67 matches found

Nuclei | added 2026/06/16 7:13 a.m. | 139 views

Apache Struts2 S2-062 - Remote Code Execution

Apache Struts2 S2-062 is vulnerable to remote code execution. The fix issued for CVE-2020-17530 (S2-061) was incomplete, meaning some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. id: CVE-2021-31805 info: name...

CVSS 9.8 | AI score 8.2 | EPSS 0.95922
Exploits 16 | References 5
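The double evaluation the S2-062 entry describes, modelled as an added example. This is a constructed toy template engine, not Struts or OGNL code: the %{...} syntax, the render context, the `<EXECUTED ...>` marker and the function names are assumptions for illustration. It shows why a value that arrives as data on the first pass becomes an expression on the second.

```python
"""Toy model of the double-evaluation bug class behind S2-061/S2-062.
Added, constructed example: the template syntax, the render context and the
functions below are assumptions for illustration, not Struts or OGNL code."""
import re

# %{...} marks an expression to evaluate, as in the advisory's forced-OGNL case.
EXPR = re.compile(r"%\{([^{}]*)\}")


def evaluate(expr: str, ctx: dict) -> str:
    """Evaluate one expression against the context.

    Plain context lookups return the stored value. Anything else stands in
    for an expression the real engine would execute; it is returned as a
    visible marker so the trace below shows when execution would happen."""
    expr = expr.strip()
    if expr in ctx:
        return str(ctx[expr])
    return f"<EXECUTED {expr}>"


def render_once(template: str, ctx: dict) -> str:
    """Fixed behaviour: evaluate expressions in the template exactly once.
    Whatever a lookup returns is treated as data and is not re-parsed."""
    return EXPR.sub(lambda m: evaluate(m.group(1), ctx), template)


def render_double(template: str, ctx: dict) -> str:
    """Vulnerable behaviour: the output of the first pass is fed back through
    the evaluator, so a %{...} string that arrived as *data* (for example from
    a request parameter stored in the context) is executed on the second pass."""
    first_pass = render_once(template, ctx)
    return render_once(first_pass, ctx)


def demo() -> dict:
    """Render the same tag attribute both ways with attacker-influenced data."""
    ctx = {
        "greeting": "Hello",
        # Constructed attacker-controlled value: it looks like an expression,
        # but the template author only ever intended it as a string.
        "user": "%{exec('id')}",
    }
    template = "%{greeting}, %{user}"
    return {
        "single": render_once(template, ctx),
        "double": render_double(template, ctx),
    }


if __name__ == "__main__":
    for mode, out in demo().items():
        print(f"{mode}: {out}")
```

The single-pass render leaves the payload inert in the output; the double-pass render executes it. The practical check this implies is the one the advisory hints at: untrusted input must never reach an attribute that the developer has marked for forced evaluation, because the engine cannot tell the second-pass expression from legitimate template text.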
Veracode | added 2026/02/21 5:07 a.m. | 3 views

Pretix Unsafely Evaluates Variables In Emails

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when "name" is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: - It was possible to exfiltrate...

CVSS 9 | AI score 5.7 | EPSS 0.00243
Exploits 0 | References 1 | Affected Software 1
RedhatCVE | added 2026/02/17 1:27 p.m. | 4 views

CVE-2026-2415

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...

CVSS 9 | AI score 5.5 | EPSS 0.00243
Exploits 0 | References 1
OSV | added 2026/02/16 12:30 p.m. | 6 views

GHSA-R8P8-QW9W-J9QV pretix unsafely evaluates variables in emails

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: - It was possible to exfiltrate informati...

CVSS 9 | AI score 5.5 | EPSS 0.00243
Exploits 0 | References 6
OSV | added 2026/02/16 11:15 a.m. | 8 views

PYSEC-2026-110

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...

CVSS 5.9 | AI score 5.8 | EPSS 0.00243
Exploits 0 | References 2
NVD | added 2026/02/16 11:15 a.m. | 7 views

CVE-2026-2415

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...

CVSS 9 | EPSS 0.00243
Exploits 0 | References 1
ATTACKERKB | added 2026/02/16 10:15 a.m. | 7 views

CVE-2026-2415

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...

CVSS 9 | AI score 5.5 | EPSS 0.00243
Exploits 0 | References 2 | Affected Software 1
CVE | added 2026/02/16 10:15 a.m. | 14 views

CVE-2026-2415

The CVE-2026-2415 affects pretix email templates where placeholders are rendered insecurely. Two issues are described: (1) information exfiltration via malicious placeholder names (e.g., {{event.__init__.__code__.co_filename}}) that can leak config data, including passwords or API keys, due to incomple...

CVSS 9 | AI score 5.5 | EPSS 0.00243
Exploits 0 | References 1 | Affected Software 1
Cvelist | added 2026/02/16 10:15 a.m. | 31 views

CVE-2026-2415 Unsafe variable evaluation in email templates

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: It was possible to exfiltrate information...

CVSS 9 | EPSS 0.00243
Exploits 0 | References 1
Positive Technologies | added 2026/02/16 12:00 a.m. | 6 views

PT-2026-8331

Name of the Vulnerable Software and Affected Versions: pretix, affected versions not specified. Description: The pretix software contains flaws in its email placeholder mechanism. This mechanism allows for the insertion of customer data into emails using placeholders. Two security issues were...

CVSS 9 | AI score 5.9 | EPSS 0.00243
Exploits 0 | References 11
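The exfiltration bug that the CVE-2026-2415 entries above describe (a placeholder name such as {{event.__init__.__code__.co_filename}} walking from a template variable into internal objects), as an added example. This is a constructed model of the bug class, not pretix's code or its template engine: the `Event`/`Settings` classes, the context keys, the `render_unsafe`/`render_safe` functions and the allowlist are assumptions for illustration. It contrasts open attribute traversal with an allowlist of placeholder names.

```python
"""Placeholder rendering with open attribute traversal versus an allowlist.
Added, constructed example of the bug class the pretix entries describe
(placeholder names that walk into internal objects and leak configuration).
The classes, context keys and function names are illustrative, not pretix's
code or its actual template engine."""
import re

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


class Settings:
    # Constructed secret: the kind of value that must never reach an email body.
    api_key = "constructed-api-key-0000"


class Event:
    def __init__(self, name: str):
        self.name = name
        self.settings = Settings()


def resolve_path(obj, path: str):
    """Follow a dotted attribute path, e.g. 'settings.api_key'."""
    for part in path.split("."):
        obj = getattr(obj, part)
    return obj


def render_unsafe(template: str, context: dict) -> str:
    """Vulnerable: the placeholder text is split on '.' and resolved against
    the context object by object, so any reachable attribute (dunder
    attributes, nested settings objects) can be pulled into the email."""
    def substitute(match: re.Match) -> str:
        head, _, rest = match.group(1).partition(".")
        value = context[head]
        if rest:
            value = resolve_path(value, rest)
        return str(value)
    return PLACEHOLDER.sub(substitute, template)


# Hardened: a fixed allowlist mapping placeholder names to accessor functions.
ALLOWED_PLACEHOLDERS = {
    "name": lambda ctx: ctx["name"],
    "event_name": lambda ctx: ctx["event"].name,
}


def render_safe(template: str, context: dict) -> str:
    """Hardened: only allowlisted names are expanded; anything else is an
    error rather than a lookup, so no attribute path is ever followed."""
    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in ALLOWED_PLACEHOLDERS:
            raise ValueError(f"unknown placeholder {key!r}")
        return str(ALLOWED_PLACEHOLDERS[key](context))
    return PLACEHOLDER.sub(substitute, template)


def safe_rejects(template: str, context: dict) -> bool:
    """True if the hardened renderer refuses the template."""
    try:
        render_safe(template, context)
    except ValueError:
        return True
    return False


# Constructed render context for the demo.
CONTEXT = {"name": "Alice", "event": Event("Example Conf")}

if __name__ == "__main__":
    leak = "Hi {{name}}, key={{event.settings.api_key}}"
    print(render_unsafe(leak, CONTEXT))
    print(render_unsafe("{{event.__init__.__code__.co_filename}}", CONTEXT))
    print(render_safe("Hi {{name}}, see you at {{event_name}}", CONTEXT))
    print(safe_rejects(leak, CONTEXT))
```

The unsafe renderer happily returns the constructed API key and the source file path of the `Event` constructor; the allowlisted renderer expands only the two names it knows and raises on everything else. The design point is that an allowlist of accessor functions, rather than a blocklist of attribute names, is what closes the class: there is no attribute walk left to escape from.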
EUVD | added 2025/10/03 8:07 p.m. | 6 views

EUVD-2024-0183

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 5.5 | EPSS 0.00451
Exploits 0 | References 4
EUVD | added 2025/10/03 8:07 p.m. | 7 views

EUVD-2024-0184

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 5.5 | EPSS 0.00451
Exploits 0 | References 4
EUVD | added 2025/10/03 8:07 p.m. | 5 views

EUVD-2025-4282

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.4 | EPSS 0.00403
Exploits 1 | References 5
EUVD | added 2025/10/03 8:07 p.m. | 2 views

EUVD-2024-0185

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 5.5 | EPSS 0.00451
Exploits 0 | References 4
RedhatCVE | added 2025/05/23 10:20 a.m. | 6 views

CVE-2024-32646

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or <address>.code and either the start or length arguments have side-effects...

CVSS 5.3 | AI score 7.1 | EPSS 0.00451
Exploits 0 | References 1
RedhatCVE | added 2025/05/23 8:36 a.m. | 2 views

CVE-2024-32647

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the create_from_blueprint builtin can result in a double eval vulnerability when raw_args=True and the args argument has side-effects. It can be seen that the build_create_IR function of t...

CVSS 5.3 | AI score 7 | EPSS 0.00451
Exploits 0 | References 1
RedhatCVE | added 2025/05/23 8:35 a.m. | 4 views

CVE-2024-32649

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the sqrt builtin can result in a double eval vulnerability when the argument has side-effects. It can be seen that the build_IR function of the sqrt builtin doesn't cache the argument to...

CVSS 5.3 | AI score 6.8 | EPSS 0.00451
Exploits 0 | References 1
Github Security Blog | added 2025/02/21 10:43 p.m. | 16 views

Vyper has a double eval in For List Iter

Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body, e.g. read a storage variable updated in the loop body, and thus lead to unexpected progra...

CVSS 7.5 | AI score 7 | EPSS 0.00403
Exploits 1 | References 5 | Affected Software 1
Vulnrichment | added 2025/02/21 9:32 p.m. | 16 views

CVE-2025-27104 double eval in For List Iter in Vyper

vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body, e.g. read a storage variable...

CVSS 2.3 | AI score 7.4 | EPSS 0.00403
Exploits 1 | References 2
CVE | added 2025/02/21 9:32 p.m. | 70 views

CVE-2025-27104

Vulnerability CVE-2025-27104 affects vyper (Pythonic Smart Contract Language for the EVM): a for-loop iterator target can cause multiple evaluations of the iterator expression, allowing side effects from the loop body to be consumed and interleaved with reads in the loop, leading to unexpected pr...

CVSS 7.5 | AI score 6.3 | EPSS 0.00403
Exploits 1 | References 2 | Affected Software 1
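The "double eval" pattern shared by the Vyper entries above (CVE-2024-32646, CVE-2024-32647, CVE-2024-32649 and CVE-2025-27104: a builtin's IR builder does not cache its argument, so an argument with side effects is evaluated more than once), as an added example. This is a constructed model, not Vyper's codegen: the nested-list mini IR, the `eval_ir` interpreter, the `bump` side effect and the `build_sqrt_*` builder functions are assumptions for illustration. It shows the uncached builder running the side effect twice and computing the wrong value, and the cached builder evaluating the argument exactly once.

```python
"""Argument double evaluation in IR construction: a toy model of the pattern
in the Vyper entries above, where a builtin's IR builder splices the argument
IR in twice instead of caching its value once. Added, constructed example;
the mini IR, interpreter and builder functions are assumptions, not Vyper's
codegen."""
import math


class State:
    """Interpreter state: one 'storage' counter plus bound `with` variables."""
    def __init__(self):
        self.counter = 0
        self.vars = {}


def eval_ir(node, st: State):
    """Evaluate a nested-list IR node. 'bump' is the only side effect."""
    if isinstance(node, int):
        return node
    if isinstance(node, str):            # reference to a `with`-bound variable
        return st.vars[node]
    op, *args = node
    if op == "seq":                      # evaluate in order, return the last
        result = 0
        for child in args:
            result = eval_ir(child, st)
        return result
    if op == "with":                     # ["with", name, value_ir, body_ir]
        name, value_ir, body = args
        st.vars[name] = eval_ir(value_ir, st)
        try:
            return eval_ir(body, st)
        finally:
            del st.vars[name]
    if op == "bump":                     # side effect: counter += 1, returns it
        st.counter += 1
        return st.counter
    if op == "mul":
        return eval_ir(args[0], st) * eval_ir(args[1], st)
    if op == "assert_nonneg":            # the range check a sqrt builtin needs
        value = eval_ir(args[0], st)
        if value < 0:
            raise AssertionError("negative sqrt argument")
        return value
    if op == "isqrt":
        return math.isqrt(eval_ir(args[0], st))
    raise ValueError(f"unknown op {op!r}")


def build_sqrt_uncached(arg_ir):
    """Vulnerable builder: `arg_ir` appears twice in the output IR, so it is
    evaluated twice and any side effect inside it runs twice."""
    return ["seq", ["assert_nonneg", arg_ir], ["isqrt", arg_ir]]


def build_sqrt_cached(arg_ir):
    """Fixed builder: evaluate the argument once into a temporary and refer
    to the temporary everywhere else."""
    return ["with", "x", arg_ir,
            ["seq", ["assert_nonneg", "x"], ["isqrt", "x"]]]


def compare():
    """Run both builders on an argument carrying a side effect.

    Returns (uncached_value, uncached_counter, cached_value, cached_counter)."""
    def side_effecting_arg():
        # Constructed argument: first evaluation yields 1*16, second 2*16.
        return ["mul", ["bump"], 16]

    st1 = State()
    v1 = eval_ir(build_sqrt_uncached(side_effecting_arg()), st1)
    st2 = State()
    v2 = eval_ir(build_sqrt_cached(side_effecting_arg()), st2)
    return v1, st1.counter, v2, st2.counter


if __name__ == "__main__":
    print(compare())   # (5, 2, 4, 1)
```

The uncached builder passes the range check on 16 but takes the square root of 32, and the storage counter has advanced twice; the cached builder sees 16 in both places and touches storage once. The review check this suggests for any IR or code generator is mechanical: an argument expression may appear in the emitted IR at most once unless it is provably pure, otherwise it is bound to a temporary first.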