12 matches found
Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Description: Symfony Mailer selects a transport via the MAILER_DSN environment variable / configuration, e.g. smtp://..., sendmail://..., native://default. SendmailTransport invokes the local sendmail binary and supports two modes: -bs, speak SMTP over stdin (the default), and -t, read the message on...
CVE-2026-25157
OpenClaw/OpenClaw-related CVEs (CVE-2026-25157) describe OS command injection in sshNodeCommand and related SSH parsing logic, affecting macOS OpenClaw components prior to version 2026.1.29. The root causes are: (1) sshNodeCommand builds a shell script and escapes user input for a project path on...
PT-2026-5742
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.1.29. Description: OpenClaw is a personal AI assistant with an OS command injection issue. The sshNodeCommand function improperly escapes user-supplied project paths, leading to potential arbitrary command executi...
UBUNTU-CVE-2025-14946
A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process,...
EUVD-2025-34079
tracexec has env command argument injection via environment variables starting with dash in traced exec events...
GHSA-6FGX-X7M2-74QM tracexec has `env` command argument injection via environment variables starting with dash in traced exec events
Impact: For tracexec's command line reconstruction feature, when a traced process executes another process with an environment variable where the key starts with a dash, tracexec incorrectly shows its command line where such environment variables could cause argument injection for the env command...
SUSE CVE-2018-17456
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character...
The vulnerability of the “git clone” function in a distributed version control system like Git allows a perpetrator to execute arbitrary code.
The vulnerability of the “git clone” function in a distributed version control system like Git is related to the improper handling of the recursive “git clone” command applied to a superproject where the .gitmodules file contains a field with a URL starting with the character “-”. Exploiting...
The vulnerability of the Evince document viewing software lies in its inability to eliminate special elements, allowing a perpetrator to execute arbitrary commands.
The vulnerability in backend/comics/comics-document.c of the Evince document viewing software is related to the failure to eliminate special elements used in commands. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands using a specially prepared .cbt file, which is...
ALPINE-CVE-2017-8386
git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with...
CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
More info at https://symfony.com/cve-2026-45068...