MAL-2026-2439 Malicious code in expeewas (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bcb3aafc860058ba4e9a64c6fa7dba85b7df72d68971ef7c673245e4ac02820f The package expeewas was found to contain malicious code. Source: ossf-package-analysis...

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Cisco has released updates to address a critical security flaw in the Integrated Management Controller IMC that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges. The vulnerability, tracked a...

Malicious code in expirs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 86105842d926ee95e61ae8adf0d4506cbc55c9510189208ee33d511806f2c5ef The package expirs was found to contain malicious code. Source: ossf-package-analysis d82cf6807fa6c011a17d3f4e8bf8af1e3e935a3d79ab1420356fd87d3f2567d...

Malicious code in expeedsxs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5cf76a69bccb5c0ce57cbf0552aaec481569fbfe1081d47aaf945567059ed4b The package expeedsxs was found to contain malicious code. Source: ossf-package-analysis...

CVE-2026-34796

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logsopenvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplete...

CVE-2026-3692

In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server...

CVE-2026-3692 Unintended command execution during report generation in Progress Flowmon

In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server...

CVE-2026-3692

Progress Flowmon

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview fast-filesystem-mcp is a Fast Filesystem MCP Server - Advanced file operations with Auto-Chunking, Sequential Reading, complex file operations copy, move, delete, batch, compress, optimized for Claude Desktop Affected versions of this package are vulnerable to Improper Neutralization of...

Malicious code in bytefrontier-partner (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a6b7c067c478263090ed1c2af69f93fb08ed460a91f5e70203c0de2037710507 The package bytefrontier-partner was found to contain malicious code. Source: ghsa-malware...

MAL-2026-2422 Malicious code in bytefrontier-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 454ed598382f4741fd508b6e967cfbf60629e200716dd52a83502bc7d9bdd487 The package bytefrontier-api was found to contain malicious code. Source: ghsa-malware fe062cefc7bc337f97aa697a47d972ab881c8000714a3d5161ebb68c811b37...

PT-2026-29794

An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell commands on the underlying operating system...

PT-2026-29738

In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server...

OpenSSH 安全漏洞

OpenSSH OpenBSD Secure Shell is a set of open-source tools developed by OpenBSD in Canada for secure access to remote computers. This tool is an open-source implementation of the SSH protocol, supporting encryption of all transmissions. It effectively prevents eavesdropping, connection hijacking,...

PT-2026-29833

Name of the Vulnerable Software and Affected Versions OpenSSH versions prior to 10.3 Description OpenSSH versions before 10.3 may allow command execution through shell metacharacters present in a username specified within a command line. This requires an untrusted username on the command line and...

glances 安全漏洞

Glances is a system monitoring tool developed by Nicolas Hennion. Versions of Glances prior to 4.5.3 contained security vulnerabilities; these vulnerabilities stemmed from the dynamic execution of system commands based on configuration values, which could lead to privilege escalation...

CVE-2026-25212

CVE-2026-25212 affects Percona PMM prior to 3.7. An internal database user with superuser privileges can abuse the Add data source feature to break out of the database context and execute shell commands on the underlying OS, as described in Percona PMM release notes for 3.7.0. Exploitation detail...

PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()

Summary The --mcp CLI argument is passed directly to shlex.split and forwarded through the call chain to anyio.openprocess with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. Details cli/features/mcp.py:61 source -...

GHSA-W37C-QQFP-C67F PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution

Summary runpython in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "" and passing it to subprocess.run..., shell=True. The escaping logic only handles \ and ", leaving $ and backtick substitutions unescaped, allowing arbitrary OS command executi...

PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution

Summary runpython in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "" and passing it to subprocess.run..., shell=True. The escaping logic only handles \ and ", leaving $ and backtick substitutions unescaped, allowing arbitrary OS command executi...