Incomplete List of Disallowed Inputs

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs inadequate input validation in the validateCommandFlags and validateArgsForLocalFileAccess functions. An attacker can execute arbitrary commands on the server by bypassi...

EUVD-2026-30300

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on...

CVE-2026-44482

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on...

CVE-2025-68421

Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server. This issue has been fixed in...

CVE-2025-68421 Hardcoded credentials in Comarch ERP Optima

Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server. This issue has been fixed in...

CVE-2025-68421

Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server. This issue has been fixed in...

soundcloud-rpc 输入验证错误漏洞

soundcloud-rpc is a music client developed by Richard Habitzreuter, which supports Discord state synchronization and ad blocking. Versions of soundcloud-rpc prior to 0.1.8 had a vulnerability related to input validation errors. This vulnerability stemmed from the execution of song titles containi...

CVE-2025-69443

Remote Code Execution in coleam00 Archon 0.1.0. A crafted HTML page, when accessed by a victim, can execute commands, run prompts on behalf of the user, control the Archon UI features, and steal all Archon information available on the UI including API keys...

PT-2026-41031

Name of the Vulnerable Software and Affected Versions Crabbox versions prior to 0.12.0 Description An environment variable exposure issue allows attackers with access to a malicious or compromised repository to forward local secrets, such as API tokens, cloud credentials, and broker tokens, into...

Archon 安全漏洞

Archon is a content management system CMS specifically designed for archival information management. Version 0.1.0 of Archon contains a security vulnerability. This vulnerability stems from a specially crafted HTML page, which may allow victims to execute commands when accessing the system, run...

PT-2026-41016

Name of the Vulnerable Software and Affected Versions mdserver-web versions 0.18.0 through 0.18.4 Description mdserver-web contains a front-end unauthorized remote command execution RCE issue. The lack of authentication on the ' /modify crond' and '/start task' endpoints allows an attacker to...

ROS-20260514-73-0001

A vulnerability in the phpreadstreamallchunks function of the PHP programming language is related to speculative command execution. Exploitation of the vulnerability could allow a remote attacker to gain access to sensitive data...

TencentOS Server 4: cups (TSSA-2026:0276)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0276 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

GestioIP 3.5.7 Remote Command Execution

This Metasploit module exploits a command execution via file upload. If GestioIP is configured to use no authentication for admin account, no password is required to exploit the vulnerability. Otherwise, an authenticated user with admin right on the web site is required to exploit...

Apache HertzBeat 1.8.0 - Remote Code Execution

Exploit Title: Apache HertzBeat 1.8.0 - Remote Code Execution Google Dork: N/A Date: 2026-03-09 Exploit Author: Brett Gervasoni Vendor Homepage: https://hertzbeat.apache.org/ Software Link: https://github.com/apache/hertzbeat/releases Version: 1.8.0 Tested on: Linux Docker; official HertzBeat...

Apache HertzBeat 1.8.0 Remote Command Execution

Apache HertzBeat version 1.8.0 suffers from a remote command execution vulnerability via the scriptCommand parameter in a monitoring template definition...

PT-2026-41135

Name of the Vulnerable Software and Affected Versions @apostrophecms/cli versions prior to 3.6.1 Description The @apostrophecms/cli package contains a command injection issue within the apos create command. User-supplied input provided during the password prompt is embedded directly into a shell...

CVE-2026-45714

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection SSTI vulnerability exists in multiple modules of CubeCart including Email Templates, Invoices, Documents, and Contact Forms. The application unsafely evaluates user-supplied input using the...

Malicious code in ethers-json-wallet (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis f3f9028ba781f40a017e081a311983ae2834cdce93583e629952f1f7e29a0677 The OpenSSF Package Analysis project identified 'ethers-json-wallet' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...

CVE-2026-44860

SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into...