CVE-2023-22853

Tiki before 24.1, when featurecreatewebhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval...

CVE-2021-26276

scripts/cli.js in the GoDaddy node-config-shield aka Config Shield package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for use with untrusted data...

CVE-2019-10759

safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code...

CVE-2025-32461

wikipluginincludetpl in lib/wiki-plugins/wikipluginincludetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3...

Dynamic Variable Evaluation

Overview composio-core is a Core package to act as a bridge between composio platform and other services. Affected versions of this package are vulnerable to Dynamic Variable Evaluation through the eval function in the mathematicalcalculator endpoint. An attacker can execute arbitrary code by...

Arbitrary Command Injection

Overview lollms is a python library for AI personality definition Affected versions of this package are vulnerable to Arbitrary Command Injection in the calculate function, which uses the eval function without sufficient protection. An attacker can execute commands on the server by injecting...

CVE-2024-6982

Parisneo/lollms v9.8 exposes a remote code execution vulnerability in the Calculate function. The flaw stems from evaluating user-supplied expressions with Python eval() inside a sandbox that disables builtins and only permits math.*. An attacker can bypass the sandbox by loading the os module vi...

Medium: perl-Module-ScanDeps

Issue Overview: Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by opening a "pesky pipe" such as passing "commands|" as a filename or by passing arbitrary strings to eval...

DEBIAN-CVE-2024-9101

A reflected cross-site scripting XSS vulnerability in the 'Entry Chooser' of phpLDAPadmin version 1.2.1 through the latest version, 1.2.6.7 allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' functio...

AZL-53394 CVE-2024-10224 affecting package perl-Module-ScanDeps for versions less than 1.35-2

Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by opening a "pesky pipe" such as passing "commands|" as a filename or by passing arbitrary strings to eval...

The vulnerability of the eval function in software platforms for automating data exchange between MindsDB queues allows a hacker to execute arbitrary code.

The vulnerability of the eval function in software platforms for automating data exchange between MindsDB queues is related to improper code generation. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by introducing a specially crafted INSERT query...

MindsDB 安全漏洞

MindsDB is an emerging low-code machine learning platform from MindsDB, Inc. A security vulnerability exists in MindsDB versions 23.12.4.0 through 24.7.4.1, which stems from the presence of an arbitrary code execution vulnerability that is passed to the eval function and executed on the server if...

streamlit-geospatial 安全漏洞

streamlit-geospatial is an Open Geospatial Solutions open source streamlit multi-page application for geospatial applications. A security vulnerability exists in streamlit-geospatial, which originates in pages/1? The visparams variable in Timelapse.py accepts user input that is then used in the...

PYSEC-2024-62

Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary python code if the...

OESA-2024-1659 python-tqdm security update

tqdm derives from the Arabic word taqaddum which can mean "progress". Instantly make your loops show a smart progress meter - just wrap any iterable with tqdminterable, and you are done! Security Fixes: tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments...

DEBIAN-CVE-2024-34062

tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments e.g. --delim, --buf-size, --manpath are passed through python's eval, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All user...

tqdm 安全漏洞

tqdm is a fast, extensible progress bar for Python and the CLI from the tqdm open source. A security vulnerability exists in versions of tqdm prior to 4.66.3, which stems from the fact that any optional non-Boolean CLI arguments can be passed through python's eval, allowing arbitrary code executi...

CVE-2024-32649

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the sqrt builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the buildIR function of the sqrt builtin doesn't cache the argument to...

CVE-2024-32649

Vyper CVE-2024-32649 affects versions 0.3.10 and earlier, where the sqrt builtin’s build_IR does not cache its argument, allowing potential double evaluation when the argument has side-effects. The affected component is the sqrt builtin in Vyper’s IR generation, leading to multiple evaluations of...

CVE-2024-32647 vyper performs double eval of raw_args in create_from_blueprint

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the createfromblueprint builtin can result in a double eval vulnerability when rawargs=True and the args argument has side-effects. It can be seen that the buildcreateIR function of t...