Snyk
added 2025/05/21 6:32 p.m. · 1 view

Command Injection

Overview: Affected versions of this package are vulnerable to Command Injection due to the improper handling of environment variables during the decryption process. An attacker with control over .ejson files can execute arbitrary commands on the host system by injecting malicious keys or encrypted...

CVSS 7.5 · AI score 8.1 · EPSS 0.00639
Exploits 0 · References 2
OSV
added 2025/05/20 6:01 p.m. · 2 views

GHSA-22C2-9GWG-MJ59 Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store

Summary: LanceDocChatAgent uses pandas eval through compute_from_docs: https://github.com/langroid/langroid/blob/18667ec7e971efc242505196f6518eb19a0abc1c/langroid/vectorstore/base.pyL136-L150. As a result, an attacker may be able to make the agent run malicious commands through QueryPlan.dataframecal...

CVSS 9.3 · AI score 7.2 · EPSS 0.0041
Exploits 0 · References 4
Github Security Blog
added 2025/05/20 6:00 p.m. · 12 views

Langroid has a Code Injection vulnerability in TableChatAgent

Summary: TableChatAgent uses pandas eval. If it is fed untrusted user input, as in a public-facing LLM application, it may be vulnerable to code injection. PoC: For example, one could prompt the agent: Evaluate the following pandas expression on the data provided and print output:...

CVSS 9.8 · AI score 7.2 · EPSS 0.00206
Exploits 1 · References 4 · Affected software 1
Snyk
added 2025/05/20 5:49 p.m. · 1 view

Arbitrary Code Injection

Overview: langroid is a package for harnessing LLMs with multi-agent programming. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the use of the pandas eval function. An attacker can execute arbitrary code by supplying malicious input to this function. This is only exploitable if t...

CVSS 9.8 · AI score 8.1 · EPSS 0.00206
Exploits 1 · References 2
CNNVD
added 2025/05/20 12:00 a.m. · 2 views

Langroid code injection vulnerability

Langroid is an open source tool for developing LLM applications using multi-agent programming. A code injection vulnerability exists in Langroid versions prior to 0.53.15; it stems from TableChatAgent's use of pandas eval to process unauthenticated user input, which could lead to code injection...

CVSS 9.8 · AI score 7.1 · EPSS 0.00206
Exploits 1 · References 2
Positive Technologies
added 2025/05/20 12:00 a.m. · 2 views

PT-2026-6292

Name of the Vulnerable Software and Affected Versions: Langroid versions prior to 0.59.32. Description: Langroid is a framework used for building applications powered by large language models. A weakness exists in the TableChatAgent component where the Web Application Firewall (WAF) can be bypassed...

CVSS 9.8 · AI score 6 · EPSS 0.00206
Exploits 2 · References 15
Positive Technologies
added 2025/05/20 12:00 a.m. · 4 views

PT-2025-22277 · Langroid · Langroid

Name of the Vulnerable Software and Affected Versions: Langroid versions prior to 0.53.15. Description: The issue concerns the use of pandas eval through the compute_from_docs function in the LanceDocChatAgent component. This allows an attacker to potentially run malicious commands, compromising t...

CVSS 9.8 · AI score 6.2 · EPSS 0.0041
Exploits 0 · References 10
CNNVD
added 2025/05/20 12:00 a.m. · 2 views

Langroid code injection vulnerability

Langroid is an open source tool for developing LLM applications using multi-agent programming. A code injection vulnerability exists in Langroid versions prior to 0.53.15; it stems from LanceDocChatAgent processing unauthenticated user input with pandas eval via compute_from_docs, which could lead ...

CVSS 9.8 · AI score 7.2 · EPSS 0.0041
Exploits 0 · References 2
RedhatCVE
added 2025/05/10 12:20 a.m. · 18 views

CVE-2025-26845

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use it to execute a command as the user running the backup.pl script...

CVSS 9.8 · AI score 7.5 · EPSS 0.0041
Exploits 0 · References 1
NVD
added 2025/05/08 5:16 p.m. · 20 views

CVE-2025-26845

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use it to execute a command as the user running the backup.pl script...

CVSS 9.8 · EPSS 0.0041
Exploits 0 · References 2
OSV
added 2025/05/08 5:16 p.m. · 8 views

CVE-2025-26845

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use it to execute a command as the user running the backup.pl script...

CVSS 9.8 · AI score 7.3
Exploits 0 · References 2
OSV
added 2025/05/08 5:16 p.m. · 2 views

DEBIAN-CVE-2025-26845

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use it to execute a command as the user running the backup.pl script...

CVSS 9.8 · AI score 5.6 · EPSS 0.0041
Exploits 0 · References 1
OSV
added 2025/05/08 5:16 p.m. · 2 views

UBUNTU-CVE-2025-26845

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use it to execute a command as the user running the backup.pl script...

CVSS 9.8 · AI score 5.9 · EPSS 0.0041
Exploits 0 · References 3
Vulnrichment
added 2025/05/08 12:00 a.m. · 6 views

CVE-2025-26845

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use it to execute a command as the user running the backup.pl script...

AI score 9.8 · EPSS 0.0041
Exploits 0 · References 2
Cvelist
added 2025/05/08 12:00 a.m. · 16 views

CVE-2025-26845

An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use it to execute a command as the user running the backup.pl script...

EPSS 0.0041
Exploits 0 · References 2
CVE
added 2025/05/08 12:00 a.m. · 54 views

CVE-2025-26845

CVE-2025-26845 describes an Eval Injection vulnerability in Znuny up to version 7.1.3. A user with write access to the configuration file can cause code execution via the command that runs the backup.pl script, effectively escalating to the user running that script. The primary affected ...

CVSS 9.8 · AI score 7.1 · EPSS 0.0041
Exploits 0 · References 2 · Affected software 1
Redos
added 2025/04/24 12:00 a.m. · 12 views

ROS-20250424-12

A vulnerability in the eval function of the Cloud Deployment and Query Tool modules of the pgAdmin 4 database management tool is related to incorrect control of code generation when processing the /sqleditor/querytool/download and /cloud/deploy endpoints with the querycommitted and highavailability...

CVSS 9.9 · AI score 7.5 · EPSS 0.8249
Exploits 7
GithubExploit
added 2025/04/18 1:19 p.m. · 468 views

Exploit for Code Injection in Dgorissen Pycel

CVE-2024-53924 - Description: Pycel through 1.0b30, when oper...

CVSS 9.8 · AI score 9.5 · EPSS 0.00937
Exploits 2
Positive Technologies
added 2025/04/17 12:00 a.m. · 5 views

PT-2025-17210 · Pycel · Pycel

Name of the Vulnerable Software and Affected Versions: Pycel versions 1.0b30 and earlier. Description: The issue allows code execution via a crafted formula in a cell in an untrusted spreadsheet, such as one beginning with the =IF(A1=200, eval("__import__('os').system( substring. Recommendations: For...

CVSS 9.8 · AI score 6.5 · EPSS 0.00937
Exploits 2 · References 12
Veracode
added 2025/04/14 10:58 a.m. · 14 views

Remote Code Execution (RCE)

pgAdmin4 is vulnerable to Remote Code Execution (RCE). The vulnerability is due to unsafe use of Python's eval function on unsanitized input in the querycommitted and highavailability parameters of two POST endpoints...

CVSS 9.9 · AI score 7.4 · EPSS 0.8249
Exploits 7 · References 4 · Affected software 1
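The Langroid (pandas eval), pgAdmin 4 (Python eval on POST parameters) and Pycel (eval on spreadsheet formulas) entries above all share one root cause: attacker-controlled text reaches an evaluator. The block below is an added example, not code from any of those projects, showing the vulnerable pattern next to a hardened evaluator for table queries. It uses a constructed dict-of-columns table as a stand-in for a DataFrame (no pandas needed), and the column names, sample rows and the `safe_eval` / `vulnerable_eval` names are assumptions made for the example. The hardened version parses the expression with `ast`, walks the whole tree against an allowlist (columns, literals, arithmetic, comparisons, boolean ops) and evaluates it itself, so `Call`, `Attribute`, `Subscript`, lambdas and comprehensions are rejected before anything runs.

```python
import ast
import operator
from typing import Any, Dict, List

# Constructed sample table (a dict of columns standing in for a DataFrame).
# Added example data; not Langroid's, pgAdmin's or Pycel's own code or data.
TABLE: Dict[str, list] = {
    "price": [10.0, 25.0, 40.0],
    "qty": [3, 1, 2],
    "sku": ["A1", "B2", "C3"],
}


class UnsafeExpression(ValueError):
    """Raised when an expression uses anything outside the allowlist."""


def vulnerable_eval(expr: str, table: Dict[str, list]) -> Any:
    """The pattern the advisories describe: attacker text handed to eval().

    Passing empty globals does not sandbox anything: CPython inserts
    __builtins__ into the globals dict, so __import__ is still reachable.
    """
    return eval(expr, {}, dict(table))


# Only these operators may appear. Pow is left out on purpose (cheap DoS via
# huge exponents); everything structural (Call, Attribute, Subscript, Lambda,
# comprehensions, ...) is rejected in _check before any value is computed.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod}
_CMPOPS = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}
_UNARY = {ast.USub: operator.neg, ast.Not: operator.not_}


def _check(tree: ast.AST, columns: set) -> None:
    """Structural allowlist over the whole AST, applied before evaluation."""
    for n in ast.walk(tree):
        if isinstance(n, (ast.Expression, ast.BoolOp, ast.expr_context,
                          ast.boolop, ast.operator, ast.cmpop, ast.unaryop)):
            continue  # container and operator-token nodes; ops are checked at their parent
        if isinstance(n, ast.Constant):
            if not isinstance(n.value, (bool, int, float, str)):
                raise UnsafeExpression(f"unsupported literal {n.value!r}")
        elif isinstance(n, ast.Name):
            if n.id not in columns:  # bare names may only be column references
                raise UnsafeExpression(f"unknown column {n.id!r}")
        elif isinstance(n, ast.BinOp):
            if type(n.op) not in _BINOPS:
                raise UnsafeExpression(f"operator {type(n.op).__name__} not allowed")
        elif isinstance(n, ast.UnaryOp):
            if type(n.op) not in _UNARY:
                raise UnsafeExpression(f"operator {type(n.op).__name__} not allowed")
        elif isinstance(n, ast.Compare):
            if any(type(op) not in _CMPOPS for op in n.ops):
                raise UnsafeExpression("comparison operator not allowed")
        else:
            raise UnsafeExpression(f"disallowed syntax: {type(n).__name__}")


def _eval(node: ast.AST, row: Dict[str, Any]) -> Any:
    """Evaluate an already-checked tree against one row; no eval() involved."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, row)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return row[node.id]
    if isinstance(node, ast.BinOp):
        return _BINOPS[type(node.op)](_eval(node.left, row), _eval(node.right, row))
    if isinstance(node, ast.UnaryOp):
        return _UNARY[type(node.op)](_eval(node.operand, row))
    if isinstance(node, ast.BoolOp):
        values = (_eval(v, row) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):
        left = _eval(node.left, row)
        for op, comparator in zip(node.ops, node.comparators):
            right = _eval(comparator, row)
            if not _CMPOPS[type(op)](left, right):
                return False
            left = right
        return True
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expr: str, table: Dict[str, list]) -> List[Any]:
    """Validate, then evaluate the expression row by row; one result per row."""
    try:
        tree = ast.parse(expr, mode="eval")  # single expression only, no statements
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a valid expression: {exc.msg}") from None
    _check(tree, set(table))
    nrows = len(next(iter(table.values())))
    return [_eval(tree, {c: table[c][i] for c in table}) for i in range(nrows)]


def is_rejected(expr: str, table: Dict[str, list]) -> bool:
    """True if safe_eval refuses the expression."""
    try:
        safe_eval(expr, table)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    payload = "__import__('os').getcwd()"  # benign stand-in for os.system(...)
    print("vulnerable_eval ran attacker code, returned:", vulnerable_eval(payload, TABLE))
    print("safe_eval rejects it:", is_rejected(payload, TABLE))
    print("safe_eval on a real query:", safe_eval("price * qty > 50", TABLE))
```

The check runs over the parsed tree, not over the string, so encoding tricks and string-level denylists (the "WAF bypass" angle in the PT-2026-6292 entry) do not apply: a `Call` or `Attribute` node is rejected no matter how it is spelled. If the real backend is pandas, the same `_check` can be applied before handing the validated string to `DataFrame.eval`, but evaluating it directly, as here, removes the evaluator from the attack surface entirely.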