70830 matches found
Microsoft CVE
added 2026/05/17 8:01 a.m. | 10 views

Pallets Click contains a command injection via Unsanitized Filename "click.edit()"

...

CVSS 7.2 | AI score 5.8 | EPSS 0.00665
Exploits: 1
Microsoft CVE
added 2026/05/17 8:01 a.m. | 11 views

Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag

...

CVSS 7.0 | AI score 5.8 | EPSS 0.00552
Exploits: 0
Positive Technologies
added 2026/05/17 12:00 a.m. | 13 views

PT-2026-41543

Name of the vulnerable software and affected versions: kalcaddle Kodbox versions prior to 1.65. Description: Command injection is possible via remote attack in the fileThumb plugin. The issue exists within the parseVideoInfo function located in the...

CVSS 6.5 | AI score 6.8 | EPSS 0.01182
Exploits: 0 | References: 6
CNNVD
added 2026/05/17 12:00 a.m. | 7 views

Kalcaddle Kodbox injection vulnerability

Kalcaddle Kodbox is a private cloud storage and online collaborative office platform developed by Kalcaddle. Versions of Kalcaddle Kodbox prior to 1.64 have an injection vulnerability. This vulnerability stems from the improper handling of the parameter fmpegBin in the parseVideoInfo function of t...

CVSS 6.5 | AI score 6.6 | EPSS 0.01182
Exploits: 0 | References: 2
CNNVD
added 2026/05/17 12:00 a.m. | 10 views

AI SDK command injection vulnerability

AI SDK is a TypeScript AI toolkit open-sourced by Vercel. Versions of AI SDK 3.0.97 and earlier have a command injection vulnerability. This vulnerability stems from the run function in the PR Branch Name Interpolation component, where operating system commands can be injected, potentially allowi...

CVSS 7.5 | AI score 6.0 | EPSS 0.04261
Exploits: 1 | References: 1
Positive Technologies
added 2026/05/17 12:00 a.m. | 11 views

PT-2026-41570

Name of the vulnerable software and affected versions: vercel ai versions prior to 3.0.98. Description: An OS command injection issue exists in the PR Branch Name Interpolation component. The flaw is located within the run function of the .github/workflows/prettier-on-automerge.yml file. This allows...

CVSS 5.0 | AI score 6.2 | EPSS 0.04261
Exploits: 1 | References: 8
Veracode
added 2026/05/16 5:30 a.m. | 8 views

Command Injection

uniget is vulnerable to Command Injection. The vulnerability is due to unsafe execution of the untrusted check field from metadata files through /bin/bash -c without proper validation or sanitization, which allows an attacker to execute arbitrary shell commands on the victim's system...

CVSS 7.8 | AI score 6.2 | EPSS 0.00715
Exploits: 0 | References: 4 | Affected software: 1
Veracode
added 2026/05/16 5:27 a.m. | 10 views

Command Injection

Arcane is vulnerable to Command Injection. The vulnerability is due to lifecycle label values such as com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update being passed directly to /bin/sh -c without sanitization, allowing authenticated users to inject...

CVSS 9.0 | AI score 5.9 | EPSS 0.01643
Exploits: 6 | References: 4 | Affected software: 1
Veracode
added 2026/05/16 5:25 a.m. | 9 views

OS Command Injection

Fleet is vulnerable to Command Injection. The vulnerability is due to improper sanitization of software package metadata used in auto-generated uninstall scripts, allowing specially crafted package metadata to inject and execute arbitrary commands with elevated privileges (root on macOS/Linux or...

CVSS 9.8 | AI score 6.0 | EPSS 0.00773
Exploits: 0 | References: 2 | Affected software: 1
Veracode
added 2026/05/16 5:22 a.m. | 8 views

OS Command Injection

github.com/kubeai-project/kubeai is vulnerable to OS Command Injection. The vulnerability is due to the ollamaStartupProbeScript function constructing a shell command with unsanitized model URL components (ref and modelParam) and executing it via bash -c, which allows an attacker with permission to...

CVSS 8.8 | AI score 5.9 | EPSS 0.00448
Exploits: 3 | References: 2 | Affected software: 1
Veracode
added 2026/05/16 5:16 a.m. | 11 views

Arbitrary Code Execution

GitHub Copilot CLI is vulnerable to Command Injection. The vulnerability is due to improper safety assessment of shell commands in the shell tool, where dangerous Bash parameter expansion patterns such as ${var@P}, ${!var}, ${var:=value}, and nested $(cmd) expressions are incorrectly classified as...

CVSS 7.8 | AI score 6.0 | EPSS 0.00363
Exploits: 1 | References: 2 | Affected software: 1
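The Copilot CLI entry above turns on how a "safe command" assessment can be fooled by Bash parameter expansion forms whose effect is not visible on the command's surface. The Python example below is added here; it is not GitHub's code and does not reproduce the CLI's actual classifier. It contrasts a naive allowlist-style check of the kind such tools commonly use with one that also rejects the expansion forms the entry names, and, when a bash binary is present, shows why ${var@P} matters: prompt expansion re-parses the variable's value, so a $(...) stored in it is executed. The allowlist and the sample commands are constructed for the example.

```python
import re
import shutil
import subprocess

BASH = shutil.which("bash")

# Constructed allowlist: commands a reviewer decided are harmless when run
# with plain arguments.
ALLOWED_FIRST_WORDS = {"echo", "ls", "cat", "git"}

# Surface-level syntax that obviously chains or substitutes commands.
OBVIOUS = re.compile(r"[;&|`]|\$\(")
SEPARATORS = re.compile(r"[;&|]")


def naive_is_safe(cmd: str) -> bool:
    """Checks the first word and scans for obvious metacharacters only."""
    words = cmd.split()
    return bool(words) and words[0] in ALLOWED_FIRST_WORDS and not OBVIOUS.search(cmd)


# Expansion forms the entry lists as misclassified, with the reason each one
# is not inert.  Syntax as in bash(1): ${parameter@operator}, ${!name},
# ${parameter:=word}, $(command).
DANGEROUS_EXPANSIONS = [
    (re.compile(r"\$\{[^}]*@P\}"),
     "${var@P}: prompt expansion re-parses the value, including $(...)"),
    (re.compile(r"\$\{![^}]+\}"),
     "${!var}: indirect expansion reads a variable not visible in the command"),
    (re.compile(r"\$\{[^}=]+:?=[^}]*\}"),
     "${var:=value}: assignment side effect persists in the shell"),
    (re.compile(r"\$\(|`"),
     "$(...) or backticks: command substitution at any nesting depth"),
]


def assess(cmd: str) -> list:
    """Return the reasons a command is unsafe; an empty list means it passed."""
    reasons = []
    words = cmd.split()
    if not words or words[0] not in ALLOWED_FIRST_WORDS:
        reasons.append("first word not allowlisted")
    for pattern, why in DANGEROUS_EXPANSIONS:
        if pattern.search(cmd):
            reasons.append(why)
    if SEPARATORS.search(cmd):
        reasons.append("command separator or pipe")
    return reasons


def prompt_expansion_runs_commands():
    """Show that ${x@P} executes a $(...) stored in x.

    Returns the expansion's output, or None when no bash that supports
    the @P operator (4.4 or newer) is available.
    """
    if BASH is None:
        return None
    # x holds the literal text $(echo RAN); only the @P expansion runs it.
    script = "x='$(echo RAN)'; printf '%s' \"${x@P}\""
    proc = subprocess.run([BASH, "-c", script], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    for cmd in ('echo "${x@P}"', "echo ${!name}", "echo ${HOME:=/tmp}", "echo $(id)"):
        print(f"{cmd!r}: naive={naive_is_safe(cmd)} reasons={assess(cmd)}")
    print("prompt expansion output:", prompt_expansion_runs_commands())  # 'RAN' where bash >= 4.4
```

The naive check accepts the first three commands because their first word is allowlisted and nothing on the surface looks like a separator or substitution; the stricter check rejects each with a reason. Both checks are only a last line of defence: a tool that executes model-chosen commands should run them without a shell, or in a sandbox, rather than trust a string classifier.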
Veracode
added 2026/05/16 5:12 a.m. | 9 views

Command Injection

mcp-server-semgrep is vulnerable to Command Injection. The vulnerability is due to improper sanitization of the ID argument in multiple MCP interface functions, which allows an attacker to inject and execute arbitrary OS commands remotely...

CVSS 7.5 | AI score 7.3 | EPSS 0.01394
Exploits: 0 | References: 8 | Affected software: 1
Veracode
added 2026/05/16 5:10 a.m. | 10 views

OS Command Injection

@siteboon/claude-code-ui is vulnerable to OS Command Injection. The vulnerability is due to the use of execAsync with string interpolation of user-controlled Git parameters such as file, branch, message, and commit, which allows an authenticated attacker to execute arbitrary OS commands...

CVSS 9.1 | AI score 6.1 | EPSS 0.00437
Exploits: 0 | References: 4 | Affected software: 1
Veracode
added 2026/05/16 5:08 a.m. | 15 views

Command Injection

Godot MCP is vulnerable to Command Injection. The vulnerability is due to passing user-controlled input directly to exec without sanitization, which allows an attacker to inject shell commands and achieve remote code execution...

CVSS 7.8 | AI score 6.1 | EPSS 0.00853
Exploits: 1 | References: 5 | Affected software: 1
RedhatCVE
added 2026/05/16 1:56 a.m. | 9 views

CVE-2026-45369

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix o...

CVSS 8.3 | AI score 5.9 | EPSS 0.00272
Exploits: 0 | References: 1
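The entries above for uniget, Arcane, kubeai, claude-code-ui, Godot MCP and python-utcp share one defect: an attacker-controlled string is spliced into a command line that is then handed to /bin/sh -c or /bin/bash -c. The Python example below is added here and is not code from any of those projects; the command template, the printf stand-in for the real tool, the allowlist and the payload are constructed for the illustration. It runs the same value through the vulnerable form, through shlex.quote, and through an argv list with no shell at all, and adds the positive validation a practitioner would put in front of all three.

```python
import re
import shlex
import shutil
import subprocess
import sys

# A shell to demonstrate with (the entries use /bin/bash -c and /bin/sh -c).
SHELL = shutil.which("bash") or shutil.which("sh")

# Constructed attacker-controlled value: stands in for a metadata "check"
# field, a lifecycle label, a model ref or a tool argument.
PAYLOAD = "model.bin; echo INJECTED"


def vulnerable_argv(ref: str) -> list:
    """The pattern behind the entries: text spliced into a -c string.

    The shell re-parses the whole string, so the `;` in `ref` ends the
    intended command and starts the attacker's.
    """
    return [SHELL, "-c", f"printf '%s\\n' {ref}"]


def quoted_argv(ref: str) -> list:
    """Still a shell string, but `ref` is wrapped by shlex.quote so the shell
    sees exactly one word.  Use only when a shell is unavoidable."""
    return [SHELL, "-c", f"printf '%s\\n' {shlex.quote(ref)}"]


def argv_form(ref: str) -> list:
    """No shell at all: `ref` is one argv element and is never parsed.
    The Python interpreter plays the role of the external tool here."""
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", ref]


# Constructed allowlist for a "ref"-like value: fullmatch anchors both ends,
# so a newline or any shell metacharacter anywhere in the value fails.
REF_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/:-]{0,199}")


def validate_ref(ref: str) -> bool:
    """Positive validation applied before the value reaches any command."""
    return REF_ALLOWED.fullmatch(ref) is not None


def run(argv: list) -> list:
    """Execute argv and return stdout as a list of lines."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    if SHELL:
        print("vulnerable:", run(vulnerable_argv(PAYLOAD)))  # ['model.bin', 'INJECTED']
        print("quoted:    ", run(quoted_argv(PAYLOAD)))      # ['model.bin; echo INJECTED']
    print("argv:      ", run(argv_form(PAYLOAD)))            # ['model.bin; echo INJECTED']
    print("allowlist: ", validate_ref(PAYLOAD), validate_ref("model.bin"))  # False True
```

The argv form is the fix to prefer: there is no shell to parse the value, so quoting cannot be forgotten or applied to the wrong layer. shlex.quote is the fallback when a shell must be used (a pipeline, a script template), and the allowlist belongs in front of either, because it also rejects values that are harmless to the shell but not to the tool they are passed to.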
SUSE CVE
added 2026/05/16 1:11 a.m. | 12 views

SUSE CVE-2026-46483

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the...

CVSS 7.8 | AI score 5.9 | EPSS 0.00552
Exploits: 0 | References: 13
Mageia
added 2026/05/16 12:52 a.m. | 13 views

Updated samba packages fix security vulnerabilities

An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store (CVE-2018-14628). Command injection in WINS server hook...

CVSS 10.0 | AI score 6.8 | EPSS 0.38991
Exploits: 3 | References: 2
Tenable Nessus
added 2026/05/16 12:00 a.m. | 8 views

Linux Distros Unpatched Vulnerability : CVE-2026-46483

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar in runtime/autoload/tar.vim when...

CVSS 7.0 | AI score 6.0 | EPSS 0.00552
Exploits: 0 | References: 3
Tenable Nessus
added 2026/05/16 12:00 a.m. | 10 views

SUSE SLES15 Security Update : python39 (SUSE-SU-2026:1818-1)

The remote SUSE Linux SLES15 / SLES SAP 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1818-1 advisory. Security issues fixed: - CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969). - CVE-2026-3446: base6...

CVSS 9.1 | AI score 6.8 | EPSS 0.00517
Exploits: 1 | References: 20
Veracode
added 2026/05/15 9:12 p.m. | 7 views

Improper Input Validation

zabbix is vulnerable to Improper Input Validation. The vulnerability is due to a validation regex running in multiline mode, which allows an authenticated attacker to bypass the ^ and $ anchor checks with injected newline characters and inject shell commands...

CVSS 7.7 | AI score 5.9 | EPSS 0.00248
Exploits: 0 | References: 3 | Affected software: 1
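The Zabbix entry above describes a validation regex that anchors with ^ and $ but runs in multiline mode, so an injected newline satisfies the anchors on the first line while the rest of the value rides through to the shell. The Python example below is added here and is not Zabbix code; the hostname rule, the command template and the payload are constructed. Python's re module has the same anchor semantics as the PCRE used by most C projects: with the multiline flag, ^ and $ match at every line boundary, and even without it $ still matches just before a trailing newline. \A, \Z or fullmatch() are the anchors that actually cover the whole value.

```python
import re
import shlex

# Constructed validation rule: a "hostname-like" value.
CHARSET = r"[A-Za-z0-9._-]+"

MULTILINE_RULE = re.compile(rf"^{CHARSET}$", re.MULTILINE)  # the flawed check
LINE_ANCHORED = re.compile(rf"^{CHARSET}$")                  # still not enough
WHOLE_VALUE = re.compile(rf"\A{CHARSET}\Z")                  # hardened


def accepted_multiline(value: str) -> bool:
    """Passes if ANY line of the value matches: the bug the entry describes."""
    return MULTILINE_RULE.search(value) is not None


def accepted_line_anchored(value: str) -> bool:
    """Without the multiline flag, $ still matches before a final newline."""
    return LINE_ANCHORED.match(value) is not None


def accepted_whole_value(value: str) -> bool:
    """\\A and \\Z span the entire string, newlines included."""
    return WHOLE_VALUE.match(value) is not None


def build_script(host: str) -> str:
    """Constructed downstream use: the validated value lands in a shell
    script, where a newline separates commands just as a semicolon does."""
    return f"ping -c 1 {host}"


def build_script_quoted(host: str) -> str:
    """Defence in depth: a value that slipped past validation is still one word."""
    return f"ping -c 1 {shlex.quote(host)}"


if __name__ == "__main__":
    # Constructed payload: a valid first line, then a second command.
    payload = "host01\nid"
    print("multiline accepts:   ", accepted_multiline(payload))        # True
    print("line-anchored accepts:", accepted_line_anchored(payload))   # False
    print("line-anchored accepts trailing newline:",
          accepted_line_anchored("host01\n"))                          # True
    print("whole-value accepts: ", accepted_whole_value(payload))      # False
    print(build_script(payload).splitlines())   # ['ping -c 1 host01', 'id']
    print(repr(build_script_quoted(payload)))   # "ping -c 1 'host01\\nid'"
```

The second check is the subtle one: dropping the multiline flag closes the "any line matches" hole but leaves a trailing newline accepted, and a trailing newline is enough to terminate a command in a generated script. Anchoring with \A and \Z (or using fullmatch) fixes the validator; quoting at the point of use keeps a future validator bug from becoming a command injection again.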