36211 matches found

CNNVD
added 2026/04/01 12:0 a.m. · 3 views

Code-Projects BloodBank Managing System Code Injection Vulnerability

The Code-Projects BloodBank Managing System is an open-source blood bank management system developed by Code-Projects. Version 1.0 of the Code-Projects BloodBank Managing System contains a code injection vulnerability. This vulnerability stems from incorrect handling of the parameter statename in...

CVSS 5.3 · AI score 5.7 · EPSS 0.00013
Exploits 0 · References 5
CNNVD
added 2026/04/01 12:0 a.m. · 3 views

HotGo-V2 Code Injection Vulnerability

HotGo-V2 is a secondary development framework developed by Meng Shuai as an individual project. Both the HotGo 1.0 and 2.0 versions contained code injection vulnerabilities. These vulnerabilities stemmed from incorrect operations on files located at...

CVSS 5.1 · AI score 5.7 · EPSS 0.00011
Exploits 0 · References 4
Snyk
added 2026/03/31 11:28 p.m. · 4 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the process that renders the Gallery or Kanban view when a malicious URL is stored in the mAsset field and used as a cover image. An attacker can execute arbitrary operating system commands under the victim's...

CVSS 9.3 · AI score 6.2 · EPSS 0.00023
Exploits 1 · References 3
Snyk
added 2026/03/31 11:2 p.m. · 3 views

Arbitrary Code Injection

Overview lodash.template is the Lodash method .template exported as a Node.js module. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at template compilatio...

CVSS 9.8 · AI score 7.5 · EPSS 0.04314
Exploits 2 · References 2
Snyk
added 2026/03/31 11:2 p.m. · 1 views

Arbitrary Code Injection

Overview org.webjars.npm:lodash.template is the Lodash method .template exported as a Node.js module. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at...

CVSS 9.8 · AI score 7.1 · EPSS 0.04314
Exploits 2 · References 2
Snyk
added 2026/03/31 11:2 p.m. · 2 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been pollute...

CVSS 9.8 · AI score 7.5 · EPSS 0.04314
Exploits 2 · References 2
Snyk
added 2026/03/31 11:2 p.m. · 3 views

Arbitrary Code Injection

Overview lodash-rails is lodash for the Rails asset pipeline. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at template compilation time by injecting...

CVSS 9.8 · AI score 6.2 · EPSS 0.04314
Exploits 2 · References 2
Snyk
added 2026/03/31 11:2 p.m. · 3 views

Arbitrary Code Injection

Overview org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrar...

CVSS 9.8 · AI score 7.1 · EPSS 0.04314
Exploits 2 · References 2
Snyk
added 2026/03/31 11:2 p.m. · 3 views

Arbitrary Code Injection

Overview lodash-amd is Lodash exported as AMD modules. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious...

CVSS 9.8 · AI score 7.5 · EPSS 0.04314
Exploits 2 · References 2
CVE
added 2026/03/31 7:25 p.m. · 65 views

CVE-2026-4800

CVE-2026-4800 is a lodash code-injection issue: when untrusted input is supplied in options.imports to _.template, default-parameter expressions can run at template compilation time. The root cause is that validation existed for the variable option but not for imports key names; lodash’s merge vi...

CVSS 9.8 · AI score 7.1 · EPSS 0.00044
Exploits 0 · References 3 · Affected Software 4
ATTACKERKB
added 2026/03/31 7:25 p.m. · 1 views

CVE-2026-4800

Impact: The fix for CVE-2021-23337 https://github.com/advisories/GHSA-35jh-r3h4-6jhm added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. When an application passes...

CVSS 8.1 · AI score 6.1 · EPSS 0.04314
Exploits 2 · References 4 · Affected Software 4
Vulnrichment
added 2026/03/31 7:25 p.m. · 1 views

CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names

Impact: The fix for CVE-2021-23337 https://github.com/advisories/GHSA-35jh-r3h4-6jhm added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. When an application passes...

CVSS 8.1 · AI score 7.1 · EPSS 0.00044
Exploits 0 · References 3
Cvelist
added 2026/03/31 7:25 p.m. · 23 views

CVE-2026-4800 lodash vulnerable to Code Injection via `_.template` imports key names

Impact: The fix for CVE-2021-23337 https://github.com/advisories/GHSA-35jh-r3h4-6jhm added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. When an application passes...

CVSS 8.1 · EPSS 0.00044
Exploits 0 · References 3
NVD
added 2026/03/31 2:15 a.m. · 4 views

CVE-2026-3300

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...

CVSS 9.8 · EPSS 0.00313
Exploits 1 · References 3
ATTACKERKB
added 2026/03/31 1:24 a.m. · 1 views

CVE-2026-3300

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...

CVSS 9.8 · AI score 6.3 · EPSS 0.00313
Exploits 1 · References 4
Vulnrichment
added 2026/03/31 1:24 a.m. · 1 views

CVE-2026-3300 Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...

CVSS 9.8 · AI score 6.3 · EPSS 0.00313
Exploits 1 · References 3
CNVD
added 2026/03/31 12:0 a.m. · 2 views

HCL Aftermarket DPC Input Validation Error Vulnerability

HCL Aftermarket DPC is a digital spare parts and aftermarket management platform for HCL India. HCL Aftermarket DPC suffers from an input validation error vulnerability that can be exploited by an attacker to inject executable code and perform cross-site scripting, SQL injection, command injectio...

CVSS 9.8 · AI score 5.9 · EPSS 0.00023
Exploits 0
CNNVD
added 2026/03/31 12:0 a.m. · 5 views

SiYuan Code Injection Vulnerability

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan itself. Versions of SiYuan prior to 3.6.2 contained a code injection vulnerability. This vulnerability stemmed from the possibility that custom block attribute values could bypass server-side attribute escaping,...

CVSS 8.6 · AI score 6 · EPSS 0.00078
Exploits 1 · References 4
CNNVD
added 2026/03/31 12:0 a.m. · 3 views

Code-Projects Online Food Ordering System Code Injection Vulnerability

The Code-Projects Online Food Ordering System is an open-source online ordering system developed by Code-Projects. Version 1.0 of the Code-Projects Online Food Ordering System contains a code injection vulnerability. This vulnerability arises from incorrect handling of the custid parameter in the...

CVSS 5.3 · AI score 5.7 · EPSS 0.00014
Exploits 0 · References 5