51 matches found
PT-2026-50083
Name of the Vulnerable Software and Affected Versions: TL-WR940N version 6. Description: An authenticated OS command injection exists in the IPv6 PPPoE configuration handler due to improper sanitization of user input. An attacker with administrative access can exploit this to execute arbitrary syste...
EUVD-2026-33555
A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.30. Affected by this issue is the function sanitizeenvlines of the file hermescli/config.py. The manipulation results in injection. It is possible to launch the attack remotely. The attack requires a high level of...
CVE-2026-31254
The flash-attention project through commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...
OpenClaw security vulnerability
OpenClaw is a command line tool for rights management. An improper access control vulnerability exists in OpenClaw versions prior to 2026.3.12, which stems from a lack of owner-level permission checking in the /config and /debug command handlers. An attacker can use this vulnerability to read or...
CVE-2026-4466 Comfast CF-AC100 mbox-config command injection
A vulnerability has been found in Comfast CF-AC100 2.6.0.8. This affects an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntptimezone. The manipulation leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public an...
CVE-2026-22323 Cross-Site Request Forgery in Link Aggregation Configuration
A CSRF vulnerability in the Link Aggregation configuration interface allows an unauthenticated remote attacker to trick authenticated users into sending unauthorized POST requests to the device by luring them to a malicious webpage. This can silently alter the device’s configuration without the...
EUVD-2026-11659
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the setconfig function. This vulnerability allows attackers to execute arbitrary commands via a crafted input...
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
Summary OpenClaw hook mapping transforms could be loaded via absolute paths or .. traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration. Affected Versions - Affected: = 2.0.0-beta3 and = 2026.2.13 - Fixed: 2026.2.1...
CVE-2026-28515
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this...
@n8n/ai-workflow-builder (>=1.0.2 <=1.1.1), @n8n/backend-common (>=1.0.2 <=1.1.1) +6 more potentially affected by CVE-2026-27498 via @n8n/config (>=2.0.0 <=2.0.1)
@n8n/config NPM version =2.0.0, =1.0.2, =1.0.2, =1.0.3, =1.0.3, =2.0.2, =2.0.2, =0.1.0, =0.11.0 Source cves: CVE-2026-27498 Source advisory: SNYK:JS-N8NCONFIG-15357607...
CVE-2026-2535
The CVE-2026-2535 entry affects Comfast CF-N1 V2 2.6.0.2. The vulnerability exists in the function sub_44AB9C within /cgi-bin/mbox-config?method=SET&section=ptest_channel; manipulating the channel argument leads to command injection. Exploitation can be performed remotely, and public proof of con...
PT-2026-8311
A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET&section=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has bee...
PT-2026-6396
Summary The application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle MitM attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations,...
Huawei EulerOS: Security Advisory for pam (EulerOS-SA-2026-1016)
The remote host is missing an update for the Huawei EulerOS. SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
CVE-2022-27218
Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
@klardaten/n8n-nodes-datevconnect (>=1.0.1 <=1.0.2), @n8n/ai-workflow-builder (>=0.2.0 <=0.28.0) +15 more potentially affected by CVE-2025-65964 via @n8n/config (>=1.15.0 <=1.60.0)
@n8n/config NPM version =1.15.0, =1.0.1, =0.2.0, =1.3.0, =0.23.8, =1.51.0, =1.65.0, =1.65.0, =1.0.1, =0.3.3, =0.1.3, =0.2.0, =0.2.0, =0.1.0, =0.1.1 - n8n-nodes-tiny-request =0.1.0 and more Source cves: CVE-2025-65964 Source advisory: SNYK:JS-N8NCONFIG-14222433...
@n8n/ai-workflow-builder (=1.0.0-rc.0), @n8n/backend-common (=1.0.0-rc.0) +5 more potentially affected by CVE-2025-68668 via @n8n/config (=2.0.0-rc.0)
@n8n/config NPM version =2.0.0-rc.0 is affected by a known vulnerability. The following packages have a transitive dependency on @n8n/config and may be impacted: - @n8n/ai-workflow-builder =1.0.0-rc.0 - @n8n/backend-common =1.0.0-rc.0 - @n8n/backend-test-utils =1.0.0-rc.0 - @n8n/db =1.0.0-rc.0 -...
CVE-2025-62363
yt-grabber-tui is a terminal user interface application for downloading videos. In versions before 1.0-rc, the application allows users to configure the path to the yt-dlp executable via the pathtoytdlp configuration setting. An attacker with write access to the configuration file or the filesyst...
EUVD-2012-0102
Malware in sbrugna...
EUVD-2024-32203
Malicious code in bioql PyPI...