GHSA-34W8-MCWR-VG29 CodeceptJS's incomprehensive sanitation can lead to Command Injection

CodeceptJS versions 3.5.0 through 3.7.5-beta.18 contain a command injection vulnerability in the emptyFolder function lib/utils.js. The execSync command directly concatenates the user-controlled directoryPath parameter without sanitization or escaping, allowing attackers to execute arbitrary...

CVE-2025-57285

CVE-2025-57285 affects CodeceptJS 3.7.3, where the emptyFolder function in lib/utils.js uses execSync with a user-controlled directoryPath unsafely, enabling potential command execution. The IBM and OSSV/GHSA entries corroborate the vulnerability in CodeceptJS and note versions around 3.5.0–3.7.5...

PT-2025-36489

Name of the Vulnerable Software and Affected Versions: codeceptjs version 3.7.3 Description: codeceptjs version 3.7.3 contains a command injection issue in the emptyFolder function located in lib/utils.js. The execSync command directly concatenates the user-controlled directoryPath parameter...

CVE-2025-53542

Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync function with unsanitized input derived...

CVE-2025-53542

Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync function with unsanitized input derived...

CVE-2025-53542 Kubernetes Headlamp Allows Arbitrary Command Injection in macOS Process headlamp@codeSign

Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync function with unsanitized input derived...

CVE-2025-53542 Kubernetes Headlamp Allows Arbitrary Command Injection in macOS Process headlamp@codeSign

Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync function with unsanitized input derived...

CVE-2025-53542

CVE-2025-53542 affects Headlamp, an extensible Kubernetes web UI. The vulnerability is a command injection in the macOS packaging workflow (codeSign.js) caused by using Node.js execSync() with unsanitized environment-derived input (teamID, entitlementsPath, config.app) passed to the shell without...

GHSA-G85V-WF27-67XC Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

Summary Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of...

PT-2024-40274 · Saltcorn · Saltcorn

Name of the Vulnerable Software and Affected Versions: Saltcorn versions prior to the fixed version Description: The issue arises from the use of user-controlled data in the git clone command without proper validation, leading to a command injection vulnerability. This allows an attacker with adm...

GO-2022-0482 containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd

containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd...

GO-2022-0480 Node DOS by way of memory exhaustion through ExecSync request in CRI-O in github.com/cri-o/cri-o

Node DOS by way of memory exhaustion through ExecSync request in CRI-O in github.com/cri-o/cri-o...

OS Command Execution

HFS is vulnerable to OS Command Execution. The vulnerability is due to using execSync instead of spawnSync in a childprocess to execute the df shell command, which allows an attacker to execute OS commands remotely via the file upload feature...

CVE-2024-39943

rejetto HFS aka HTTP File Server 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users if they have Upload permissions. This occurs because a shell is used to execute df i.e., with execSync instead of spawnSync in childprocess in Node.js...

CBL Mariner 2.0 Security Update: cri-o (CVE-2022-1708)

The version of cri-o installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-1708 advisory. - A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with...

A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.

...

EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2023-2190)

According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container c...

EulerOS 2.0 SP5 : docker-engine (EulerOS-SA-2023-2142)

According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container c...

EulerOS 2.0 SP11 : containerd (EulerOS-SA-2023-1421)

According to the versions of the containerd package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can...

Huawei EulerOS: Security Advisory for containerd (EulerOS-SA-2023-1421)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...