protobuf.js 代码注入漏洞

protobuf.js is an open-source implementation of the Protocol Buffers protocol, written entirely in JavaScript. It supports Node.js and browsers with TypeScript. It’s easy to use, extremely fast, and can be used out of the box through.proto files. Versions prior to 7.5.6 and 8.0.2 of protobuf.js h...

CubeCart 代码注入漏洞

CubeCart is an open-source e-commerce software developed by CubeCart. Prior to version 6.7.3, there was a code injection vulnerability in CubeCart. This vulnerability stemmed from administrators with document editing privileges being able to save raw PHP code in the invoice editor. As a result,...

Palo Alto Networks Prisma Browser 代码注入漏洞

Palo Alto Networks Prisma Browser is an enterprise-level security browser developed by Palo Alto Networks. The Prisma Browser has a code injection vulnerability, which stems from an inability to properly restrict access to the AppleScript interface. This vulnerability may allow unauthorized...

vm2 代码注入漏洞

vm2 is a high-level virtual machine/sandbox for Node.js developed by Czech developer Patrik Simek. It runs untrusted code using built-in Node modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability, which was due to the access to...

PT-2026-40748

Name of the Vulnerable Software and Affected Versions Prisma Browser on macOS affected versions not specified Description A code injection issue exists where the software fails to properly restrict access to its AppleScript interface. This allows a locally authenticated non-admin user to use an...

PT-2026-40814

Name of the Vulnerable Software and Affected Versions CubeCart versions prior to 6.7.3 Description An administrator with documents edit permission can save raw PHP code into the Invoice Editor. When any administrator clicks Print on an order, the rendered template is written to files/print..php...

PT-2026-40818

Name of the Vulnerable Software and Affected Versions CVAT versions 2.5.0 through 2.63.0 Description An attacker with permissions to create or edit an annotation guide on a task can inject malicious JavaScript code. This code executes in the browser of any user who opens the affected guide,...

protobuf.js 代码注入漏洞

protobuf.js is an open-source implementation of the Protocol Buffers format, written entirely in JavaScript. It supports Node.js and browsers running TypeScript. It’s easy to use, extremely fast, and can be used out of the box with.proto files! Versions of protobuf.js prior to 1.2.1 and 2.0.2 had...

vm2 代码注入漏洞

vm2 is a high-level virtual machine/sandbox for Node.js developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability; this vulnerability stemmed from the possibility of...

CVE-2026-44403

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session...

CVE-2026-44403

Wing FTP Server 8.1.2 is affected: an authenticated remote code execution due to unsafe session serialization that injects Lua via the domain admin mydirectory field, leading to code execution when a poisoned session is loaded with loadfile(). Root cause: unsafe serialization of session values in...

CVE-2026-44403 Wing FTP Server < 8.1.3 Authenticated Remote Code Execution via Session Serialization

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session...

EUVD-2026-29718

Improper control of generation of code 'code injection' in Microsoft Dynamics 365 on-premises allows an authorized attacker to execute code over a network...

EUVD-2026-29682

Improper control of generation of code 'code injection' in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network...

GHSA-G76P-4VG5-F4QH llm CLI tool contains a code injection vulnerability via `--functions` command-line argument

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

EUVD-2026-29559

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

llm CLI tool contains a code injection vulnerability via `--functions` command-line argument

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

EUVD-2026-29556

Guardrails AI thru 0.6.7 contains a code injection vulnerability CWE-94 in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the postinstall...

Arbitrary Code Injection

Overview guardrails-ai is an Adding guardrails to large language models. Affected versions of this package are vulnerable to Arbitrary Code Injection via the subprocess.checkoutput function. An attacker can execute arbitrary code by publishing a malicious package to the Hub, which is then install...

GHSA-R6HF-G5X6-7PV9 Guardrails AI contains a code injection vulnerability in its Hub package installation mechanism

Guardrails AI thru 0.6.7 contains a code injection vulnerability CWE-94 in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the postinstall...