
44860 matches found

CVE
added 2025/10/13 1:47 p.m., 18 views

CVE-2025-37729

Elastic Cloud Enterprise (ECE) is affected by CVE-2025-37729 due to improper neutralization of Jinjava template elements. The issue allows a user with Admin access to exfiltrate sensitive information and issue commands through a specially crafted string that causes Jinjava variables to be evaluat...

9.1 CVSS, 6.3 AI score, 0.00565 EPSS
Exploits: 0, References: 1, Affected Software: 1
Vulnrichment
added 2025/10/13 1:47 p.m., 2 views

CVE-2025-37729 Elastic Cloud Enterprise (ECE) Improper Neutralization of Special Elements Used in a Template Engine

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated...

9.1 CVSS, 6.3 AI score, 0.00565 EPSS
Exploits: 0, References: 1
Cvelist
added 2025/10/13 1:47 p.m., 8 views

CVE-2025-37729 Elastic Cloud Enterprise (ECE) Improper Neutralization of Special Elements Used in a Template Engine

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated...

9.1 CVSS, 0.00565 EPSS
Exploits: 0, References: 1
SUSE Linux
added 2025/10/13 12:59 p.m., 2 views

Security update for bluez

This update for bluez fixes the following issues: CVE-2023-45866: keystroke injection and arbitrary command execution via HID device connections bsc1217877. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...

6.3 CVSS, 7.7 AI score, 0.07879 EPSS
Exploits: 7, References: 4
OSV
added 2025/10/13 12:59 p.m., 0 views

SUSE-SU-2025:03590-1 Security update for bluez

This update for bluez fixes the following issues: - CVE-2023-45866: keystroke injection and arbitrary command execution via HID device connections bsc1217877...

6.3 CVSS, 6.1 AI score, 0.07879 EPSS
Exploits: 7, References: 3
Veracode
added 2025/10/13 5:58 a.m., 4 views

Cross-site Scripting (XSS)

@modelcontextprotocol/inspector is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper handling of malicious redirect URIs when connecting to untrusted remote MCP servers, which allows an attacker to inject and execute arbitrary scripts that can interact with the inspecto...

8.6 CVSS, 7.3 AI score, 0.00627 EPSS
Exploits: 0, References: 3, Affected Software: 1
Positive Technologies
added 2025/10/13 12:0 a.m., 3 views

PT-2025-41785

Name of the Vulnerable Software and Affected Versions: Elastic Cloud Enterprise versions 2.5.0 through 3.8.1; Elastic Cloud Enterprise version 4.0.0 through 4.0.1. Description: An issue exists in Elastic Cloud Enterprise (ECE) related to the improper handling of special elements within its template...

9.1 CVSS, 7.9 AI score, 0.00565 EPSS
Exploits: 0, References: 21
CNVD
added 2025/10/13 12:0 a.m., 3 views

AndSoft e-TMS OS Command Injection Vulnerability (CNVD-2025-23544)

AndSoft e-TMS is a logistics management software from AndSoft Spain. AndSoft e-TMS suffers from an operating system command injection vulnerability that originates from a misuse of the parameter m in the file /clt/LOGINFRMCAT.ASP, which can be exploited by an attacker to execute operating system...

9.8 CVSS, 8 AI score, 0.01436 EPSS
Exploits: 0, References: 1
CNVD
added 2025/10/13 12:0 a.m., 5 views

TOTOLINK X18 setEasyMeshAgentCfg function mac parameter command injection vulnerability

TOTOLINK X18 is a Mesh WiFi 6 router system from TOTOLINK Taiwan, which supports WiFi 6 technology and optimizes home network coverage through the mesh function. TOTOLINK X18 suffers from a command injection vulnerability that stems from the mac parameter in the setEasyMeshAgentCfg function faili...

9.8 CVSS, 8 AI score, 0.0171 EPSS
Exploits: 1, References: 1
RedhatCVE
added 2025/10/11 11:20 a.m., 5 views

CVE-2025-11188

The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing for SQL commands to be issued and to compromise the corresponding database...

7.3 CVSS, 8.1 AI score, 0.00272 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2025/10/10 7:50 p.m., 3 views

CVE-2025-61929 Cherry Studio allows one-click on a specific URL to cause a command to execute

Cherry Studio is a desktop client that supports multiple LLM providers. Cherry Studio registers a custom protocol called cherrystudio://. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files...

9.6 CVSS, 6.6 AI score, 0.0043 EPSS
Exploits: 1, References: 1
Cvelist
added 2025/10/10 7:50 p.m., 6 views

CVE-2025-61929 Cherry Studio allows one-click on a specific URL to cause a command to execute

Cherry Studio is a desktop client that supports multiple LLM providers. Cherry Studio registers a custom protocol called cherrystudio://. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files...

9.6 CVSS, 0.0043 EPSS
Exploits: 1, References: 1
CVE
added 2025/10/10 7:50 p.m., 22 views

CVE-2025-61929

Cherry Studio is affected by a code-injection vulnerability where the cherrystudio://mcp protocol handler parses base64-encoded configuration data and directly executes the contained command. Affected component paths include src/main/services/ProtocolClient.ts and src/main/services/urlschema/mcp-...

9.6 CVSS, 6.6 AI score, 0.0043 EPSS
Exploits: 1, References: 1, Affected Software: 1
OSV
added 2025/10/10 7:50 p.m., 2 views

CVE-2025-61929 Cherry Studio allows one-click on a specific URL to cause a command to execute

Cherry Studio is a desktop client that supports multiple LLM providers. Cherry Studio registers a custom protocol called cherrystudio://. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files...

9.6 CVSS, 7 AI score, 0.0043 EPSS
Exploits: 1, References: 3
OSSF Malicious Packages
added 2025/10/10 5:55 p.m., 3 views

Malicious code in superbet-icons (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 45a9d250491e6e1730c0d00d3f235091fccd078ad4ed75002897332819f9317d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits: 0, References: 1
RedhatCVE
added 2025/10/10 4:20 p.m., 3 views

CVE-2025-10283

BBOT's gitdumper module could be abused to execute commands through a malicious git repository...

9.6 CVSS, 7.3 AI score, 0.00437 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2025/10/10 4:20 p.m., 3 views

CVE-2025-59988

An Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the Generate Report page that, when visited by another user, enables the attacker to execute commands with the target's...

6.1 CVSS, 6.9 AI score, 0.00202 EPSS
Exploits: 0, References: 1
OSV
added 2025/10/10 4:11 p.m., 2 views

MAL-2025-48402 Malicious code in wt-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e2d85a0a81bf32d87da2b57522113cf28e122344c75d7055ea5d5116d63f61e4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits: 0, References: 1
CVE
added 2025/10/10 9:52 a.m., 14 views

CVE-2025-30001

Apache StreamPark has a vulnerability described as an Incorrect Execution-Assigned Permissions issue that, in versions 2.1.4 up to but not including 2.1.6, can allow authenticated users to trigger remote command execution. PT-security and multiple CVE references converge on this issue, noting tha...

7.3 CVSS, 6.6 AI score, 0.00506 EPSS
Exploits: 0, References: 2, Affected Software: 1
Packet Storm
added 2025/10/10 12:0 a.m., 158 views

MotionEye Frontend 0.43.1b4 Remote Code Execution

This Metasploit module exploits a template injection vulnerability in the MotionEye Frontend. MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS command injection in configuration parameters such as imagefilename. Unsanitized user input is written to MotionEye Frontend...

7.2 CVSS, 8.5 AI score, 0.24749 EPSS
Exploits: 16