Lucene search

2433 matches found

CNNVD
added 2025/06/17 12:0 a.m. · 1 views

Conda Constructor command injection vulnerability

Conda Constructor is a Conda open source tool for creating installers from conda packages. A command injection vulnerability exists in versions of Conda Constructor prior to 3.11.3, which stems from the execution of unsanitized user input when the eval statement handles the installer prefix, and...

7.5 AI score · 0.00076 EPSS
Exploits 0 · References 4
Cvelist
added 2025/06/16 8:10 p.m. · 14 views

CVE-2025-32798 Conda-build Allows Arbitrary Code Execution via Malicious Recipe Selectors

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval function to process...

9.2 CVSS · 0.01209 EPSS
Exploits 1 · References 3
Vulnrichment
added 2025/06/16 8:10 p.m. · 2 views

CVE-2025-32798 Conda-build Allows Arbitrary Code Execution via Malicious Recipe Selectors

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval function to process...

9.2 CVSS · 7.5 AI score · 0.01209 EPSS
Exploits 1 · References 3
OSV
added 2025/06/16 8:10 p.m. · 4 views

CVE-2025-32798 Conda-build Allows Arbitrary Code Execution via Malicious Recipe Selectors

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval function to process...

9.2 CVSS · 8 AI score · 0.01209 EPSS
Exploits 1 · References 5
Cvelist
added 2025/06/16 2:0 a.m. · 10 views

CVE-2025-6101 letta-ai letta interface.py function_message eval injection

A vulnerability classified as critical has been found in letta-ai letta up to 0.4.1. Affected is the function function_message of the file letta/letta/interface.py. The manipulation of the argument function_name/function_args leads to improper neutralization of directives in dynamically evaluated...

5.5 CVSS · 0.00099 EPSS
Exploits 0 · References 4
CVE
added 2025/06/16 2:0 a.m. · 17 views

CVE-2025-6101

CVE-2025-6101 affects the letta-ai letta project up to version 0.4.1. The vulnerable component is the function_message logic in the file letta/letta/interface.py, where manipulation of the arguments function_name/function_args enables improper neutralization of directives in dynamically evaluated...

5.5 CVSS · 5.6 AI score · 0.00099 EPSS
Exploits 0 · References 4
Vulnrichment
added 2025/06/16 2:0 a.m. · 4 views

CVE-2025-6101 letta-ai letta interface.py function_message eval injection

A vulnerability classified as critical has been found in letta-ai letta up to 0.4.1. Affected is the function function_message of the file letta/letta/interface.py. The manipulation of the argument function_name/function_args leads to improper neutralization of directives in dynamically evaluated...

5.5 CVSS · 7.2 AI score · 0.00099 EPSS
Exploits 0 · References 4
Positive Technologies
added 2025/06/16 12:0 a.m. · 3 views

PT-2025-25585 · Unknown · Conda-Build

Name of the Vulnerable Software and Affected Versions: conda-build versions prior to 25.4.0
Description: The conda-build recipe processing logic is vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. This is because conda-build uses the eval function to process...

9.8 CVSS · 7.4 AI score · 0.01209 EPSS
Exploits 1 · References 8
CNNVD
added 2025/06/13 12:0 a.m. · 1 views

conda forge ci-setup security vulnerability

conda forge ci-setup is an open source library from the conda forge community. A security vulnerability exists in conda forge ci-setup, which stems from the unsafe use of the eval function and could lead to arbitrary code execution...

7.3 CVSS · 7.6 AI score · 0.00068 EPSS
Exploits 0 · References 3
OSSF Malicious Packages
added 2025/06/10 8:26 p.m. · 2 views

Malicious code in gclient-eval (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5e9ffb1a50c4ad309a03eadf4dd05776ca6e5ac0e03e118c1f7c74bb2c1d5b3f Research packages targeting typosquatting and dependency confusions, without really harmful behaviour - just calling home through DNS resolver. Related to...

7.2 AI score
Exploits 0 · References 1
OSV
added 2025/06/10 8:26 p.m. · 2 views

MAL-2025-191737 Malicious code in gclient-eval (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5e9ffb1a50c4ad309a03eadf4dd05776ca6e5ac0e03e118c1f7c74bb2c1d5b3f Research packages targeting typosquatting and dependency confusions, without really harmful behaviour - just calling home through DNS resolver. Related to...

7.1 AI score
Exploits 0 · References 1
OSV
added 2025/06/10 11:48 a.m. · 5 views

BIT-MARIADB-MIN-2021-27928

A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database...

9 CVSS · 7.3 AI score · 0.48947 EPSS
Exploits 8 · References 10
VulnCheck KEV
added 2025/06/08 12:0 a.m. · 0 views

VulnCheck KEV: CVE-2025-0868

A vulnerability that could result in Remote Code Execution (RCE) has been found in DocsGPT. Due to improper parsing of JSON data using eval, an unauthorized attacker could send arbitrary Python code to be executed via the /api/remote endpoint. This issue affects DocsGPT: from 0.8.1 through 0.12.0...

9.3 CVSS · 7.4 AI score · 0.17281 EPSS
Exploits 3 · References 1
RedhatCVE
added 2025/05/23 8:39 a.m. · 1 views

CVE-2024-23346

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the JonesFaithfulTransformation.from_transformation_str method within the pymatgen library prior to version 2024.2.20. This method insecurely utilizes eval for...

9.3 CVSS · 7.6 AI score · 0.54892 EPSS
Exploits 8 · References 1
RedhatCVE
added 2025/05/23 7:47 a.m. · 4 views

CVE-2024-46946

langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05)...

9.8 CVSS · 7.8 AI score · 0.00661 EPSS
Exploits 1 · References 1
RedhatCVE
added 2025/05/23 7:28 a.m. · 4 views

CVE-2024-39173

calculator-boilerplate v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the eval function at /routes/calculator.js. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the input field...

9.8 CVSS · 9.9 AI score · 0.02884 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 7:26 a.m. · 3 views

CVE-2024-42845

An eval Injection vulnerability in the component invesalius/reader/dicom.py of InVesalius 3.1.99991 through 3.1.99998 allows attackers to execute arbitrary code via loading a crafted DICOM file...

8 CVSS · 8.1 AI score · 0.71069 EPSS
Exploits 5 · References 1
RedhatCVE
added 2025/05/23 4:38 a.m. · 7 views

CVE-2023-26122

All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). Vulnerable functions: __defineGetter__, stack,...

10 CVSS · 7.7 AI score · 0.0808 EPSS
Exploits 1 · References 1
RedhatCVE
added 2025/05/23 3:42 a.m. · 3 views

CVE-2023-30454

An issue was discovered in ebankIT before 7. Document Object Model based XSS exists within the /Security/Transactions/Transactions.aspx endpoint. Users can supply their own JavaScript within the ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray POST parameter that will be...

6.1 CVSS · 5.9 AI score · 0.00206 EPSS
Exploits 1 · References 1
RedhatCVE
added 2025/05/23 3:27 a.m. · 4 views

CVE-2023-26121

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content...

10 CVSS · 6.8 AI score · 0.00349 EPSS
Exploits 1 · References 1