715 matches found
EUVD-2026-22118
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...
CVE-2026-6219 aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...
CVE-2026-6219 aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function childprocess.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly...
CVE-2026-6219
CVE-2026-6219 affects aandrew-me ytDownloader up to 3.20.2, specifically the Compressor Feature’s compressor.js where the function child_process.exec can be abused. The underlying issue is command injection via a local attack vector; exploitation is possible where an attacker can run arbitrary co...
PT-2026-32530
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicl...
ytDownloader 命令注入漏洞
ytDownloader is a multi-platform audio and video download tool developed by Andrew. Versions of ytDownloader 3.20.2 and earlier had a command injection vulnerability, which originated from the function childprocess.exec in the Compressor Feature component’s file src/compressor.js...
Malicious code in request-js-validator (npm)
Copy of 'request' library with injected payload. Spawns detached child process that fetches stage-2 and executes via new Function.constructor'require', payload. Same pattern as express-session-js. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...
GHSA-PX3P-VGH9-M57C NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
Summary NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist controlled by WORKFLOWSCRIPTMODULES env var. However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via...
CVE-2026-5125
The vulnerability CVE-2026-5125 affects raine consult-llm-mcp up to 2.5.3, specifically the function child_process.execSync in src/server.ts. Manipulating git_diff.base_ref/git_diff.files can lead to OS command injection with local access. A public exploit exists and upgrading to 2.5.4 (patch 4ab...
PT-2026-29158
Name of the Vulnerable Software and Affected Versions NocoBase versions prior to 2.0.28 Description NocoBase is an AI-powered no-code/low-code platform. Versions of NocoBase prior to 2.0.28 have a security flaw that allows an authenticated attacker to achieve Remote Code Execution RCE as root. Th...
CVE-2026-26832
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...
thumbler allows OS Command Injection
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail function because user input is concatenated into a shell command string passed to childprocess.exec without proper sanitization or escaping...
GHSA-9PCJ-M5RR-P28G textract is vulnerable to OS Command Injection
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...
CVE-2026-26831
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...
EUVD-2026-15457
pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...
GHSA-Q5MH-72XG-628W pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter
pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via...
CVE-2026-26831
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to childprocess.exec in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequat...
CVE-2026-26832
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to childprocess.exec...
PT-2026-27802
Name of the Vulnerable Software and Affected Versions thumbler versions prior to 1.1.3 Description The software contains a flaw that allows for the injection of operating system commands. This occurs through the input, output, time, or size parameters within the thumbnail function. The issue aris...
CVE-2026-26830
pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...