167 matches found
CVE-2026-10796
Vulnerability summary (CVE-2026-10796): nvm (Node Version Manager)
EUVD-2026-27009
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the extractLLM function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to...
CVE-2026-42076
CVE-2026-42076 affects Evolver, a GEP-powered self-evolving engine for AI agents. A command injection flaw exists in the _extractLLM() function prior to version 1.69.3: the code builds a curl command via string concatenation and passes it to execSync() without proper sanitization, enabling remote...
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
Summary: A command injection vulnerability in the extractLLM function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync without proper sanitization, enabling remote code execution when the...
GHSA-J5W5-568X-RQ53 Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
Summary: A command injection vulnerability in the extractLLM function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync without proper sanitization, enabling remote code execution when the...
Advisory ROSA-SA-2026-3138
Software: curl 7.61.1 OS: ROSA Virtualization 3.0 unaffected versions = curl-7.61.1-34.0.2.rv30.9 affected versions curl-7.61.1-34.0.2.rv30.9 CVE-ID: CVE-2025-9086 BDU-ID: 2025-12599 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the cURL command line utility is related to reading data beyond buffe...
curl: Missing enforcement of SFTP quote syntax can lead to operation on wrong object
Summary: curl supports -Q or --quote and libcurl CURLOPT_QUOTE to specify "commands" to execute for ftp and SFTP connections. The SFTP supports commands that perform operations on filesystem objects. When the object path has a filename, the caller is supposed to quote the parameter example: -Q...
Command Injection
figma-developer-mcp is vulnerable to Command Injection. The vulnerability is due to unsanitized input with shell metacharacters in a POST being passed to a fetchWithRetry curl command. An unauthenticated attacker with network access can inject and execute arbitrary OS commands as the MCP proces...
EUVD-2021-20335
Malware in sbrugna...
EUVD-2019-19166
Malware in sbrugna...
EUVD-2021-15592
Malware in sbrugna...
EUVD-2024-26974
Malicious code in bioql PyPI...
EUVD-2022-4541
Malicious code in bioql PyPI...
RLSA-2025:11797 Important: firefox security update
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox: thunderbird: Large branch table could lead to truncated instruction CVE-2025-8028 firefox: thunderbird: Memory safety bugs CVE-2025-8035 firefox: thunderbird:...
CVE-2025-5265
Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This bug only affects Firefox for Windows. Other versions of Firefox are unaffected. Th...
CVE-2025-5265
CVE-2025-5265 concerns Firefox on Windows where the Copy as cURL feature improperly escapes the ampersand, enabling a crafted command to trigger local code execution. The impact is described as potentially allowing arbitrary code execution on the user’s system when the user runs the affected curl...
CVE-2025-5264
CVE-2025-5264 involves insufficient escaping of the newline character in Firefox/Thunderbird Copy as cURL functionality, enabling a user to be tricked into executing a crafted command locally. Affected: Firefox < 139, Firefox ESR < 115.24/128.11, Thunderbird
Mozilla Thunderbird < 128.11
The version of Thunderbird installed on the remote Windows host is prior to 128.11. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-46 advisory. - Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory...
curl: curl -OJ allows creating custom .curlrc file which allows exfiltrating private data, among other things
Summary: If someone convinces someone to use curl -OJ http://example.com/somefile.txt, the Content-Disposition header can be used to create a .curlrc file if one doesn't exist and one is running curl from the home directory. From that point on, the attack controls any argument to all curl...
CVE-2025-4084
Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This bug only affects Firefox for Windows. Other versions of Firefox are unaffected. Thi...