CVE-2026-40038 Pachno 1.0.6 Stored Cross-Site Scripting via Multiple Parameters

Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, commentbody, articlecontent, description, and message parameters...

CVE-2026-39382

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an...

CVE-2026-39382 dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an...

CVE-2026-39382

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an...

EUVD-2026-19918

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an...

CVE-2026-39382

In CVE-2026-39382, the vulnerability arises in a dbt workflow where the prep job uses peter-evans/find-comment to fetch a comment-body, which is then interpolated into a shell command without escaping. This allows attacker-controlled text to break out of quotes and inject arbitrary shell commands...

PT-2026-31009

Name of the Vulnerable Software and Affected Versions dbt affected versions not specified Description dbt allows data analysts and engineers to transform data using software engineering practices. A command injection issue exists in the workflow located at...

CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issuecomment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVE-2026-34243

CVE-2026-34243 affects the Wenxian tool (versions up to 0.3.1 and earlier) where a GitHub Actions workflow uses untrusted input from issue_comment.body directly inside a shell command, enabling command injection and potential arbitrary code execution on the runner. The vulnerability stems from in...

EUVD-2006-1147

Malware in sbrugna...

EUVD-2022-32465

Malicious code in bioql PyPI...

CVE-2024-56939

LearnDash v6.7.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the ld-comment-body class...

CVE-2024-56939

LearnDash v6.7.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the ld-comment-body class...

LearnDash 安全漏洞

LearnDash is a learning management system from LearnDash, Inc. A security vulnerability exists in LearnDash version v6.7.1, which stems from the ld-comment-body class containing a stored cross-site scripting vulnerability...

PT-2025-6731 · Learndash · Learndash

Name of the Vulnerable Software and Affected Versions: LearnDash version 6.7.1 Description: A stored Cross-Site Scripting XSS issue was found in the ld-comment-body class. This allows for malicious scripts to be stored and executed on the site, potentially affecting user sessions. Recommendations...

ONS Digital RAS Collection Instrument 操作系统命令注入漏洞

ONS Digital RAS Collection Instrument is an application from ONS Digital that is responsible for collection exercises and instrument uploads. An operating system command injection vulnerability exists in ONS Digital RAS Collection Instrument versions prior to 2.0.28, which stems from a security...

CVE-2022-27979

A cross-site scripting XSS vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component...

CVE-2022-27979

A cross-site scripting XSS vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component...

Cross site scripting

A cross-site scripting XSS vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component...

CVE-2022-27979

A cross-site scripting XSS vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component...