336 matches found
CVE-2026-2296
The Product Addons for Woocommerce – Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions...
CVE-2026-2019
The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval function. This makes it possible for authenticated...
CVE-2026-1977
The CVE-2026-1977 entry concerns isaacwasserman mcp-vegalite-server. The vulnerability affects the eval usage in the visualize_data component, where manipulating the vegalite_specification argument can cause code injection. A remote attacker could exploit this, and public PoC details are noted. T...
CVE-2026-1977 isaacwasserman mcp-vegalite-server visualize_data eval code injection
A security vulnerability has been detected in isaacwasserman mcp-vegalite-server up to 16aefed598b8cd897b78e99b907f6e2984572c61. Affected by this vulnerability is the function eval of the component visualizedata. Such manipulation of the argument vegalitespecification leads to code injection. The...
PT-2026-6671
Name of the Vulnerable Software and Affected Versions isaacwasserman mcp-vegalite-server versions prior to 16aefed598b8cd897b78e99b907f6e2984572c61 Description A security issue exists in the eval function of the visualize data component. Manipulation of the vegalite specification argument can lea...
CVE-2020-37137
PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'addpanelform' function that allows attackers to execute arbitrary code through an eval function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panelcontent POST parameters to the...
CVE-2026-0769
CVE-2026-0769 (Langflow) is a remote-code-execution vulnerability in the Langflow project related to the function that handles eval_custom_component_code. The flaw stems from improper validation of a user-supplied string before it is used to execute Python code, allowing an attacker to run arbitr...
CVE-2026-23885
Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...
PT-2026-3507
Name of the Vulnerable Software and Affected Versions Alchemy versions prior to 7.4.12 Alchemy versions prior to 8.0.3 Description Alchemy, a Ruby on Rails content management system, allows an authenticated attacker to execute arbitrary system commands on the host operating system. The applicatio...
CVE-2020-7675
cd-messenger through 2.7.26 is vulnerable to Arbitrary Code Execution. User input provided to the color argument executed by the eval function resulting in code execution...
CVE-2020-7674
access-policy through 3.1.0 is vulnerable to Arbitrary Code Execution. User input provided to the template function is executed by the eval function resulting in code execution...
PT-2025-53921
Name of the Vulnerable Software and Affected Versions Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress versions up to and including 1.1.13 Description The software contains a PHP Code Injection issue stemming from the use of eval to process user-provided input from the 'Conditional...
EUVD-2025-199935
A security flaw has been discovered in Qualitor 8.20/8.24. Affected by this vulnerability is the function eval of the file /html/st/stdeslocamento/request/getResumo.php. Performing manipulation of the argument passageiros results in code injection. Remote exploitation of the attack is possible. T...
CVE-2025-12733 Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic
The Import any XML, CSV or Excel File to WordPress WP All Import plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval on unsanitized user-supplied input in the pmxiif function within helpers/functions.php. This mak...
PT-2025-46893
Name of the Vulnerable Software and Affected Versions GroupOffice versions prior to 25.0.47 GroupOffice versions prior to 6.8.136 Description A flaw exists that allows a remote attacker to execute arbitrary code. This is possible through the dbToApi and eval functions within the FunctionField.php...
CVE-2025-63406
An issue in Intermesh BV GroupOffice vulnerable before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via the dbToApi and eval in the FunctionField.php...
EUVD-2018-2168
Malware in sbrugna...
EUVD-2021-1043
Malware in sbrugna...
EUVD-2020-7651
Malware in sbrugna...
EUVD-2021-1110
Malware in sbrugna...