PYSEC-2026-443 PaddlePaddle vulnerable to code injection via winstr
In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution...
PYSEC-2026-512 Radicale is vulnerable to directory traversal on Windows Filesystem Storage Backend component
The filesystem storage backend in Radicale before 1.1 on Windows allows remote attackers to read or write to arbitrary files via a crafted path, as demonstrated by /c:/file/ignore...
PYSEC-2026-524 ReviewBoard and Djblets library are vulnerable to code execution
An eval vulnerability exists in Python Software Foundation Djblets versions before 0.6.30 and 0.7.0 before 0.7.19, and in Beanbag Review Board before 1.7.15, when parsing JSON requests, allowing an attacker to execute arbitrary Python code...
PYSEC-2026-314 Cobbler vulnerable to arbitrary code execution
Cobbler versions up to 2.8.2 are vulnerable to command injection in the "add repo" component, resulting in arbitrary code execution as the root user...
PYSEC-2026-545 OpenStack Object Storage (swift) Code Injection vulnerability
OpenStack Object Storage swift before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object...
PYSEC-2026-570 web2py remote code execution via hardcoded encryption key in session.connect function
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function...
PYSEC-2026-313 Cobbler has Exposed Dangerous Method or Function
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler and upload files to arbitrary locations in the context of the daemon...
PYSEC-2026-315 Cobbler Improper Validation of Security Tokens
Cobbler (verified as present in versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains an Incorrect Access Control vulnerability in the XMLRPC API /cobblerapi that can result in privilege escalation, data manipulation or...
PYSEC-2026-429 OpenStack Murano Code Execution
OpenStack Murano before 1.0.3 liberty and 2.x before 2.0.1 mitaka, Murano-dashboard before 1.0.3 liberty and 2.x before 2.0.1 mitaka, and python-muranoclient before 0.7.3 liberty and 0.8.x before 0.8.5 mitaka improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files,...
PYSEC-2026-563 Command injection in libvcs and vcspull
The package libvcs before 0.11.1 is vulnerable to Command Injection via argument injection. When the update_repo function is called with hg, the url parameter is passed to the hg clone command. By injecting hg options it was possible to get arbitrary command execution...
CVE-2026-47162
A flaw was found in Vim, an open-source text editor. This vulnerability, located in the netrw plugin, involves a code injection issue when the editor processes directory paths. A malicious directory name, if crafted by an attacker, could bypass security measures and allow for the execution of...
curl: CURLSHOPT_UNSHARE race can cause UAF in shared SSL session cache during HTTPS transfer
Summary: CURLSHOPT_UNSHARE can free a shared SSL session cache while another thread is starting a normal HTTPS transfer with the same share handle. The failing transfer reaches the cache through curl_easy_perform, during the OpenSSL handshake. libcurl appears to try to reject this kind of lifetime...
Exploit for CVE-2026-48939
CVE-2026-48939 - iCagenda Unauthenticated File Upload to RCE...
MAL-2026-6594 Malicious code in vkzmn (npm)
Source: ghsa-malware a41dc023cd84c69935ac2c642d6cb9c187fb6bce9c18d226d785fba49e80e50a. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2026-13559 code-projects Real State Services single-list_sale.php add sql injection
A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-list_sale.php?action=add. Manipulation of the argument ID can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to...
EUVD-2026-40070
A weakness has been identified in code-projects Real State Services 1.0. Impacted is an unknown function of the file /single-list_sale.php?action=add. Manipulation of the argument ID can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to...
CVE-2026-13559
CVE-2026-13559 affects code-projects Real State Services 1.0. The vulnerability resides in the /single-list_sale.php?action=add handling of the ID parameter, where unsafely manipulated input enables SQL injection. Attack vector is network-based and exploitation is possible remotely, with a public...