CVE-2024-39173
calculator-boilerplate v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the eval function at /routes/calculator.js. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the input field...
PT-2024-28377 · Unknown · Calculator-Boilerplate
Name of the Vulnerable Software and Affected Versions: calculator-boilerplate version 1.0. Description: The issue is related to a remote code execution (RCE) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the input field. The...
PYSEC-2024-62
Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database: the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary Python code if the...
OSGeo GeoServer GeoTools Eval Injection Vulnerability
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input...
Exploit for Code Injection in Geoserver
GeoServer blind (no output echo) remote code execution vulnerability CVE-2024-36401 options: -h, --help sho...
litellm vulnerable to remote code execution based on using eval unsafely
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the add_deployment function, which decodes and decrypts environment variables from base64 and assigns them to os.environ. An attacker can exploit this by sendin...
kernel: netfilter: nf_tables: disallow anonymous set with timeout flag
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag. Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work...
PT-2024-28406 · Skycaiji · Skycaiji
Name of the Vulnerable Software and Affected Versions: skycaiji version 2.8. Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload using eval(String.fromCharCode()). This enables the execution of malicious code on the victim's...
CVE-2024-39242
CVE-2024-39242 is a reported cross-site scripting (XSS) vulnerability in skycaiji v2.8. The issue arises from a crafted payload that uses eval(String.fromCharCode()), enabling attackers to run arbitrary web scripts/HTML in a victim's browser. The CVSS 3.1 metrics indicate a Network attack vecto...
CVE-2024-39242
A cross-site scripting (XSS) vulnerability in skycaiji v2.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload using eval(String.fromCharCode())...
CVE-2014-5470
Actual Analyzer through 2014-08-29 allows code execution via shell metacharacters because untrusted input is used for part of the input data passed to an eval operation...
PT-2024-10557 · Unknown · Actual Analyzer
Name of the Vulnerable Software and Affected Versions: Actual Analyzer versions prior to 2014-08-29. Description: The issue allows code execution via shell metacharacters because untrusted input is used for part of the input data passed to an eval operation. Recommendations: For versions prior to...
CVE-2014-5470
CVE-2014-5470 affects Actual Analyzer (versions prior to 2014-08-29). The vulnerability arises from untrusted input being passed to an eval operation, enabling code execution via shell metacharacters in the input data. Connected sources show concrete details: the flaw exists in Actual Analyzer's ...
WordPress Plugin Custom Field Suite Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...
PT-2024-27153 · Rhai · Rhai
Name of the Vulnerable Software and Affected Versions: rhai version 1.18.0. Description: A stack overflow vulnerability was found in rhai. The issue is related to a recursive call in the eval_stmt_block function, located in the /src/rhai/src/eval/stmt.rs file. This vulnerability can be exploited d...
Code Injection
litellm is vulnerable to Code Injection. The vulnerability is caused due to a lack of input validation in the eval function within the secret management system, which allows an attacker to execute arbitrary code...
pillow: Arbitrary Code Execution via the environment parameter
A vulnerability was found in Pillow, a popular Python imaging library. The flaw identified in the PIL.ImageMath.eval function enables arbitrary code execution by manipulating the environment parameter...
CVE-2024-4889
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid Google KMS configuration file to be exploitable. Specifically, by setting the...