CVE-2026-0855

Certain IP Camera models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device...

CVE-2023-54329 Inbit Messenger 4.9.0 - Unauthenticated Remote Command Execution (RCE)

Inbit Messenger 4.6.0 - 4.9.0 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by exploiting a stack overflow in the messenger's protocol. Attackers can send specially crafted XML packets to port 10883 with a malicious payload t...

CVE-2023-54329 Inbit Messenger 4.9.0 - Unauthenticated Remote Command Execution (RCE)

Inbit Messenger 4.6.0 - 4.9.0 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by exploiting a stack overflow in the messenger's protocol. Attackers can send specially crafted XML packets to port 10883 with a malicious payload t...

CVE-2023-54329

Inbit Messenger 4.6.0–4.9.0 is affected by an unauthenticated remote command execution via a stack overflow in the messenger’s protocol. The vulnerability allows attackers to send specially crafted XML packets to TCP port 10883 to trigger execution of arbitrary commands with system privileges. Th...

CVE-2022-50806 4images 1.9 - Remote Command Execution (RCE)

4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php...

CVE-2022-50806

CVE-2022-50806 affects 4images 1.9. The vulnerability is a remote command execution where authenticated administrators can inject reverse shell code through the template editing feature and execute commands via categories.php with a crafted cat_id parameter. Exploitation details and affected comp...

Malicious website can execute commands on the local system through XSS in the OpenCode web UI

Summary A malicious website can abuse the server URL override feature of the OpenCode web UI to achieve cross-site scripting on http://localhost:4096. From there, it is possible to run arbitrary commands on the local system using the /pty/ endpoints provided by the OpenCode API. Code execution vi...

EUVD-2026-2092

OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution...

GHSA-VXW4-WV6M-9HHH OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution

Previously reported via email to [email protected] on 2025-11-17 per the security policy in opencode-sdk-js/SECURITY.md. No response received. Summary OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary...

Arbitrary Command Injection

Overview renovate is a dependency updater. Affected versions of this package are vulnerable to Arbitrary Command Injection due to the improper sanitazation of user-supplied repository in the Chart.yaml file in the helmv3 manager. An attacker can execute arbitrary commands on the host system by...

CVE-2025-37175

Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privilege user and execute arbitrary comman...

CVE-2025-37171

Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating...

CVE-2025-37175

Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privilege user and execute arbitrary comman...

CVE-2025-37175 Authenticated Arbitrary File Upload Vulnerability in AOS-10 or AOS-8 Web-Based Management Interface

Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privilege user and execute arbitrary comman...

CVE-2025-37175

The CVE-2025-37175 entry concerns Aruba Networks ArubaOS (AOS-8 and AOS-10) web-based management interfaces. The connected NCSC advisory confirms that vulnerabilities in AOS-8/AOS-10 include arbitrary file deletion, stack overflow, command injection, and improper input handling, which could allow...

CVE-2025-37174 Authenticated Arbitrary File Write Vulnerability in AOS 10 and AOS-8 Web-Based Management Interface

Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary...

CVE-2025-37174 Authenticated Arbitrary File Write Vulnerability in AOS 10 and AOS-8 Web-Based Management Interface

Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary...

CVE-2025-37174

ArubaOS AOS-8 and AOS-10 web management interfaces are affected by vulnerabilities fixed by Aruba Networks. The NCSC advisory notes issues including arbitrary file deletion, stack overflow, command injection, and improper input handling that could allow unauthorized access, file manipulation, or ...

GHSA-XV56-3WQ5-9997 Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository

Summary The user-provided chart name in the kustomize manager is appended to the helm pull --untar command without proper sanitization. Details Adversaries can provide a maliciously crafted kustomization.yaml in conjunction with a Helm repo's index.yaml file to trick Renovate to execute arbitrary...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the EnvoyExtensionPolicy resource. An attacker can execute arbitrary commands and access sensitive credentials by injecting malicious Lua scripts. This can lead to privilege escalation, theft of secrets, and...