2488 matches found
CVE-2018-8972
Creditwest Bank CMS Project aka CWCMS through 2017-07-28 has CSRF in the functionality for updating the site configuration, which allows remote attackers to inject arbitrary PHP code, as demonstrated by a PHP shell that calls eval on request parameters...
CVE-2019-10769
safer-eval is an npm package to sandbox the evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError...
Code Injection
langroid is vulnerable to code injection. The vulnerability is due to improper input sanitization in TableChatAgent using pandas eval, allowing attackers to execute arbitrary code within the application...
CVE-2019-14746
An issue was discovered in KuaiFanCMS 5.0. It allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...
CVE-2019-10759
safer-eval before 1.3.4 is vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code...
CVE-2019-10760
safer-eval before 1.3.2 is vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code...
CVE-2012-5932
Eval injection vulnerability in the ldapagnteval function in ldapagnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote attackers to execute arbitrary Perl code via a crafted application/x-amf request...
CVE-2011-4932
Eval injection vulnerability in ipcms/modules/standard/contentmanagement/actions.php in ImpressPages CMS 1.0.12 and possibly other versions before 1.0.13 allows remote attackers to execute arbitrary code via the cmgroup parameter...
CVE-2012-1625
Eval injection vulnerability in the fillpdfformexportdecode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors...
CVE-2009-2946
Eval injection vulnerability in scripts/uscan.pl before Rev 1984 in devscripts allows remote attackers to execute arbitrary Perl code via crafted pathnames on distribution servers for upstream source code used in Debian GNU/Linux packages...
CVE-2005-2837
Multiple eval injection vulnerabilities in PlainBlack Software WebGUI before 6.7.3 allow remote attackers to execute arbitrary Perl code via (1) Help.pm, (2) International.pm, or (3) WebGUI.pm...
Command Injection
Overview: Affected versions of this package are vulnerable to Command Injection due to the improper handling of environment variables during the decryption process. An attacker with control over .ejson files can execute arbitrary commands on the host system by injecting malicious keys or encrypted...
GHSA-22C2-9GWG-MJ59 Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store
Summary: LanceDocChatAgent uses pandas eval through computefromdocs: https://github.com/langroid/langroid/blob/18667ec7e971efc242505196f6518eb19a0abc1c/langroid/vectorstore/base.pyL136-L150 As a result, an attacker may be able to make the agent run malicious commands through QueryPlan.dataframecal...
Langroid has a Code Injection vulnerability in TableChatAgent
Summary: TableChatAgent uses pandas eval. If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection. PoC: For example, one could prompt the Agent: Evaluate the following pandas expression on the data provided and print output:...
Arbitrary Code Injection
Overview: langroid is a package to harness LLMs with multi-agent programming. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the use of the pandas eval function. An attacker can execute arbitrary code by supplying malicious input to this function. This is only exploitable if t...
PT-2026-6292
Name of the Vulnerable Software and Affected Versions: Langroid versions prior to 0.59.32. Description: Langroid is a framework used for building applications powered by large-language-models. A weakness exists in the TableChatAgent component where the Web Application Firewall (WAF) can be bypassed...
Langroid Code Injection Vulnerability
Langroid is an open source tool for developing LLMs using multi-agent programming. A code injection vulnerability exists in Langroid versions prior to 0.53.15, which stems from TableChatAgent's use of pandas eval to process unauthenticated user input, which could lead to code injection...
Langroid Code Injection Vulnerability
Langroid is an open source tool for developing LLMs using multi-agent programming. A code injection vulnerability exists in Langroid versions prior to 0.53.15, which stems from LanceDocChatAgent processing unauthenticated user input using pandas eval via computefromdocs, which could lead ...
PT-2025-22277 · Langroid · Langroid
Name of the Vulnerable Software and Affected Versions: Langroid versions prior to 0.53.15. Description: The issue concerns the use of pandas eval through the compute from docs function in the LanceDocChatAgent component. This allows an attacker to potentially run malicious commands, compromising t...
CVE-2025-26845
An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command as the user running the backup.pl script...