2430 matches found

Cvelist
added 2025/11/14 5:02 p.m., 7 views

CVE-2025-13204

npm package expr-eval is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue...

EPSS: 0.00056
Exploits: 1, References: 7
Vulnrichment
added 2025/11/14 5:02 p.m., 3 views

CVE-2025-13204

npm package expr-eval is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue...

AI score: 7.5, EPSS: 0.00056
Exploits: 1, References: 7
Positive Technologies
added 2025/11/14 12:00 a.m., 0 views

PT-2025-46975

Name of the Vulnerable Software and Affected Versions: npm package expr-eval, affected versions not specified. Description: The npm package expr-eval is susceptible to a Prototype Pollution issue. An attacker who can access the express eval interface may leverage the JavaScript prototype-based...

CVSS: 7.3, AI score: 7.5, EPSS: 0.00056
Exploits: 1, References: 15
Vulnrichment
added 2025/11/13 3:27 a.m., 2 views

CVE-2025-12733 Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic

The Import any XML, CSV or Excel File to WordPress WP All Import plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval on unsanitized user-supplied input in the pmxiif function within helpers/functions.php. This mak...

CVSS: 8.8, AI score: 7.7, EPSS: 0.00259
Exploits: 0, References: 3
Cvelist
added 2025/11/13 3:27 a.m., 4 views

CVE-2025-12733 Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic

The Import any XML, CSV or Excel File to WordPress WP All Import plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. This is due to the use of eval on unsanitized user-supplied input in the pmxiif function within helpers/functions.php. This mak...

CVSS: 8.8, EPSS: 0.00259
Exploits: 0, References: 3
Positive Technologies
added 2025/11/13 12:00 a.m., 2 views

PT-2025-46893

Name of the Vulnerable Software and Affected Versions: GroupOffice versions prior to 25.0.47; GroupOffice versions prior to 6.8.136. Description: A flaw exists that allows a remote attacker to execute arbitrary code. This is possible through the dbToApi and eval functions within the FunctionField.php...

CVSS: 8.8, AI score: 7.1, EPSS: 0.00572
Exploits: 3, References: 6
Positive Technologies
added 2025/11/13 12:00 a.m., 3 views

PT-2025-46780

Name of the Vulnerable Software and Affected Versions: WP All Import versions up to and including 3.9.6. Description: The Import any XML, CSV or Excel File to WordPress WP All Import plugin for WordPress is susceptible to Remote Code Execution. This is caused by the use of eval on unsanitized...

CVSS: 8.8, AI score: 7.6, EPSS: 0.00259
Exploits: 0, References: 11
Vulnrichment
added 2025/11/13 12:00 a.m., 2 views

CVE-2025-63406

An issue in Intermesh BV GroupOffice vulnerable before v.25.0.47 and 6.8.136 allows a remote attacker to execute arbitrary code via the dbToApi and eval in the FunctionField.php...

AI score: 7.6, EPSS: 0.00572
Exploits: 3, References: 2
vulnersOsv
added 2025/11/11 4:43 p.m., 1 view

antgrid-server (>=0.0.2 <=0.0.3), kani-tts (=0.0.1) +3 more potentially affected by CVE-2025-33202 via nvidia-pytriton (=0.7.0)

nvidia-pytriton PYPI version =0.7.0 is affected by a known vulnerability. The following packages have a transitive dependency on nvidia-pytriton and may be impacted: - antgrid-server =0.0.2, =0.1.0, =0.1.0rc1, =0.1.0, =0.4.0 Source cves: CVE-2025-33202 Source advisory:...

CVSS: 6.5, AI score: 5.8, EPSS: 0.00074
Exploits: 0
RedHat Linux
added 2025/11/11 3:07 p.m., 1 view

redis: Lua library commands may lead to integer overflow and potential RCE

An integer overflow present in the Redis Lua scripting engine that allows an authenticated client to submit a specially crafted Lua script for example via EVAL/EVALSHA that can trigger memory corruption and potentially lead to remote code execution within the Redis server process...

