18 matches found
CVE-2026-45033
GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent...
EUVD-2026-28914
The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an...
CVE-2026-35582
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...
Improper Encoding or Escaping of Output
Overview: Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the getCommand process. An attacker can execute arbitrary operating system commands by supplying specially crafted values to the INFILEENDING or OUTFILEENDING configuration keys, which are...
Information Exposure
Overview: @openclaw/nostr is an OpenClaw Nostr channel plugin for NIP-04 encrypted DMs. Affected versions of this package are vulnerable to Information Exposure in the config.get process. An attacker can obtain sensitive plaintext signing keys by accessing configuration views that expose the secret...
EUVD-2024-0297
Malicious code in bioql PyPI...
EUVD-2022-3727
Malicious code in bioql PyPI...
LF Edge eKuiper Vulnerable to Stored XSS in Configuration Key Functionality
Summary: A Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware,...
CVE-2024-27894
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will...
CVE-2024-27894 Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying
The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. The supported URL schemes include "file", "http", and "https". When a function is created using this method, the Functions Worker will...
CVE-2024-27894
The CVE describes a vulnerability in Apache Pulsar where the Functions Worker can create functions whose implementation is fetched from a URL (file, http, https). An authenticated attacker could read any file the worker process can access (including environment secrets) and use the worker as a pr...
Design/Logic Flaw
CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs, which could allow them to escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys...
CVE-2023-46741 CubeFS leaks magic secret key when starting Blobstore access service
CubeFS is an open-source cloud-native file storage system. A vulnerability was found in CubeFS prior to version 3.3.1 that could allow users to read sensitive data from the logs, which could allow them to escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys...
CubeFS Security Vulnerability
CubeFS is a cloud-native file storage system for individual developers. A security vulnerability exists in CubeFS versions prior to 3.3.1 that stems from leaking configuration keys in plaintext format in logs. An attacker could exploit the vulnerability to read sensitive data from logs to escalate...
ChuanhuChatGPT Access Control Error Vulnerability
ChuanhuChatGPT is a light and easy-to-use Web GUI for ChatGPT/ChatGLM/LLaMA/StableLM/MOSS and many other LLMs. A security vulnerability exists in ChuanhuChatGPT 20230526 and earlier versions, which originates from allowing an unauthorized attacker to access the config.json file. The vulnerability...
Magento Filter extension bypass via crafted store configuration keys
A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the malicious uploa...
Arbitrary File Upload
magento/community-edition is vulnerable to arbitrary file upload. A file upload filter bypass allows users with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the malicious upload and execution of...
CVE-2019-7912
A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the malicious uploa...