
2654 matches found

OSV
added 2025/11/25 12:00 a.m., 3 views

ALSA-2025:22005 Moderate: go-rpm-macros security update

This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only. Security Fixes: os/exec: Unexpected paths returned from LookPath in os/exec...

CVSS 6.5 | AI score 6.7 | EPSS 0.00033
Exploits 1 | References 4
Tenable Nessus
added 2025/11/25 12:00 a.m., 1 view

RHEL 9 : go-rpm-macros (RHSA-2025:22004)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:22004 advisory. This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the...

CVSS 6.5 | AI score 6.7 | EPSS 0.00033
Exploits 1 | References 5
Tenable Nessus
added 2025/11/25 12:00 a.m., 2 views

AlmaLinux 9 : go-rpm-macros (ALSA-2025:22005)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2025:22005 advisory. os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906). Tenable has extracted the preceding description block directly from the AlmaLinux...

CVSS 6.5 | AI score 6.8 | EPSS 0.00033
Exploits 1 | References 3
EUVD
added 2025/11/24 11:42 p.m., 1 view

EUVD-2025-199260

Malicious code in shell-exec npm...

AI score 6.6
Exploits 0 | References 4
vulnersOsv
added 2025/11/24 11:42 p.m., 2 views

@abtnode/blocklet-services (>=1.16.6 <=1.17.12-beta-20260422-093007-b389a838), @abtnode/cli (>=1.0.0 <=1.16.34-beta-20241113-102431-65542b84) +445 more potentially affected by unknown CVE via shell-exec (>=1.0.2 <=1.1.2)

shell-exec NPM version =1.0.2, =1.16.6, =1.0.0, =1.16.6, =1.0.0, =0.3.35, =1.5.0, =0.0.0-beta.0, =0.0.0, =2.49.0, =1.0.0, =2.0.0-0, =2.0.0-0, =1.0.16, =1.0.0, =1.2.1, =1.3.16 and more. Source CVEs: unknown CVE. Source advisory: OSV:MAL-2025-191424...

AI score 5.8
Exploits 0
Snyk
added 2025/11/24 4:24 p.m., 1 view

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-Hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

CVSS 9.8 | AI score 6.8
Exploits 0 | References 3
vulnersOsv
added 2025/11/24 4:24 p.m., 1 view

@abtnode/blocklet-services (>=1.16.6 <=1.17.12-beta-20260422-093007-b389a838), @abtnode/cli (>=1.0.0 <=1.16.34-beta-20241113-102431-65542b84) +445 more potentially affected by unknown CVE via shell-exec (>=1.0.2 <=1.1.2)

shell-exec NPM version =1.0.2, =1.16.6, =1.0.0, =1.16.6, =1.0.0, =0.3.35, =1.5.0, =0.0.0-beta.0, =0.0.0, =2.49.0, =1.0.0, =2.0.0-0, =2.0.0-0, =1.0.16, =1.0.0, =1.2.1, =1.3.16 and more. Source CVEs: unknown CVE. Source advisory: SNYK:JS-SHELLEXEC-14103722...

AI score 5.8
Exploits 0
OSV
added 2025/11/24 1:12 p.m., 2 views

CLSA-2025-1763989962 Fix of 8 CVEs

CVE-url: https://ubuntu.com/security/CVE-2025-38352 - posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del(). CVE-url: https://ubuntu.com/security/CVE-2022-25265 - x86/elf: Add table to document READ_IMPLIES_EXEC - x86/elf: Split READ_IMPLIES_EXEC from executable PT_GNU_STACK -...

CVSS 7.8 | AI score 7.1 | EPSS 0.00271
Exploits 9 | References 1
Vulnrichment
added 2025/11/20 4:39 p.m., 1 view

CVE-2025-12121

Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the "open i...

AI score 7.3 | EPSS 0.00024
Exploits 1 | References 2
CVE
added 2025/11/20 4:39 p.m., 7 views

CVE-2025-12121

Lite XL versions 2.1.8 and earlier are affected by CVE-2025-12121 due to an unsanitized system.exec usage in core.lua (project directory launching), rootview.lua (drag-and-drop handling), and treeview.lua (open in system). This allows arbitrary command execution with the Lite XL process privilege...

CVSS 7.3 | AI score 7.5 | EPSS 0.00024
Exploits 1 | References 2 | Affected Software 1
AlpineLinux
added 2025/11/20 4:39 p.m., 1 view

CVE-2025-12121

Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the "open i...

CVSS 7.3 | AI score 7.8 | EPSS 0.00024
Exploits 1
RedHat Linux
added 2025/11/20 3:48 p.m., 5 views

os/exec: Unexpected paths returned from LookPath in os/exec

A path handling flaw has been discovered in the os/exec Go package. If the PATH environment variable contains entries that are executables rather than directories, passing certain strings ("", ".", and "..") to LookPath can result in the binaries listed in PATH being unexpectedly returned...

CVSS 6.5 | AI score 5.7 | EPSS 0.00033
Exploits 1 | References 8
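The LookPath entry above comes down to how a PATH search joins each entry with the requested name: joining an entry with "" (or ".") yields the entry itself, so a PATH entry that is an executable file rather than a directory is returned as though it were the requested program. The following added example is not Go's code and not from the advisory; it re-creates that naive search in Python to show the mechanism, beside a hardened lookup that rejects empty and dot names and skips PATH entries that are not directories. The helper names and the temporary on-disk layout are assumptions made for illustration.

```python
import os
import stat
import tempfile


def naive_lookpath(name, path_entries):
    """PATH search that mirrors the pre-fix behaviour: join each entry with
    `name`, normalise, and return the first executable non-directory hit.
    normpath(join(entry, "")) and normpath(join(entry, ".")) are both `entry`
    itself, so a PATH entry that is an executable *file* matches those names."""
    for entry in path_entries:
        candidate = os.path.normpath(os.path.join(entry, name))
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hardened_lookpath(name, path_entries):
    """Refuse names that are not a plain program name, and ignore PATH entries
    that are not directories, before searching."""
    if name in ("", ".", "..") or os.sep in name:
        raise ValueError(f"refusing to search PATH for {name!r}")
    for entry in path_entries:
        if not os.path.isdir(entry):
            continue  # a file listed in PATH can never legitimately contain `name`
        candidate = os.path.join(entry, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def build_fixture():
    """Constructed layout (assumption for the demo): a bin directory holding an
    executable `tool`, so PATH can be pointed at the directory or, wrongly,
    at the file itself."""
    root = tempfile.mkdtemp(prefix="lookpath-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    tool = os.path.join(bindir, "tool")
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\necho tool\n")
    os.chmod(tool, os.stat(tool).st_mode | stat.S_IXUSR)
    return bindir, tool


def demo():
    """Run both lookups against a PATH that lists the file and one that lists
    the directory; returns the observations plus the tool path for checking."""
    bindir, tool = build_fixture()
    file_in_path = [tool]     # PATH=/.../bin/tool : an executable, not a directory
    dir_in_path = [bindir]    # PATH=/.../bin      : the intended form
    results = {
        "naive_empty_name": naive_lookpath("", file_in_path),     # returns tool
        "naive_dot_name": naive_lookpath(".", file_in_path),      # returns tool
        "hardened_real_name": hardened_lookpath("tool", dir_in_path),
        "hardened_file_in_path": hardened_lookpath("tool", file_in_path),  # None
    }
    try:
        hardened_lookpath("", file_in_path)
        results["hardened_empty_name"] = "allowed"
    except ValueError:
        results["hardened_empty_name"] = "rejected"
    return results, tool


if __name__ == "__main__":
    observations, _ = demo()
    for key, value in observations.items():
        print(f"{key}: {value}")
```

The practical check on a host is the same as the hardened function's second rule: walk the PATH entries your services run with and flag any that are not directories, because such entries are harmless to a correct search but a trigger for the flawed one.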
GithubExploit
added 2025/11/20 1:45 a.m., 167 views

Exploit for Missing Authentication for Critical Function in Langflow

CVE-2025-3248: Langflow Unauthenticated RCE Vulnerability Scan...

CVSS 9.8 | AI score 9.1 | EPSS 0.92665
Exploits 33
CNNVD
added 2025/11/20 12:00 a.m., 2 views

Lite XL security vulnerability

Lite XL is a lightweight text editor from the lite-xl open source project. A security vulnerability exists in Lite XL 2.1.8 and earlier versions, stemming from a failure to sanitize shell command construction in the system.exec function, which could lead to the execution of arbitrary commands...

CVSS 7.3 | AI score 7 | EPSS 0.00024
Exploits 1 | References 2
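The Lite XL entries above (CVE-2025-12121) describe the generic hazard of building a shell command line by splicing a filename into a string and handing it to the shell: a filename that contains shell metacharacters then becomes part of the command. The following is an added example, not Lite XL's Lua code, written in Python: the string-building form beside a quoted form and an argument-vector form that never invokes a shell, all driven by a constructed drag-and-drop filename that carries an injected command. `echo` stands in for the real opener (xdg-open, open, and so on), which is an assumption made so the example runs anywhere.

```python
import shlex
import subprocess


def open_in_system_vulnerable(path):
    """Builds one string and lets /bin/sh parse it. Anything the shell treats
    specially inside `path` (; | & $( ) ` and friends) is executed as shell
    syntax, exactly the pattern the advisory describes for system.exec."""
    cmd = f"echo opening {path}"            # `echo` is an assumed stand-in for xdg-open
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def open_in_system_quoted(path):
    """Still goes through a shell, but quotes the untrusted value so the shell
    sees it as a single word. Adequate only if every interpolated value is quoted."""
    cmd = f"echo opening {shlex.quote(path)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def open_in_system_safe(path):
    """No shell at all: the argv list goes straight to execve, so `path` reaches
    the program as one argument whatever characters it contains."""
    return subprocess.run(["echo", "opening", path],
                          capture_output=True, text=True).stdout


# Constructed filename, as a dropped file might be named by an attacker.
HOSTILE_NAME = "notes.txt; echo INJECTED"


if __name__ == "__main__":
    print("vulnerable:", repr(open_in_system_vulnerable(HOSTILE_NAME)))
    print("quoted:    ", repr(open_in_system_quoted(HOSTILE_NAME)))
    print("argv list: ", repr(open_in_system_safe(HOSTILE_NAME)))
```

With the hostile name, the vulnerable form prints two lines (the second from the injected `echo`), while the quoted and argv forms print the whole filename as one literal argument. The argv form is the one to reach for by default; quoting is the fallback when a shell feature such as redirection is genuinely needed.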
RedhatCVE
added 2025/11/19 12:11 a.m., 7 views

CVE-2025-63604

A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. The vulnerability stems from the exposure of dangerous Python built-in functions (__import__, getattr, hasattr) in...

CVSS 6.5 | AI score 8.7 | EPSS 0.00107
Exploits 1 | References 1
OSV
added 2025/11/18 4:15 p.m., 1 view

CVE-2025-63604

A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. The vulnerability stems from the exposure of dangerous Python built-in functions (__import__, getattr, hasattr) in...

CVSS 6.5 | AI score 6.5
Exploits 0 | References 1
NVD
added 2025/11/18 4:15 p.m., 2 views

CVE-2025-63603

A command injection vulnerability exists in the MCP Data Science Server (reading-plus-ai/mcp-server-data-exploration 0.1.6) in the safe_eval function, src/mcp_server_ds/server.py:108. The function uses Python's exec to execute user-supplied scripts but fails to restrict the builtins dictionary in the...

CVSS 6.5 | EPSS 0.01375
Exploits 1 | References 1
OSV
added 2025/11/18 4:15 p.m., 0 views

CVE-2025-63603

A command injection vulnerability exists in the MCP Data Science Server (reading-plus-ai/mcp-server-data-exploration 0.1.6) in the safe_eval function, src/mcp_server_ds/server.py:108. The function uses Python's exec to execute user-supplied scripts but fails to restrict the builtins dictionary in the...

CVSS 6.5 | AI score 6.1 | EPSS 0.01375
Exploits 1 | References 1
CVE
added 2025/11/18 12:00 a.m., 8 views

CVE-2025-63603

MCP Data Science Server 0.1.6 (reading-plus-ai/mcp-server-data-exploration) contains a command injection in safe_eval() (src/mcp_server_ds/server.py:108) where exec() runs user scripts without restricting builtins in globals. This allows execution of arbitrary Python code with full system privile...

CVSS 6.5 | AI score 8 | EPSS 0.01375
Exploits 1 | References 1 | Affected Software 1
Cvelist
added 2025/11/18 12:00 a.m., 5 views

CVE-2025-63604

A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. The vulnerability stems from the exposure of dangerous Python built-in functions (__import__, getattr, hasattr) in...

EPSS 0.00107
Exploits 1 | References 1
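CVE-2025-63603 and CVE-2025-63604 above describe the same pattern from two angles: user-supplied source handed to exec() with the default builtins reachable (63603), and a "restricted" environment that still exposes __import__ and getattr (63604). The following is an added example, not the code of either MCP server. It shows why both are fatal: exec() given a plain dict as globals silently receives the full builtins module, so __import__ works; emptying __builtins__ removes that name but the script can still walk from a literal to object.__subclasses__() and back into the os module; and an AST gate that refuses imports and dunder access, combined with a builtins allowlist that omits getattr, closes both of those routes for in-process execution. The function names and the attacker scripts are constructed for illustration.

```python
import ast
import os

CURRENT_PID = os.getpid()   # used to prove a script reached the real os module


def run_with_default_builtins(script):
    """Vulnerable pattern: a fresh dict as globals looks empty, but exec()
    inserts __builtins__ into it, so the script can __import__ anything and
    runs with the full privileges of the server process."""
    ns = {}
    exec(script, ns)
    return ns.get("result")


def run_with_empty_builtins(script):
    """Frequent 'fix': hand exec() an empty builtins table. __import__, open,
    getattr and friends are now undefined names inside the script..."""
    ns = {"__builtins__": {}}
    try:
        exec(script, ns)
    except NameError as err:
        return ("NameError", str(err))
    return ns.get("result")


# Constructed attacker scripts (not taken from either advisory).
SCRIPT_IMPORT = "result = __import__('os').getpid()"

# ...but the object graph is still reachable from a literal: climb to `object`,
# list its subclasses, pick a class that os.py defines, and read the os module
# namespace out of one of its methods' __globals__. No builtin is needed.
SCRIPT_SUBCLASS_WALK = (
    "wrap = [c for c in ().__class__.__base__.__subclasses__()\n"
    "        if c.__name__ == '_wrap_close'][0]\n"
    "result = wrap.__init__.__globals__['getpid']()\n"
)

FORBIDDEN_NODES = (ast.Import, ast.ImportFrom, ast.Global, ast.Nonlocal)


def check_script(script):
    """Gate run before exec(): refuse imports and any dunder name or attribute,
    which rejects both scripts above. Returns the first violation, else None."""
    for node in ast.walk(ast.parse(script, mode="exec")):
        if isinstance(node, FORBIDDEN_NODES):
            return type(node).__name__
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return f"attribute {node.attr}"
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            return f"name {node.id}"
    return None


def run_gated(script):
    """exec() behind the AST gate with a small explicit builtins allowlist.
    getattr/setattr/vars are deliberately absent: with getattr available,
    getattr(x, '__cl' + 'ass__') would sidestep the attribute check, which is
    the 63604 failure mode. This narrows the surface; it is not a substitute
    for running untrusted code in a separate, unprivileged process."""
    violation = check_script(script)
    if violation is not None:
        return ("rejected", violation)
    ns = {"__builtins__": {"len": len, "sum": sum, "range": range,
                           "min": min, "max": max, "abs": abs}}
    exec(script, ns)
    return ns.get("result")


if __name__ == "__main__":
    print("default builtins:", run_with_default_builtins(SCRIPT_IMPORT) == CURRENT_PID)
    print("empty builtins, __import__:", run_with_empty_builtins(SCRIPT_IMPORT))
    print("empty builtins, subclass walk:", run_with_empty_builtins(SCRIPT_SUBCLASS_WALK) == CURRENT_PID)
    print("gated:", run_gated(SCRIPT_IMPORT), run_gated(SCRIPT_SUBCLASS_WALK))
    print("gated benign:", run_gated("result = sum(range(10))"))
```

The subclass walk depends only on the interpreter's object model, so it works against any in-process "sandbox" that still lets the script touch attributes by name; that is why the gate refuses dunder attributes at parse time rather than trying to hide individual names, and why the real boundary for untrusted code should be a separate process or container with its own user, filesystem view and timeout.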