CVE-2026-42589

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded i...

Incomplete List of Disallowed Inputs

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs inadequate input validation in the validateCommandFlags and validateArgsForLocalFileAccess functions. An attacker can execute arbitrary commands on the server by bypassi...

EUVD-2026-30300

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on...

CVE-2026-44482

soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on...

CVE-2025-68421

Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server. This issue has been fixed in...

CVE-2025-68421 Hardcoded credentials in Comarch ERP Optima

Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server. This issue has been fixed in...

CVE-2025-68421

Comarch ERP Optima client makes use of a hard-coded password for a database user. These credentials cannot be changed. It is possible for a remote attacker to gain an access to the database with elevated privileges including executing system commands on a server. This issue has been fixed in...

Archon 安全漏洞

Archon is a content management system CMS specifically designed for archival information management. Version 0.1.0 of Archon contains a security vulnerability. This vulnerability stems from a specially crafted HTML page, which may allow victims to execute commands when accessing the system, run...

Apache HertzBeat 1.8.0 Remote Command Execution

Apache HertzBeat version 1.8.0 suffers from a remote command execution vulnerability via the scriptCommand parameter in a monitoring template definition...

PT-2026-41016

Name of the Vulnerable Software and Affected Versions mdserver-web versions 0.18.0 through 0.18.4 Description mdserver-web contains a front-end unauthorized remote command execution RCE issue. The lack of authentication on the ' /modify crond' and '/start task' endpoints allows an attacker to...

CVE-2025-69443

Remote Code Execution in coleam00 Archon 0.1.0. A crafted HTML page, when accessed by a victim, can execute commands, run prompts on behalf of the user, control the Archon UI features, and steal all Archon information available on the UI including API keys...

soundcloud-rpc 输入验证错误漏洞

soundcloud-rpc is a music client developed by Richard Habitzreuter, which supports Discord state synchronization and ad blocking. Versions of soundcloud-rpc prior to 0.1.8 had a vulnerability related to input validation errors. This vulnerability stemmed from the execution of song titles containi...

TencentOS Server 4: cups (TSSA-2026:0276)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0276 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

PT-2026-41135

Summary The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host...

PT-2026-41031

Name of the Vulnerable Software and Affected Versions Crabbox versions prior to 0.12.0 Description An environment variable exposure issue allows attackers with access to a malicious or compromised repository to forward local secrets, such as API tokens, cloud credentials, and broker tokens, into...

GestioIP 3.5.7 Remote Command Execution

This Metasploit module exploits a command execution via file upload. If GestioIP is configured to use no authentication for admin account, no password is required to exploit the vulnerability. Otherwise, an authenticated user with admin right on the web site is required to exploit...

ROS-20260514-73-0001

A vulnerability in the phpreadstreamallchunks function of the PHP programming language is related to speculative command execution. Exploitation of the vulnerability could allow a remote attacker to gain access to sensitive data...

Apache HertzBeat 1.8.0 - Remote Code Execution

Exploit Title: Apache HertzBeat 1.8.0 - Remote Code Execution Google Dork: N/A Date: 2026-03-09 Exploit Author: Brett Gervasoni Vendor Homepage: https://hertzbeat.apache.org/ Software Link: https://github.com/apache/hertzbeat/releases Version: 1.8.0 Tested on: Linux Docker; official HertzBeat...

CVE-2026-45714

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection SSTI vulnerability exists in multiple modules of CubeCart including Email Templates, Invoices, Documents, and Contact Forms. The application unsafely evaluates user-supplied input using the...

Malicious code in ethers-json-wallet (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis f3f9028ba781f40a017e081a311983ae2834cdce93583e629952f1f7e29a0677 The OpenSSF Package Analysis project identified 'ethers-json-wallet' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...