CVE-2025-65791

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php...

PT-2026-7418

Name of the Vulnerable Software and Affected Versions EverShop versions prior to 2.1.1 Description EverShop is a TypeScript-first eCommerce platform susceptible to a second-order SQL injection. During category update and deletion event handling, the application incorporates values from the url...

CVE-2020-37032 Wing FTP Server 6.3.8 - Remote Code Execution

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the...

CVE-2025-61489

A command injection vulnerability in the shellexec function of sonirico mcp-shell v0.3.1 allows attackers to execute arbitrary commands via supplying a crafted command string...

CVE-2025-63680

Nero BackItUp in the Nero Productline is vulnerable to a path parsing/UI rendering flaw CWE-22 that, in combination with Windows ShellExecuteW fallback extension resolution, leads to arbitrary code execution when a user clicks a crafted entry. By creating a trailing-dot folder and placing a...

EUVD-2021-20147

Malware in sbrugna...

EUVD-2006-3387

Malware in sbrugna...

EUVD-2022-0824

Malicious code in bioql PyPI...

Exposure of Information Through Directory Listing

Overview @mastra/mcp-docs-server is a MCP server for accessing Mastra.ai documentation, changelogs, and news. Affected versions of this package are vulnerable to Exposure of Information Through Directory Listing via the execute function. An attacker can access sensitive directory listings by...

Linux Distros Unpatched Vulnerability : CVE-2023-30088

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjsexecute function in mjs.c. CVE-2023-30088 Note that Nessus...

SimStudioAI: A function in route.ts is vulnerable to Code Injection

A vulnerability was identified in SimStudioAI sim. This impacts an unknown function of the file apps/sim/app/api/function/execute/route.ts. The manipulation of the argument code leads to code injection. The attack is possible to be carried out remotely...

CVE-2025-10097

A vulnerability was identified in SimStudioAI sim up to 1.0.0. This impacts an unknown function of the file apps/sim/app/api/function/execute/route.ts. The manipulation of the argument code leads to code injection. The attack is possible to be carried out remotely...

PT-2025-36482

Name of the Vulnerable Software and Affected Versions: SimStudioAI sim versions up to 1.0.0 Description: A vulnerability exists in SimStudioAI sim up to version 1.0.0. The issue involves code injection due to the manipulation of the code argument within an unknown function of the file...

CVE-2012-10037

PhpTax 0.8 is affected by a remote code execution in drawimage.php. The pfilez GET parameter is passed directly to exec() without sanitization, allowing an attacker to inject arbitrary shell commands and execute code in the web server context without authentication. Multiple sources (NVD, Red Hat...

SQL Injection

Overview airda is an airda Affected versions of this package are vulnerable to SQL Injection via the execute function in the /v1/chat/completions file when processing the question argument. An attacker can access or modify sensitive data, or disrupt application functionality by sending crafted...

CVE-2015-10054

A vulnerability, which was classified as critical, was found in githuis P2Manage. This affects the function Execute of the file PTwoManage/Database.cs. The manipulation of the argument sql leads to sql injection. The identifier of the patch is 717380aba80002414f82d93c770035198b7858cc. It is...

Access Control Bypass

Overview openmanus is an Add your description here Affected versions of this package are vulnerable to Access Control Bypass through the execute function. An attacker can manipulate file handling operations by exploiting the improper access controls configured in the system. This is only...

Malicious user can still native tokens of MoneyMarketHook caller

Lines of code Vulnerability details Proof of Concept MoneyMarketHook allows user to chain some actions into one multicall to the InitCore. In the end user can get all wrapped native tokens that he withdrew in a form of native token. Note, that this part of code withdraws all balance from wrapped...

All contributions can get locked in the Crowdfund contract, with no means to refund users or finalize.

Lines of code Vulnerability details Impact ETHCrowdfundBasefinalize assumes that all contributions are intact, but there is an emergencyExecute function that is capable of spending part of crowdfund eth. If as little as one wei gets spent, Users cannot get refunded, and the Crowdfund will not get...

ODProxy contract can't grant safeRights (can't change the state of the called contracts) which will disable generating debts functionality

Lines of code Vulnerability details Impact The protocol implements a proxy mechanism to enable only the Vault721 contract from transferring SAFEs, as each SAFE is represented by a NFV non fungible vault. This contract has only one function execute that makes delegatecalls to other contracts, so...