2567 matches found
MAL-2026-10452 Malicious code in markdown-editable-table (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b6b15669732f3eaec42e12c5f8d41a8f74d595fc04f709804de9768cb1719a94 The package's package.json declares a preinstall hook node index.d.js that runs automatically on npm install. The script in index.d.js base64-decodes...
MAL-2026-10444 Malicious code in markable-table (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd358271f202636f12507f09da4e8f00c900ba46c9dca25a5a0526d35b75bf1d [email protected] declares scripts.preinstall = 'node index.d.js'. index.d.js base64-decodes an embedded payload and invokes it through an...
Mongo-Express - Remote Code Execution
Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server. id: CVE-2020-24391 info: nam...
LotusCMS 3.0 - Remote Code Execution
LotusCMS 3.0 is susceptible to remote code execution via the Router function. This is done by embedding PHP code in the 'page' parameter, which will be passed to a eval call and allow remote code execution. id: CVE-2011-0518 info: name: LotusCMS 3.0 - Remote Code Execution author: pikpikcu...
PrestaShop - SQL Injection to Eval Injection
PrestaShop versions from 1.6.0.10 and before 1.7.8.7 contain an SQL injection caused by unsanitized user input, letting attackers chain the vulnerability to call PHP's Eval function, exploit requires attacker to send malicious input. id: CVE-2022-31181 info: name: PrestaShop - SQL Injection to Ev...
CVE-2026-13353
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for installaddon,...
Malicious code in auth-next-gen (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fe0926f0a2c1f47072efaac014be38bb00c8e9f31f59badf188b1ed74dd5c2ce On require of auth-next-gen, index.js loads lib/writer.js, which at module top level performs an axios GET against a base64-obfuscated URL...
EUVD-2025-210452
HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in...
CVE-2025-30007
HestiaCP prior to 1.9.5 is affected by an authenticated OS command injection via DNS record management. The vulnerability stems from insufficient input validation in is_dns_record_format_valid() and unsafe eval-based parsing in update_domain_zone(), which can allow a low-privilege authenticated u...
Malicious code in type-plint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37979cc60cff25e26406f3426f0dd7aeac12c13e55402c89f78228080cac0ad9 The package advertises itself as a pino-style logger but its exported middleware spawns lib/caller.js as a detached Node child process. lib/caller.js...
PT-2026-57246
Name of the Vulnerable Software and Affected Versions HestiaCP versions prior to 1.9.5 Description An authenticated OS command injection allows low-privilege users to execute arbitrary commands as root. The issue stems from insufficient input validation in the is dns record format valid function...
CVE-2026-54769
Langroid versions prior to 0.65.2 are affected by a critical Sandbox Escape leading to Remote Code Execution via incomplete mitigation in the TableChatAgent and VectorStore. The root cause is the use of eval() with an empty locals dict under full_eval=True, where builtins is not scrubbed from glo...
CVE-2026-54769 Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent
Langroid is a framework for building large-language-model-powered applications. Versions prior to 0.65.2 are vulnerable to a critical Sandbox Escape leading to Remote Code Execution RCE in its TableChatAgent and VectorStore capabilities. When these agents evaluate LLM-generated tool messages with...
Malicious code in fastify-addone (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf The package presents itself as fastify-plugin name fastify-addone, repository/homepage/bugs fields point at fastify/fastify-plugin and copies that...
Arbitrary Code Injection
Langroid is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper sandboxing of Python eval that fails to remove builtins, which allows an attacker to execute arbitrary operating system commands through crafted LLM-generated tool messages...
CVE-2026-14158
The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widgetlogicvisualcheckvisibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action...
CVE-2026-14158
The Widget Logic Visual plugin for WordPress is affected by a Remote Code Execution vulnerability in all versions up to 1.52. The issue arises in the widget_logic_visual_check_visibility flow and the widget-logic-update-conditional-tags AJAX action due to missing capability check and nonce verifi...
PT-2026-56310
Name of the Vulnerable Software and Affected Versions Widget Logic Visual versions prior to 1.53 Description Authenticated attackers with subscriber-level access and above can achieve remote code execution on the server. The issue occurs during the widget-logic-update-conditional-tags AJAX action...
Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent
Advisory Details Title: Sandbox Escape to Remote Code Execution via Incomplete eval Mitigation in TableChatAgent Description: Summary Langroid is vulnerable to a critical Sandbox Escape leading to Remote Code Execution RCE in its TableChatAgent and VectorStore capabilities. When these agents...
Arbitrary Code Injection
Overview langroid is a Harness LLMs with Multi-Agent Programming Affected versions of this package are vulnerable to Arbitrary Code Injection in the eval process used by certain agent components when evaluating external input with fulleval=True. An attacker can execute arbitrary system commands b...