.m.11 views

CVE-2026-6219

CVE-2026-6219 affects aandrew-me ytDownloader up to 3.20.2, specifically the Compressor Feature’s compressor.js where the function child_process.exec can be abused. The underlying issue is command injection via a local attack vector; exploitation is possible where an attacker can run arbitrary co...

5.3CVSS5.7AI score0.00683EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.12 views

PT-2026-32530

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicl...

5.3CVSS5.4AI score0.00683EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/04/13 12:0 a.m.7 views

ytDownloader 命令注入漏洞

ytDownloader is a multi-platform audio and video download tool developed by Andrew. Versions of ytDownloader 3.20.2 and earlier had a command injection vulnerability, which originated from the function childprocess.exec in the Compressor Feature component’s file src/compressor.js...

5.3CVSS6.1AI score0.00683EPSS
Exploits0References7
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/06 4:7 p.m.8 views

Malicious code in request-js-validator (npm)

Copy of 'request' library with injected payload. Spawns detached child process that fetches stage-2 and executes via new Function.constructor'require', payload. Same pattern as express-session-js. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/03/30 5:16 p.m.5 views

GHSA-PX3P-VGH9-M57C NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node

Summary NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist controlled by WORKFLOWSCRIPTMODULES env var. However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via...

9.9CVSS6AI score0.36503EPSS
Exploits7References5
CVE
CVE
added 2026/03/30 5:0 p.m.11 views

CVE-2026-5125

The vulnerability CVE-2026-5125 affects raine consult-llm-mcp up to 2.5.3, specifically the function child_process.execSync in src/server.ts. Manipulating git_diff.base_ref/git_diff.files can lead to OS command injection with local access. A public exploit exists and upgrading to 2.5.4 (patch 4ab...

5.3CVSS5.8AI score0.0083EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/03/30 12:0 a.m.5 views

PT-2026-29158

Name of the Vulnerable Software and Affected Versions NocoBase versions prior to 2.0.28 Description NocoBase is an AI-powered no-code/low-code platform. Versions of NocoBase prior to 2.0.28 have a security flaw that allows an authenticated attacker to achieve Remote Code Execution RCE as root. Th...

9.9CVSS6.1AI score0.36503EPSS
Exploits7References22
RedhatCVE
RedhatCVE
added 2026/03/26 2:57 p.m.14 views

CVE-2026-26832

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

9.8CVSS5.9AI score0.01706EPSS
Exploits3References1
Github Security Blog
Github Security Blog
added 2026/03/25 6:31 p.m.11 views

thumbler allows OS Command Injection

thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to childprocess.exec without proper sanitization or escaping...

9.8CVSS5.9AI score0.02308EPSS
Exploits4References6Affected Software1
OSV
OSV
added 2026/03/25 6:31 p.m.4 views

GHSA-9PCJ-M5RR-P28G textract is vulnerable to OS Command Injection

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

9.8CVSS5.9AI score0.02421EPSS
Exploits4References7
NVD
NVD
added 2026/03/25 4:16 p.m.16 views

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

9.8CVSS0.02421EPSS
Exploits4References6
EUVD
EUVD
added 2026/03/25 3:31 p.m.4 views

EUVD-2026-15457

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...

9.8CVSS5.8AI score0.02493EPSS
Exploits4References4
OSV
OSV
added 2026/03/25 3:31 p.m.8 views

GHSA-Q5MH-72XG-628W pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via...

9.8CVSS5.9AI score0.02493EPSS
Exploits4References3
Cvelist
Cvelist
added 2026/03/25 12:0 a.m.28 views

CVE-2026-26831

textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...

0.02421EPSS
Exploits4References6
Cvelist
Cvelist
added 2026/03/25 12:0 a.m.31 views

CVE-2026-26832

node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...

9.8CVSS0.01706EPSS
Exploits3References4
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.4 views

PT-2026-27802

Name of the Vulnerable Software and Affected Versions thumbler versions prior to 1.1.3 Description The software contains a flaw that allows for the injection of operating system commands. This occurs through the input, output, time, or size parameters within the thumbnail function. The issue aris...

9.8CVSS6.1AI score0.02308EPSS
Exploits4References7
ATTACKERKB
ATTACKERKB
added 2026/03/25 12:0 a.m.2 views

CVE-2026-26830

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...

9.8CVSS5.8AI score0.02493EPSS
Exploits4References4
Rows per page
Query Builder