15357 matches found
CVE-2026-45805
Penpot MCP ReplServer exposes an unauthenticated /execute endpoint and binds to 0.0.0.0 (all interfaces), enabling remote JavaScript execution on the server. The issue is implemented in mcp/packages/server/src/ReplServer.ts by listening without a host (default 0.0.0.0) and posting code to PluginB...
CVE-2026-56352
n8n before 2.19.3 contains a file path restriction bypass in the legacy ExecuteWorkflow node's localFile source option, which reads workflow files from disk without the file-access checks enforced by other file-reading nodes. Although hidden from the UI since v1.2, it remains reachable via the RE...
CVE-2026-56352 n8n - Arbitrary File Read and Execution via ExecuteWorkflow localFile Parameter
n8n before 2.19.3 contains a file path restriction bypass in the legacy ExecuteWorkflow node's localFile source option, which reads workflow files from disk without the file-access checks enforced by other file-reading nodes. Although hidden from the UI since v1.2, it remains reachable via the RE...
VvvebJs < 1.7.5 - Arbitrary File Upload
Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php. id: CVE-2024-29272 info: name: VvvebJs 1.7.5 - Arbitrary File Upload author: s4e-...
Jan v0.4.12 - Arbitrary File Upload
An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file. id: CVE-2024-36858 info: name: Jan v0.4.12 - Arbitrary File Upload author: pussycat0x severity: critical description: | An arbitrar...
mooSocial v.3.1.8 - Cross-Site Scripting
Cross-Site Scripting XSS vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function. id: CVE-2023-44813 info: name: mooSocial v.3.1.8 - Cross-Site Scripting author: ritikchaddha severity:...
CVE-2026-15751
A security vulnerability has been detected in mastergo-design mastergo-magic-mcp up to 0.2.0. The affected element is the function execute of the file mastergo/component-workflow.md of the component mcpgetComponentGenerator. The manipulation of the argument rootPath leads to path traversal. An...
CVE-2026-15751 mastergo-design mastergo-magic-mcp mcp__getComponentGenerator component-workflow.md execute path traversal
A security vulnerability has been detected in mastergo-design mastergo-magic-mcp up to 0.2.0. The affected element is the function execute of the file mastergo/component-workflow.md of the component mcpgetComponentGenerator. The manipulation of the argument rootPath leads to path traversal. An...
CVE-2026-53633
Vitest is a testing framework powered by Vite. From 3.0.0 until 3.2.5, 4.1.8, and 5.0.0-beta.4, Vitest Browser Mode exposed a cdp API that forwarded raw Chrome DevTools Protocol methods without being gated by allowWrite or allowExec, allowing a remote client with exposed browser API metadata to u...
CVE-2026-48371
Adobe Commerce is affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerabl...
CVE-2026-54999
The CVE-2026-54999 entry concerns a race condition in Windows TCP/IP where concurrent access to a shared resource allows an unauthorized attacker on an adjacent network to execute code. Documented impact is remote code execution with high severity (CVSSv3.1: AV=A, AC=L, PR=N, UI=N, S=U, C=H, I=H,...
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
Numeric truncation error in Windows Resilient File System ReFS allows an authorized attacker to execute code locally...
CVE-2026-15668
A vulnerability has been found in louisho5 picobot up to 0.2.0. This vulnerability affects the function WebTool.Execute of the file internal/agent/tools/web.go of the component web Tool. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotel...
CVE-2026-15669
Technical details (affected products, vulnerable components, exploit vectors) are not publicly available in the provided documents. Monitor for updates.
CVE-2026-15669 louisho5 picobot exec Tool exec.go ExecTool.Execute os command injection
A vulnerability was found in louisho5 picobot up to 0.2.0. This issue affects the function ExecTool.Execute of the file internal/agent/tools/exec.go of the component exec Tool. The manipulation results in os command injection. The attack requires a local approach. The exploit has been made public...
CVE-2026-15668
The CVE affects louisho5 picobot up to version 0.2.0, specifically the web Tool component. The vulnerability resides in WebTool.Execute (internal/agent/tools/web.go) where manipulation of the url argument enables server-side request forgery (SSRF). It is a network-vector, with low privileges requ...
CVE-2026-15668 louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery
A vulnerability has been found in louisho5 picobot up to 0.2.0. This vulnerability affects the function WebTool.Execute of the file internal/agent/tools/web.go of the component web Tool. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotel...
PT-2026-58165
Name of the Vulnerable Software and Affected Versions Windows Resilient File System ReFS affected versions not specified Description A heap-based buffer overflow exists in the Windows Resilient File System ReFS. This issue allows an authenticated attacker with local access to execute arbitrary co...
PT-2026-58850
Name of the Vulnerable Software and Affected Versions mastergo-design mastergo-magic-mcp versions prior to 0.2.1 Description Path traversal occurs in the execute function within the mastergo/component-workflow.md file of the mcp getComponentGenerator component. This issue arises from the improper...
PT-2026-58187
Name of the Vulnerable Software and Affected Versions Windows Storage Spaces Direct affected versions not specified Description An integer overflow or wraparound issue exists in Windows Storage Spaces Direct. This flaw allows an unauthorized attacker with physical access to the system to execute...