EUVD-2026-30475

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix o...

CVE-2026-45370

CVE-2026-45370 affects the python-utcp project. The vulnerability resides in _prepare_environment() in cli_communication_protocol.py, which before version 1.1.3 passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, this can allow an attacker to exfiltrate al...

CVE-2026-45370 python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection

python-utcp is the python implementation of UTCP. Prior to 1.1.3, prepareenvironment in clicommunicationprotocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single tool call. This...

EUVD-2026-30477

python-utcp is the python implementation of UTCP. Prior to 1.1.3, prepareenvironment in clicommunicationprotocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single tool call. This...

CVE-2026-36741

U-SPEED AC1200 Gigabit Wi-Fi Router Model: T18-21K V1.0 is vulnerable to Command Injection. The Network Time Protocol NTP configuration interface does not properly sanitize user-supplied input. An authenticated user with permission to configure NTP settings can inject arbitrary system commands...

CVE-2026-44867

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system...

CVE-2026-44868

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system...

CVE-2026-26191 Fleet vulnerable to OS command injection in software packages

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root macOS/Linux or SYSTEM Windows on managed endpoints when an uninstall is triggered. When a...

EUVD-2026-30376

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root macOS/Linux or SYSTEM Windows on managed endpoints when an uninstall is triggered. When a...

CVE-2026-26191 Fleet vulnerable to OS command injection in software packages

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root macOS/Linux or SYSTEM Windows on managed endpoints when an uninstall is triggered. When a...

CVE-2026-26191

Fleet prior to version 4.81.0 is affected by a vulnerability in the software installer pipeline where metadata from uploaded packages (pkg, deb, rpm, exe, msi) is used to generate uninstall scripts without proper sanitization. A crafted package could cause arbitrary commands to run with root priv...

CVE-2026-41315 mdserver-web: Missing Authorization and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modifycrond and /starttask interfaces, it is possible to modify the default built-in scheduled tasks and start...

CVE-2026-41315 mdserver-web: Missing Authorization and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modifycrond and /starttask interfaces, it is possible to modify the default built-in scheduled tasks and start...

Command Injection

Overview @apostrophecms/cli is a Commandline generator and configurator for Apostrophe CMS Affected versions of this package are vulnerable to Command Injection via the apos create command when user-supplied input from the password prompt is embedded directly into a shell command without proper...

@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

Summary The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host...

CVE-2026-24712

Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection...

DEBIAN-CVE-2026-24712

Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows Command injection...

python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API

A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...

GHSA-9VCR-G537-3W5V Fleet vulnerable to OS command injection in software packages

Summary A vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root macOS/Linux or SYSTEM Windows on managed endpoints when an uninstall is triggered. Impact When a software package .pkg, .deb, .rpm, .exe, or .msi is uploaded...

Fleet vulnerable to OS command injection in software packages

Summary A vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root macOS/Linux or SYSTEM Windows on managed endpoints when an uninstall is triggered. Impact When a software package .pkg, .deb, .rpm, .exe, or .msi is uploaded...