CVSS: 8.8, AI score: 8, EPSS: 0.10506
Exploits: 1, References: 7
CERT
added 2025/11/07 12:00 a.m., 4 views

Vulnerability in expr-eval JavaScript library can lead to arbitrary code execution

Overview: The npm package expr-eval is a JavaScript library that evaluates mathematical expressions and is used in various applications, including NLP and AI. A vulnerability in this library has been disclosed that could allow arbitrary code execution by an attacker using maliciously crafted input...

CVSS: 9.8, AI score: 7.8, EPSS: 0.00074
Exploits: 1, References: 6
OSV
added 2025/11/05 3:30 a.m., 0 views

GHSA-JC85-FPWF-QM7X expr-eval does not restrict functions passed to the evaluate function

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate function and trigger arbitrary...

CVSS: 8.6, AI score: 7.4, EPSS: 0.00074
Exploits: 0, References: 11
Github Security Blog
added 2025/11/05 3:30 a.m., 8 views

expr-eval does not restrict functions passed to the evaluate function

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate function and trigger arbitrary...

CVSS: 9.8, AI score: 7.9, EPSS: 0.00074
Exploits: 0, References: 12, Affected software: 2
vulnersOsv
added 2025/11/05 3:30 a.m., 3 views

10minions-engine (>=0.0.1 <=0.0.4), 3ui (>=0.1.0 <=0.1.8) +1043 more potentially affected by CVE-2025-12735 via expr-eval (>=0.12.0 <=2.0.2)

expr-eval NPM version =0.12.0, =0.0.1, =0.1.0, =1.0.2, =1.2.0, =1.0.0, =0.0.9, =0.0.1, =0.1.4, =0.0.11, =0.0.1, =0.0.0, =0.0.1 - @alphalang-ai/alphalang =0.0.1-alpha and more Source cves: CVE-2025-12735 Source advisory: OSV:GHSA-JC85-FPWF-QM7X...

CVSS: 9.8, AI score: 7.3, EPSS: 0.00074
Exploits: 0
OSV
added 2025/11/05 1:15 a.m., 2 views

CVE-2025-12735

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluat...

CVSS: 9.8, AI score: 7.9
Exploits: 0, References: 9
vulnersOsv
added 2025/11/05 12:52 a.m., 1 view

10minions-engine (>=0.0.1 <=0.0.4), 3ui (>=0.1.0 <=0.1.8) +1043 more potentially affected by CVE-2025-12735 via expr-eval (>=0.12.0 <=2.0.2)

expr-eval NPM version =0.12.0, =0.0.1, =0.1.0, =1.0.2, =1.2.0, =1.0.0, =0.0.9, =0.0.1, =0.1.4, =0.0.11, =0.0.1, =0.0.0, =0.0.1 - @alphalang-ai/alphalang =0.0.1-alpha and more Source cves: CVE-2025-12735 Source advisory: SNYK:JS-EXPREVAL-13833679...

CVSS: 9.8, AI score: 7.3, EPSS: 0.00074
Exploits: 0
Vulnrichment
added 2025/11/05 12:22 a.m., 1 view

CVE-2025-12735

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluat...

AI score: 7.9, EPSS: 0.00074
Exploits: 0, References: 7
Cvelist
added 2025/11/05 12:22 a.m., 5 views

CVE-2025-12735

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluat...

EPSS: 0.00074
Exploits: 0, References: 7
Positive Technologies
added 2025/11/05 12:00 a.m., 1 view

PT-2025-45064

Name of the Vulnerable Software and Affected Versions: expr-eval versions prior to 3.0.0; expr-eval-fork versions prior to 3.0.0. Description: The expr-eval library, a JavaScript expression parser and evaluator, is susceptible to remote code execution (RCE). This issue stems from inadequate input...

CVSS: 9.8, AI score: 8.3, EPSS: 0.00074
Exploits: 0, References: 44
RedHat Linux
added 2025/11/03 1:42 a.m., 2 views

redis: Lua library commands may lead to integer overflow and potential RCE

An integer overflow present in the Redis Lua scripting engine that allows an authenticated client to submit a specially crafted Lua script for example via EVAL/EVALSHA that can trigger memory corruption and potentially lead to remote code execution within the Redis server process...

CVSS: 8.8, AI score: 8, EPSS: 0.10506
Exploits: 1, References: 7