42 matches found
EUVD-2026-37737
picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote...
CVE-2026-3490
CVE-2026-3490 affects picklescan prior to version 1.0.4, where the blocklist of dangerous functions is bypassed via pkgutil.resolve_name. The underlying issue is an incomplete blocklist that allows indirect REDUCE calls to resolve dangerous functions, enabling remote code execution (e.g., os.syst...
Important: postgresql16
Issue Overview: Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions...
CVE-2026-9009
The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func with n...
EUVD-2026-24135
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code...
CVE-2026-31019
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code...
CVE-2021-41403
flatCore-CMS version 2.0.8 calls dangerous functions, causing server-side request forgery vulnerabilities...
RealDefense SUPERAntiSpyware security vulnerability
RealDefense SUPERAntiSpyware is a security tool for detecting and removing malware from RealDefense USA. A security vulnerability exists in RealDefense SUPERAntiSpyware that stems from SAS Core Service exposing dangerous functions that could lead to local elevation of privilege...
GHSA-GJC5-8CFH-653X Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)
Summary: Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Details: Grav CMS uses a custom sandbox to protect the powerful Twig methods...
EUVD-2021-28431
Malicious code in bioql PyPI...
EUVD-2024-37326
Malicious code in bioql PyPI...
The vulnerability of the Swift Mailer module in the Drupal CMS system, related to the use of dangerous methods or functions, allows attackers to exploit it.
The vulnerability of the Swift Mailer module in the Drupal CMS system is related to the use of dangerous methods or functions. Exploiting this vulnerability could allow a malicious actor to execute a spear-phishing attack remotely...
Multiple vulnerabilities in Ricoh Streamline NX PC Client
Overview Ricoh Streamline NX PC Client provided by RICOH COMPANY, LTD. contains multiple vulnerabilities listed below. ricoh-2024-000004 Improper restriction of communication channel to intended endpoints CWE-923 - CVE-2024-36252 ricoh-2024-000005 Use of hard-coded credentials CWE-798 -...
PT-2023-6570 · Unknown · Eisbaer Scada
Name of the Vulnerable Software and Affected Versions: EisBaer Scada (affected versions not specified). Description: The issue is related to the use of dangerous methods or functions in the SCADA system. Exploitation of this issue may allow a remote attacker to execute arbitrary code. The estimated...
The vulnerability in the web server software for Inductive Automation Ignition allows a perpetrator to execute arbitrary code.
The vulnerability in Inductive Automation Ignition's web server software is related to the use of dangerous methods or functions. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code on the target system or cause service failures...
SUSE CVE-2007-2438
The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines...
PT-2022-14839 · Unknown · Getgrav/Grav
Name of the Vulnerable Software and Affected Versions: getgrav/grav versions prior to 1.7.34. Description: The issue concerns Server Side Template Injection via Twig, where Twig should not render dangerous functions by default, such as system. This is related to Code Injection in the GitHub...
The vulnerability of the ColdFusion software platform, related to the use of inherently dangerous functions, allows attackers to circumvent existing security restrictions and gain unauthorized access to protected information.
The vulnerability of the ColdFusion software platform is related to deficiencies in access control. Exploiting this vulnerability allows a malicious actor to bypass existing security restrictions and gain unauthorized access to protected information...