
2443 matches found

RedhatCVE
added 2025/02/05 11:15 a.m., 4 views

CVE-2024-21552

All versions of SuperAGI are vulnerable to Arbitrary Code Execution due to unsafe use of the ‘eval’ function. An attacker could induce the LLM output to exploit this vulnerability and gain arbitrary code execution on the SuperAGI application server...

CVSS 9.8, AI score 8, EPSS 0.00224
Exploits 0, References 1
RedhatCVE
added 2025/02/05 10:50 a.m., 4 views

CVE-2024-21537

Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function...

CVSS 8.8, AI score 7, EPSS 0.00381
Exploits 0, References 1
RedhatCVE
added 2025/02/05 3:43 a.m., 5 views

CVE-2024-45851

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a...

CVSS 8.8, AI score 7.6, EPSS 0.00555
Exploits 1, References 1
RedhatCVE
added 2025/02/05 3:34 a.m., 13 views

CVE-2024-45850

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for site column creation. If such a...

CVSS 8.8, AI score 7.5, EPSS 0.00555
Exploits 1, References 1
RedhatCVE
added 2025/02/05 3:33 a.m., 4 views

CVE-2024-45858

An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing i...

CVSS 7.8, AI score 7.7, EPSS 0.00107
Exploits 0, References 1
RedhatCVE
added 2025/02/05 12:12 a.m., 4 views

CVE-2024-4889

A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid Google KMS configuration file to be exploitable. Specifically, by setting the...

CVSS 7.2, AI score 7.2, EPSS 0.0017
Exploits 1
RedhatCVE
added 2025/02/05 12:08 a.m., 3 views

CVE-2024-4343

A Python command injection vulnerability exists in the SagemakerLLM class's complete method within ./privategpt/components/llm/custom/sagemaker.py of the imartinez/privategpt application, versions up to and including 0.3.0. The vulnerability arises due to the use of the eval function to parse a...

CVSS 9.8, AI score 9.7, EPSS 0.01177
Exploits 1
RedhatCVE
added 2025/02/04 11:59 p.m., 4 views

CVE-2024-4264

A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.get_secret method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval function...

CVSS 9.8, AI score 9.7, EPSS 0.03284
Exploits 0, References 1
RedhatCVE
added 2025/02/04 10:27 p.m., 4 views

CVE-2024-8512

The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization function. This is due to the plugin passing user supplied input to eval. This makes it possible for authenticated...

CVSS 9.1, AI score 7.7, EPSS 0.21077
Exploits 0, References 1
OPENSUSE Linux
added 2025/02/03 12:00 a.m., 5 views

Security update for python-asteval (moderate)

openSUSE Security Update: Security update for python-asteval. Announcement ID: openSUSE-SU-2025:0052-1. Rating: moderate. References: 1236405. Cross-References: CVE-2025-24359. Affected Products: openSUSE Backports SLE-15-SP6. An update that fixes one vulnerability is now available. Description: This...

CVSS 8.4, AI score 7.1, EPSS 0.00032
Exploits 0, References 1
Amazon
added 2025/01/24 12:00 a.m., 2 views

Medium: perl-Module-ScanDeps

Issue Overview: Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by opening a "pesky pipe" such as passing "commands|" as a filename or by passing arbitrary strings to eval...

CVSS 7.8, AI score 7.4, EPSS 0.00632
Exploits 3
OSV
added 2025/01/16 7:23 a.m., 13 views

BIT-PYTHON-MIN-2020-27619

In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval on content retrieved via HTTP...

CVSS 9.8, AI score 9.7, EPSS 0.00854
Exploits 0, References 15
Snyk
added 2025/01/10 1:06 a.m., 4 views

Remote Code Execution (RCE)

Overview: org.webjars.npm:jsonpath-plus is a JS implementation of JSONPath with some additional operators. Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the...

CVSS 9.8, AI score 7.8, EPSS 0.92707
Exploits 8, References 2
Snyk
added 2025/01/10 1:06 a.m., 4 views

Remote Code Execution (RCE)

Overview: jsonpath-plus is a JS implementation of JSONPath with some additional operators. Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usag...

CVSS 9.8, AI score 7.8, EPSS 0.89929
Exploits 5, References 2
OSV
added 2025/01/08 7:22 a.m., 7 views

BIT-VALKEY-2024-46981 Redis' Lua library commands may lead to remote code execution

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate...

CVSS 9.8, AI score 7.3, EPSS 0.80733
Exploits 2, References 11
vulnersOsv
added 2024/12/30 12:43 p.m., 0 views

data-agora (=0.1.1), dtx (>=0.31.0 <=0.34.0) +10 more potentially affected by CVE-2024-10044 via fastchat (=0.1.0)

fastchat PYPI version =0.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on fastchat and may be impacted: data-agora =0.1.1; dtx =0.31.0, =0.2.0, =0.18.3, =0.0.2, =0.4.0, =0.0.1, =0.1.3, =0.1.0, =0.1.0, =0.1.1. Source cves: CVE-2024-10044. Source...

CVSS 9.3, AI score 7.2, EPSS 0.00221
Exploits 1
AlpineLinux
added 2024/12/19 2:15 p.m., 1 view

CVE-2024-9101

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin version 1.2.1 through the latest version, 1.2.6.7, allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' functio...

CVSS 2.1, AI score 6.3, EPSS 0.00314
Exploits 0, References 4
OSV
added 2024/12/19 2:15 p.m., 1 view

DEBIAN-CVE-2024-9101

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin version 1.2.1 through the latest version, 1.2.6.7, allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' functio...

CVSS 2.1, AI score 5.4, EPSS 0.00314
Exploits 0, References 1
OSV
added 2024/12/19 2:15 p.m., 0 views

UBUNTU-CVE-2024-9101

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin version 1.2.1 through the latest version, 1.2.6.7, allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' functio...

CVSS 2.1, AI score 5.9, EPSS 0.00314
Exploits 0, References 6
CNNVD
added 2024/12/13 12:00 a.m., 1 view

ComfyUI_AceNodes security vulnerability

ComfyUI_AceNodes is a set of utility nodes for ComfyUI by Kaifeng Xu, an individual developer. A security vulnerability exists in ComfyUI_AceNodes, which originates when the entry point function of the ACEExpressionEval node accepts arbitrary user-controlled data, which allows the user to create a workflow th...

CVSS 10, AI score 7.3, EPSS 0.00221
Exploits 0, References 1