Guardrails AI contains a code injection vulnerability in its Hub package installation mechanism

Guardrails AI thru 0.6.7 contains a code injection vulnerability CWE-94 in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the postinstall...

CVE-2026-42898

Improper control of generation of code 'code injection' in Microsoft Dynamics 365 on-premises allows an authorized attacker to execute code over a network...

CVE-2026-41094

Improper control of generation of code 'code injection' in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network...

CVE-2026-31233

Guardrails AI thru 0.6.7 contains a code injection vulnerability CWE-94 in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the postinstall...

CVE-2026-31236

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

DEBIAN-CVE-2026-31236

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

UBUNTU-CVE-2026-31236

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

CVE-2026-43892 AntSword: Incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection

AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16...

EUVD-2026-29721

AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16...

CVE-2026-42898

Improper control of generation of code 'code injection' in Microsoft Dynamics 365 on-premises allows an authorized attacker to execute code over a network...

CVE-2026-41094

Improper control of generation of code 'code injection' in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network...

protobuf.js: Code injection in pbjs static output from crafted schema names

Summary pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated JavaScript output, which is then executed or imported by the...

NPM: protobuf.js: Code injection in pbjs static output from crafted schema names

NPM: protobuf.js: Code injection in pbjs static output from crafted schema names vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.2.0...

GHSA-66FF-XGX4-VCHM protobuf.js: Code injection through bytes field defaults in generated toObject code

Summary protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generat...

NPM: protobuf.js: Code injection through bytes field defaults in generated toObject code

NPM: protobuf.js: Code injection through bytes field defaults in generated toObject code vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...

protobuf.js: Code injection through bytes field defaults in generated toObject code

Summary protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generat...

Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability

Improper control of generation of code 'code injection' in Microsoft Dynamics 365 on-premises allows an authorized attacker to execute code over a network...

Microsoft Data Formulator Remote Code Execution Vulnerability

Improper control of generation of code 'code injection' in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network...

EUVD-2026-29430

A vulnerability has been identified in Teamcenter V2312 All versions V2312.0014, Teamcenter V2406 All versions V2406.0012, Teamcenter V2412 All versions V2412.0009, Teamcenter V2506 All versions V2506.0005, Teamcenter V2512 All versions. The affected application does not properly encode or filter...