45048 matches found
MAL-2026-3069 Malicious code in @tochka-ui/foundation (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9575f5fa03036022a473218e67ec437c95aa1e3c0768e1006762695c772705c8 The package @tochka-ui/foundation was found to contain malicious code. Source: ghsa-malware...
MAL-2026-3060 Malicious code in @frengki0707/google-cloud-clone (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a278202a1e4a54c185b707e1eeed0b0df0438168bcec4a2a5b5741bcbd8a5e5c The package @frengki0707/google-cloud-clone was found to contain malicious code. Source: ossf-package-analysis...
electerm has Command Injection via runLinux funtion
Impact What kind of vulnerability is it? Who is impacted? Command Injection vulnerabilities in electerm: A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux function appends attacker-controlled remote version strings directly into an exec"rm -r...
CVE-2026-41411
Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filena...
CVE-2026-39920
BridgeHead FileStore versions prior to 24A released in early 2024 expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console...
EUVD-2026-25569
BridgeHead FileStore versions prior to 24A released in early 2024 expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console...
CVE-2026-39920
BridgeHead FileStore before version 24A exposes the Apache Axis2 administration module on network endpoints with default credentials, allowing unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate using default credentials, upload a malicious Java archive a...
CVE-2026-6349
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server...
Security update for vim
This update for vim fixes the following issues: Update to version 9.2.0280. CVE-2026-34982: missing input validation allows for a modeline sandbox bypass and can lead to arbitrary OS command execution bsc1261271. CVE-2026-34714: missing checks allow for a tabpanel modeline escape and can lead to...
BIT-RCLONE-2026-41179 RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the compilePipeline process. An attacker can execute arbitrary shell commands during the build process by supplying a crafted configuration file that sets pipeline.uses to a value containing directory traversal...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the compilePipeline process. An attacker can execute arbitrary shell commands during the build process by supplying a crafted configuration file that sets pipeline.uses to a value containing directory traversal...
CVE-2026-31166
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi...
TOTOLINK A3300R pppoeMtu Parameter Command Injection Vulnerability
TOTOLINK A3300R is a wireless router from China's Gion Electronics TOTOLINK. The TOTOLINK A3300R pppoeMtu parameter suffers from a command injection vulnerability that stems from the firmware failing to properly validate user input for the pppoeMtu parameter in /cgi-bin/cstecgi.cgi, which can be...
TOTOLINK A3300R stunMaxAlive Parameter OS Command Injection Vulnerability
TOTOLINK A3300R is a wireless router from China's Gion Electronics TOTOLINK. An operating system command injection vulnerability exists in the TOTOLINK A3300R stunMaxAlive parameter, which originates from the cstecgi.cgi file failing to handle the stunMaxAlive parameter correctly, and can be...
TOTOLINK A3300R user parameter command injection vulnerability
TOTOLINK A3300R is a wireless router from China's Gion Electronics TOTOLINK. A command injection vulnerability exists in the TOTOLINK A3300R user parameter, which originates from the failure of the user parameter in cstecgi.cgi to properly filter special characters, and can be exploited by an...
TOTOLINK A3300R provider parameter command injection vulnerability
The TOTOLINK A3300R is a wireless router from China's Gion Electronics TOTOLINK. A command injection vulnerability exists in the TOTOLINK A3300R provider parameter, which can be exploited by an attacker to execute arbitrary commands by sending a malicious request to the parameter...
TOTOLINK A3300R hour parameter command injection vulnerability
TOTOLINK A3300R is a wireless router from China's Gion Electronics TOTOLINK. A command injection vulnerability exists in the TOTOLINK A3300R hour parameter, which originates from the cstecgi.cgi file failing to properly validate the hour parameter, and can be exploited by an attacker to execute...
BridgeHead FileStore 安全漏洞
BridgeHead FileStore is a medical data-oriented file storage and long-term archiving management system developed by BridgeHead Corporation in Canada. Previous versions of BridgeHead FileStore 24A contained security vulnerabilities. These vulnerabilities stemmed from the Apache Axis2 management...
PT-2026-34836
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a...