19 matches found
CVE-2026-36044
@pensar/apex = 0.0.58 is vulnerable to OS command injection via the smartenumerate tool. The createSmartEnumerateTool function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js...
PT-2026-43702
@pensar/apex = 0.0.58 is vulnerable to OS command injection via the smart enumerate tool. The createSmartEnumerateTool function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js chi...
GHSA-4XQG-GF5C-GHWQ MCP Server Kubernetes has an Argument Injection in port_forward tool via space-splitting
Summary The port_forward tool in mcp-server-kubernetes constructs a kubectl command as a string and splits it on spaces before passing it to spawn. Unlike all other tools in the codebase, which correctly use execFileSync("kubectl", argsArray), port_forward uses string concatenation with user-controlled...
PT-2026-5713
Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 1.5.0 Signal K Set-System-Time plugin versions prior to 1.5.0 Description A command injection issue exists in the Signal K Server and its Set-System-Time plugin. Authenticated users with write permissions can...
CVE-2018-25122
Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled input and lacked sufficient validation and output encoding, allowing an authenticated user to inje...
PT-2025-44545
Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled input and lacked sufficient validation and output encoding, allowing an authenticated user to inje...
EUVD-2009-3460
Malware in sbrugna...
OS Command Injection
@wong2/mcp-cli is vulnerable to OS command injection. The vulnerability is due to unsafe command construction/execution because redirectToAuthorization in /src/oauth/provider.js uses attacker-controlled input in an OS command context, allowing remote command execution...
Command Injection
Thor is vulnerable to Command Injection. The vulnerability is due to unsafe command construction caused by the library forming shell commands directly from user-controlled input...
CVE-2024-3924
A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.head_ref user input, which is used to dynamically construct a command for installing ...
Exploit for Command Injection in Mjdm Majordomo
Deep Dive: CVE-2023-50917 - Unmasking an Unauthenticated Remo...
Thecodingmachine Gotenberg Cross-Site Scripting Vulnerability
Thecodingmachine Gotenberg is a Go-based application, from the individual developer Thecodingmachine (Victornpb), that converts HTML, Markdown and Office documents to PDF. It is a Docker-based stateless API that can be used to build web applications. A cross-site...
Less-openui5 Injection Vulnerability
An injection vulnerability exists in Less-openui5. It arises when a network system or product constructs a command, data structure, or record from user input without properly validating it, and fails to filter, or fails to correctly filter out, specific elements of t...
Is-user-valid Injection Vulnerability
An injection vulnerability exists in Is-user-valid. It arises when a network system or product constructs a command, data structure, or record from user input without properly validating it, and fails to filter, or fails to correctly filter out...
NETGEAR D3600, D6000 and XR500 OS Command Injection Vulnerability (CNVD-2020-27258)
NETGEAR D3600 and others are products of NETGEAR Corporation. NETGEAR D3600 and D6000 are wireless modems; NETGEAR XR500 is a wireless router. An operating system command injection vulnerability exists in the NETGEAR D3600 prior to version...
Mobatek MobaXterm Command Injection Vulnerability
Mobatek MobaXterm is a terminal software package from the French company Mobatek that integrates an enhanced terminal, an X server and a set of Unix commands (GNU/Cygwin). A command injection vulnerability exists in MobaXterm version 11.1, which can be exploited by an attacker to execute an illegal...