CVE-2026-3484
A vulnerability was detected in PhialsBasement nmap-mcp-server up to bee6d23547d57ae02460022f7c78ac0893092e38. Affected by this issue is the function child_process.exec of the file src/index.ts of the component Nmap CLI Command Handler. The manipulation results in command injection. The attack may...
CVE-2026-2544
A security flaw has been discovered in yued-fe LuLu UI up to 3.0.0. This issue affects the function child_process.exec of the file run.js. The manipulation results in OS command injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond...
EUVD-2019-3701
Malware in sbrugna...
Arbitrary Command Injection
Overview figma-developer-mcp is a package that gives your coding agent access to your Figma data and implements designs in any framework in one shot. Affected versions of this package are vulnerable to Arbitrary Command Injection via the child_process.exec call using unvalidated user input directly within...
Arbitrary Command Injection
Overview mcp-markdownify-server is a Model Context Protocol (MCP) server that converts various file types and web content to Markdown format. It provides a set of tools to transform PDFs, images, audio files, web pages, and more into easily readable and shareable Markdown text. Affected versions of...
CVE-2022-21165
All versions of package font-converter are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec function...
CVE-2022-21165
The CVE-2022-21165 entry concerns the font-converter package (FontForge wrapper) where all versions are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into child_process.exec(). The core issue is input sanitization failure, enabling injection...
CVE-2016-4991
Input passed to the Pdf function is shell escaped and passed to child_process.exec during PDF rendering. However, the shell escape does not properly encode all special characters, namely, semicolon and curly braces. This can be abused to achieve command execution. This problem affects nodepdf 1.3....
fs-git command injection vulnerability
fs-git is a file-system-like API for git repositories. The fs-git version 1.0.1 module relies on child_process.exec; however, the buildCommand method used to construct exec strings does not properly sanitize data and is vulnerable to command injection across all methods that use it and call exec...
PIDUsage Enables OS Command Injection
Overview Affected versions of pidusage pass unsanitized input to child_process.exec, resulting in arbitrary code execution in the ps method. This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable. Proof of Concept js var pid =...
OS Command Injection
@ronomon/opened is vulnerable to OS command injection. A remote attacker can execute commands on the system because untrusted input is not filtered and is used as part of a string executed as a command by child_process.exec...
Arbitrary Code Execution
picotts is vulnerable to arbitrary code execution. The vulnerability exists due to the lack of sanitization of user-provided input to the say function which is subsequently parsed in the child_process.exec function...
Arbitrary Code Execution
roar-pidusage is vulnerable to arbitrary code execution. The vulnerability exists due to the lack of sanitization of user-provided input which is directly used in the child_process.exec function...
Remote Code Execution (RCE)
ps-visitor is vulnerable to remote code execution. The vulnerability exists due to a usage of the child_process.exec function without sanitization of user input...
OS Command Injection
kill-by-port is vulnerable to OS command injection. An attacker is able to inject and execute arbitrary OS commands due to the passing of untrusted user input to the child_process.exec function...
Arbitrary Code Execution
eslint-fixer is vulnerable to arbitrary code execution. The vulnerability exists through the lack of sanitization on the input to the child_process.exec method...
Node.js third-party modules: [systeminformation] Command Injection via insecure command formatting
I would like to report a Command Injection vulnerability in the systeminformation package. It allows an attacker to inject arbitrary OS commands. Module Module name: systeminformation Version: 4.26.10 npm page: https://www.npmjs.com/package/systeminformation Module Description System and OS...
OS Command Injection
jison is vulnerable to OS Command Injection. The vulnerability exists as it does not properly handle the command argument which is used in child_process.exec...
Node.js third-party modules: [extra-ffmpeg] Command Injection via insecure command formatting
I would like to report a Command Injection issue in the extra-ffmpeg module. It allows execution of arbitrary commands on the victim's PC. Module module name: extra-ffmpeg version: 4.0.3 npm page: https://www.npmjs.com/package/extra-ffmpeg Module Description Decode, encode, transcode, mux, demux,...
Node.js third-party modules: Several simple remote code execution in pdf-image
I would like to report "A simple remote code execution" in "pdf-image". It allows "a remote attacker to execute arbitrary code when several functions of the PDFImage class are called and the class loaded from user-input value". Module module name: pdf-image version: latest npm page:...