PT-2026-2419

Name of the Vulnerable Software and Affected Versions Inbit Messenger versions 4.6.0 through 4.9.0 Description Inbit Messenger versions 4.6.0 through 4.9.0 have a remote command execution issue. Unauthenticated attackers can execute arbitrary commands by exploiting a stack overflow in the...

HPE AOS 安全漏洞

HPE AOS is an operating system from HPE, USA. A security vulnerability exists in HPE AOS that stems from a packet header that can be injected with shell commands, which could lead to the execution of arbitrary commands...

Algo 8028 Control Panel 操作系统命令注入漏洞

The Algo 8028 Control Panel is a web configuration interface for an access control intercom system from Algo. An operating system command injection vulnerability exists in Algo 8028 Control Panel version 3.3.3, which stems from the presence of command injection in the fm-data.lua endpoint, which...

HPE AOS 安全漏洞

HPE AOS is an operating system from HPE Corporation in the United States. A security vulnerability exists in HPE AOS that stems from a command injection vulnerability in the web-based management interface that could lead to the execution of arbitrary commands...

SAP Wily Introscope Enterprise Manager 代码注入漏洞

SAP Wily Introscope Enterprise Manager is an application performance management component from SAP, Germany. A code injection vulnerability exists in SAP Wily Introscope Enterprise Manager, which stems from the use of a vulnerable third-party component, and could allow an unauthenticated attacker...

PT-2026-2627

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default...

SAP Application Server for ABAP 操作系统命令注入漏洞

SAP Application Server for ABAP is a load balancing, memory management platform from SAP, Germany. SAP Application Server for ABAP suffers from an operating system command injection vulnerability that stems from OS command injection, which could lead to an authenticated attacker uploading special...

PT-2026-2441

Name of the Vulnerable Software and Affected Versions Eclipse Che versions affected versions not specified Description A flaw exists in Eclipse Che che-machine-exec that permits unauthenticated remote arbitrary command execution and secret exfiltration, including SSH keys and tokens, from other...

PT-2026-2429

Name of the Vulnerable Software and Affected Versions Webgrind version 1.1 Description Webgrind version 1.1 contains a remote command execution issue. Unauthenticated attackers can inject OS commands through the dataFile parameter in the ''index.php'' file. Attackers can execute arbitrary system...

eXtplorer 访问控制错误漏洞

eXtplorer is a PHP-based file manager by soerennb individual developer. An access control error vulnerability exists in eXtplorer version 2.1.14, which stems from an authentication bypass that could allow an attacker to upload malicious PHP files and execute remote commands...

Progress LoadMaster 安全漏洞

Progress LoadMaster is a high performance Application Delivery Controller ADC and load balancer from Progress, Inc. A security vulnerability exists in Progress LoadMaster that stems from an uncleaned API input parameter, which could lead to the execution of arbitrary commands by an authenticated...

HPE AOS 安全漏洞

HPE AOS is an operating system from HPE, USA. A security vulnerability exists in HPE AOS 8 that stems from a command injection vulnerability in the web-based management interface that could lead to the execution of arbitrary commands...

PT-2026-2363

Name of the Vulnerable Software and Affected Versions 4images version 1.9 Description The software contains a remote command execution issue. Authenticated administrators can inject reverse shell code through template editing functionality. Attackers can save malicious code in a template and...

Progress LoadMaster 安全漏洞

Progress LoadMaster is a high performance Application Delivery Controller ADC and load balancer from Progress, Inc. A security vulnerability exists in Progress LoadMaster that stems from an uncleaned API input parameter, which could lead to the execution of arbitrary commands by an authenticated...

PT-2026-2425

Name of the Vulnerable Software and Affected Versions eXtplorer version 2.1.14 Description eXtplorer version 2.1.14 contains an authentication bypass that allows attackers to log in without a password by manipulating the login request. Successful exploitation enables attackers to upload malicious...

HPE AOS 安全漏洞

HPE AOS is an operating system from HPE Corporation in the United States. A security vulnerability exists in HPE AOS 10 and HPE AOS 8 that stems from an arbitrary file write vulnerability in the web-based management interface that could lead to the execution of arbitrary commands...

CVE-2026-22812

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process or any website via permissive CORS to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216...

CVE-2026-22813 Malicious website can execute commands on the local system through XSS in the OpenCode web UI

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response...

CVE-2026-22813 Malicious website can execute commands on the local system through XSS in the OpenCode web UI

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response...

CVE-2026-22813

The CVE-2026-22813 issue affects OpenCode, where the markdown renderer for LLM responses does not sanitize HTML, allowing arbitrary HTML/JavaScript to run in the OpenCode web UI at http://localhost:4096. The root cause is lack of DOM sanitization and CSP, enabling XSS that can leverage the localh...