lodash vulnerable to Code Injection via `_.template` imports key names

Impact The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. When an application passes untrusted input as options.imports key names, an attacker...

Arbitrary Code Injection

Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Arbitrary Code Injection via the executecode method. An attacker can execute arbitrary operating system commands by passing a crafted str...

EUVD-2026-17875

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

CVE-2026-29014

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

CVE-2026-29014

CVE-2026-29014 affects MetInfo CMS versions 7.9, 8.0, and 8.1 with an unauthenticated PHP code injection that enables remote code execution. The vulnerability arises from insufficient input neutralization in the execution path, allowing remote attackers to send crafted requests containing PHP cod...

CVE-2026-30309

InfCode's terminal auto-execution module contains a critical command filtering vulnerability that renders its blacklist security mechanism completely ineffective. The predefined blocklist fails to cover native high-risk commands in Windows PowerShell such as powershell, and the matching algorithm...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection through the escapeNodeAttributeValues process. An attacker can execute arbitrary operating system commands by crafting a malicious .sy.zip file containing specially formatted block attribute values, which, when...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection through the escapeNodeAttributeValues process. An attacker can execute arbitrary operating system commands by crafting a malicious .sy.zip file containing specially formatted block attribute values, which, when...

PT-2026-29514

Name of the Vulnerable Software and Affected Versions MetInfo CMS versions 7.9 through 8.1 Description An unauthenticated PHP code injection flaw allows remote attackers to execute arbitrary code and gain full control over the affected server by sending crafted requests containing malicious PHP...

MetInfo CMS 安全漏洞

MetInfo CMS is a content management system developed by MetInfo Corporation. Versions 7.9, 8.0, and 8.1 of MetInfo CMS have security vulnerabilities. These vulnerabilities stem from unvalidated PHP code injection, which could allow remote attackers to execute arbitrary code by sending specially...

Xenforo 代码注入漏洞

Xenforo is a forum software developed by the Xenforo company. Versions of XenForo prior to 2.3.7 had a code injection vulnerability. This vulnerability stemmed from improper restrictions on methods that could be called within templates, allowing unauthorized method calls to occur...

libinput 代码注入漏洞

libinput is an open-source library from freedesktop. It provides a complete input stack for applications that need to handle input devices provided by the kernel. There is a code injection vulnerability in libinput. This vulnerability allows local attackers to place specially crafted Lua bytecode...

📄 MetInfo CMS 8.1 Code Injection

MetInfo CMS versions 8.1 and below suffer from a PHP code injection vulnerability in weixinreply.class.php. --------------------------------------------------------------------------- MetInfo CMS = 8.1 weixinreply.class.php PHP Code Injection Vulnerability...

Code-Projects Simple Laundry System 代码注入漏洞

Code-Projects Simple Laundry System is an open-source system developed by Code-Projects, designed for managing laundry shop operations. It offers features such as order management, customer management, and inventory management. Version 1.0 of Code-Projects Simple Laundry System contains a code...

ffmate 代码注入漏洞

ffmate is an automated media processing engine open source by We Love Media. Versions of ffmate 2.0.15 and earlier contained a code injection vulnerability. This vulnerability stemmed from incorrect handling of files in the /ui/app/components/AppJsonTreeView.vue directory, which could lead to...

gougucms（勾股CMS） 代码注入漏洞

Gougucms is an open-source backend management framework developed by Gougu in China, based on ThinkPHP6, Layui, and MySql. Version 4.08.18 of Gougucms contains a code injection vulnerability. This vulnerability stems from incorrect handling of a parameter named "value.content" in the file...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the luaLloadfile plugin in configuration directories. An attacker can execute unauthorized code and access sensitive information by placing a specially crafted Lua bytecode file in a system or user...

admin 代码注入漏洞

“admin” is a chatroom software developed by Z-9527. Both the 1.0 and 2.0 versions of “admin” have code injection vulnerabilities. These vulnerabilities stem from incorrect operations on the file/server/routes/message.js, which may lead to cross-site scripting attacks...