GHSA-GC9W-CC93-RJV8 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

Summary PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, the privilegeduser parameter which has no input validation is written...

Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

Summary PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, the privilegeduser parameter which has no input validation is written...

PT-2026-33256

Due to improper input validation in one of the Eaton Intelligent Power Protector IPP XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version...

SAP NetWeaver AS Java Code Injection (3719397)

The version of SAP NetWeaver Application Server Java detected on the remote host is affected by a code injection vulnerability as disclosed in the SAP Security Patch Day April 2026: - Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticate...

Apache ActiveMQ Improper Input Validation Vulnerability

Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection...

CVE-2026-27674

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, th...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the multiple writer sinks such as serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission. An attacker can execute arbitra...

Arbitrary Code Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Arbitrary Code Injection via the msg and callback fields in relayed WebSocket messages, which are processed by client-side eval sinks. An attacker can execute...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the INI settings parser when environment variable interpolation is processed via the parseinistring function. An attacker with Editor permissions can retrieve sensitive environment variables by injecting...

CVE-2026-39640

Cross-Site Request Forgery CSRF vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through = 3.2...

CVE-2026-39628

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through = 1.3.0...

CVE-2026-39626

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through = 1.4.8...

CVE-2026-5973

A vulnerability was found in FoundationAgents MetaGPT up to 0.8.1. Impacted is the function getmimetype of the file metagpt/utils/common.py. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. The project was...

org.apache.avro/avro: Apache Avro Java SDK: Code injection on Java generated code

A code injection flaw has been discovered in Apache Avro. This vulnerability manifests when generating specific records from untrusted Avro schemas...

Exploit for Code Injection in Langflow

No d...

Arbitrary Code Injection

Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Arbitrary Code Injection via the /admin/tinymce/uplo...

Arbitrary Code Injection

Overview @openai/codex is a OpenAI Codex CLI Lightweight coding agent that runs in your terminal Affected versions of this package are vulnerable to Arbitrary Code Injection via the automatic loading of .env and .codex/config.toml files when executing the CLI in a compromised repository. An...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to code injection in NLTK [CVE-2025-14009]

Summary IBM Watson Speech Services Cartridge is vulnerable to code injection in NLTK, due to an issue in in the NLTK downloader component of nltk/nltk that causes the unzipiter function in nltk/downloader.py to fail to perform path validation or security checks CVE-2025-14009. NLTK is used in our...

Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.27.3 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more informatio...

org.apache.avro/avro: Apache Avro Java SDK: Code injection on Java generated code

A code injection flaw has been discovered in Apache Avro. This vulnerability manifests when generating specific records from untrusted Avro schemas...