HCL Aftermarket DPC 安全漏洞

HCL Aftermarket DPC is a digital spare parts and aftermarket management platform for HCL India. A security vulnerability exists in HCL Aftermarket DPC, which can be exploited by an attacker to execute arbitrary commands or inject harmful content based on the way the web application handles split...

PT-2026-28296

Name of the Vulnerable Software and Affected Versions HCL Aftermarket DPC affected versions not specified Description HCL Aftermarket DPC is susceptible to an HTTP Response Splitting issue. The impact of this issue depends on how the web application processes split responses, potentially allowing...

OpenClaw OS Command Injection Vulnerability (CNVD-2026-16043)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an operating system command injection vulnerability. The vulnerability stems from the safeBins configuration failing to properly filter constructed command special characters, commands, etc., which can...

OneUptime 安全漏洞

OneUptime is a comprehensive open-source solution developed by OneUptime. It is used to monitor and manage your online services. Versions of OneUptime prior to 10.0.35 contained security vulnerabilities; these vulnerabilities stemmed from an incomplete sandbox blocklist, which could lead to remot...

OpenClaw Approves Bypass Vulnerability

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an approval bypass vulnerability that can be exploited by an attacker to execute commands from an unexpected file system location by rebinding a writable parent symbolic link...

OpenClaw Command Execution Vulnerability (CNVD-2026-16054)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a command execution vulnerability that can be exploited by an attacker to bypass expected execution limits...

OpenClaw Command Execution Vulnerability (CNVD-2026-16046)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a command execution vulnerability that can be exploited by an attacker to cause an authenticated operator to execute arbitrary parameters...

Command Injection

Overview textract is an Extracting text from files of various type including html, pdf, doc, docx, xls, xlsx, csv, pptx, png, jpg, gif, rtf, text/, and various open office. Affected versions of this package are vulnerable to Command Injection via the filePath parameter in multiple extractors. An...

MAL-2026-2197 Malicious code in allergan (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b647cee7f2efba83a3acb7f2a6216150570618d386d85a162caf08b4fabaeb1d The package allergan was found to contain malicious code. Source: ghsa-malware 39db4e96e2f99167f5914eb406fd2fe8d3adab2598b4872dbe5f0e228cad37e7 Any...

EUVD-2026-14960

A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges...

CVE-2026-32948

A flaw was found in sbt, a build tool for Scala and Java. On Windows, sbt uses the cmd /c command interpreter to execute version control system VCS commands. A remote attacker can exploit this by providing a specially crafted URI fragment such as a branch, tag, or revision name in the build...

CVE-2026-23920

A flaw was found in Zabbix. Authenticated users can bypass input validation in host and event action scripts by injecting a newline character. This bypass occurs because the validation regex, which uses start-of-line ^ and end-of-line $ anchors, operates in multiline mode. Successful exploitation...

CVE-2026-32948

sbt is a build tool for Scala, Java, and others. From version 0.9.5 to before version 1.12.7, on Windows, sbt uses Process"cmd", "/c", ... to run VCS commands git, hg, svn. The URI fragment branch, tag, revision is user-controlled via the build definition and passed to these commands without...

PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution

Summary PinchTab v0.8.4 contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell -Command string using a needle derived from the profile path. In v0.8.4, that string interpolation escapes...

CVE-2026-32948

CVE-2026-32948 affects sbt on Windows: when resolving VCS dependencies, sbt uses Process("cmd", "/c", ...), passing a user-controlled URI fragment (branch/tag/revision) without validation. Because cmd /c treats special characters (&, |, ;) as separators, a crafted fragment can inject and execute ...

EUVD-2025-208962

Vulnerable endpoints accept user-controlled input through a URL in JSON format which enables command execution. The commands allowed to execute can open executables. However, the commands cannot pass parameters or arguments. To successfully execute this attack, the attacker needs to be on the sam...

CVE-2025-11571

Vulnerable endpoints accept user-controlled input through a URL in JSON format which enables command execution. The commands allowed to execute can open executables. However, the commands cannot pass parameters or arguments. To successfully execute this attack, the attacker needs to be on the sam...

CVE-2025-11571

CVE-2025-11571 relates to command execution via vulnerable endpoints in Simplicity Installer. Description indicates endpoints accept user-controlled input through a URL in JSON format, allowing execution of commands that can open executables, but commands cannot pass parameters. Attack requires t...

CVE-2025-11571 Command Execution vulnerability in Simplicity Installer

Vulnerable endpoints accept user-controlled input through a URL in JSON format which enables command execution. The commands allowed to execute can open executables. However, the commands cannot pass parameters or arguments. To successfully execute this attack, the attacker needs to be on the sam...

CVE-2025-11571 Command Execution vulnerability in Simplicity Installer

Vulnerable endpoints accept user-controlled input through a URL in JSON format which enables command execution. The commands allowed to execute can open executables. However, the commands cannot pass parameters or arguments. To successfully execute this attack, the attacker needs to be on the sam...