CVE-2026-33140 PySpector: Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution

PySpector is a static analysis security testing SAST Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting XSS vulnerability in the HTML report generator. When PySpector scans a Python file containing...

GHSA-2GMV-2R3V-JXJ2 Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution

Summary PySpector versions = 0.1.6 are affected by a stored Cross-Site Scripting XSS vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads i.e. inside a string passed to eval , the flagged code snippet is interpolated into the HTML report...

CVE-2025-50881

The flow/admin/moniteur.php script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the action URL parameter, performs insufficient validation, and incorporates this input into a strin...

MAL-2026-1483 Malicious code in @jaime9008/math-service (npm)

Package classified as malware due to code obfuscation, use of eval for code execution, and a low number of published versions. The file lib/lib.js contains same obfuscated malware dropler as malicious react-refresh-update package, the author is same for both pacakge. --- -= Per source details. Do...

Malicious code in @jaime9008/math-service (npm)

Package classified as malware due to code obfuscation, use of eval for code execution, and a low number of published versions. The file lib/lib.js contains same obfuscated malware dropler as malicious react-refresh-update package, the author is same for both pacakge. --- -= Per source details. Do...

CVE-2025-50881

CVE-2025-50881 involves the Use It Flow admin page flow/admin/moniteur.php, vulnerable before version 10.0.0. The GET parameter action is unsafely incorporated into a string and evaluated via PHP eval(), after a flawed method_exists check that only validates the portion before the first parenthes...

Malicious Package

Overview @aifabrix/miso-client is a malicious package. This package was affected by the 'GlassWorm' supply chain attack. It includes a hidden malicious payload embedded with invisible Unicode characters. These characters hide a decoder that retrieves and executes a concealed payload through eval...

NiceGUI 跨站脚本漏洞

NiceGUI is an easy-to-use, Python-based UI framework developed under the open source license. Versions of NiceGUI prior to 3.8.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of eval in multiple client APIs, and incorrect escaping of method names, which...

Node Version Manager security vulnerability

Node Version Manager is an open-source node version manager developed by nvm.sh. Versions of Node Version Manager prior to 0.40.3 contain security vulnerabilities. These vulnerabilities stem from the nvmdownload function using eval to execute the wget command, and the NVMAUTHHEADER environment...

Dioxus Components security vulnerabilities

Dioxus Components is a basic component open-sourced by Dioxus Labs. Version 41e4242ecb1062d04ae42a5215363c1d9fd4e23a of Dioxus Components had a security vulnerability. This vulnerability stemmed from the useofanimatedopen function, which used the user-provided ID to format eval strings, potential...

openc3-api Vulnerable to Unauthenticated Remote Code Execution

Summary OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using Stringconverttovalue. For array-like inputs, converttovalu...

CVE-2025-14509

The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization...

CVE-2025-13307

CVE-2025-13307 affects the Ocean Modal Window WordPress plugin (versions before 2.3.3). The vulnerability arises from modal display logic that can be triggered by user-controlled conditions set by Editors/Administrators (edit_pages capability). These conditions are evaluated in an eval statement ...

TorchGeo Remote Code Execution Vulnerability

Impact TorchGeo 0.4–0.6.0 used an ""eval"" https://docs.python.org/3/library/functions.htmleval statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose ""torchgeo.models.getweight""...

CVE-2011-10033 WordPress Plugin is-human <= v1.4.2 Eval Injection RCE

The WordPress plugin is-human = v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval on user-controlled input, which can lead to execution of...

EUVD-2013-7270

Malware in sbrugna...

CVE-2025-48868 Horilla vulnerable to authenticated RCE via eval() in project_bulk_archive

Horilla is a free and open source Human Resource Management System HRMS. An authenticated Remote Code Execution RCE vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python’s eval function on a user-controlled query parameter in the projectbulkarchive view. This allows privileged use...

WordPress plugin Catalog Importer Scraper Crawler 代码注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A code injection vulnerability exists in...

PT-2025-34260 · Unknown +1 · Qwen3 Coder +1

Name of the Vulnerable Software and Affected Versions: vLLM affected versions not specified Description: An unsafe deserialization allows any authenticated user to execute arbitrary code on the server if they are able to get the model to pass the code as an argument to a tool call. The issue...

CVE-2013-10051

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote...