
14958 matches found

Positive Technologies
added 2026/02/04 12:0 a.m., 2 views

PT-2026-6322

Name of the Vulnerable Software and Affected Versions: Godot MCP versions prior to 0.1.1. Description: Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. A command injection issue in godot-mcp allows remote code execution. The executeOperation function passe...

CVSS 7.8, AI score 6.5, EPSS 0.00029
Exploits: 1, References: 11

Positive Technologies
added 2026/02/04 12:0 a.m., 3 views

PT-2026-6403

Impact: Vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. Patches: The issue has been fixed in n8n versions 2.5.0 and 1.123.10. Users should upgrade to this version...

CVSS 9.9, AI score 6, EPSS 0.00027
Exploits: 0, References: 4

EUVD
added 2026/02/03 6:47 p.m., 3 views

EUVD-2025-206683

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 tmpserver modules allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. The vulnerability arises from improper validation of a packet field whose offset is used to determine...

CVSS 7.3, AI score 5.8, EPSS 0.00028
Exploits: 0, References: 4

OSV
added 2026/02/03 6:30 p.m., 2 views

GHSA-7G56-FWXJ-CM23 FUXA contains an Unrestricted File Upload vulnerability

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files such as the SQLite user...

CVSS 9.3, AI score 6, EPSS 0.00091
Exploits: 0, References: 3

NVD
added 2026/02/03 3:16 p.m., 2 views

CVE-2020-37102

Adaware Web Companion 4.9.2159 contains an unquoted service path vulnerability in the WCAssistantService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges...

CVSS 8.5, EPSS 0.00023
Exploits: 0, References: 4

ATTACKERKB
added 2026/02/03 2:49 p.m., 2 views

CVE-2020-37100

Sync Breeze Enterprise 12.4.18 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the...

CVSS 8.5, AI score 5.9, EPSS 0.00023
Exploits: 1, References: 3, Affected Software: 1

OSV
added 2026/02/03 9:30 a.m., 1 view

MAL-2026-698 Malicious code in tableshow (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4fe9c764b4cb621cdd65c3dee4c4cf00cc273aab33642ebce5690b3d5c8d71e1 Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

AI score 5.8
Exploits: 0, References: 3

EUVD
added 2026/02/03 12:0 a.m., 1 view

EUVD-2025-206705

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files such as the SQLite user...

AI score 6, EPSS 0.00091
Exploits: 0, References: 1

CNNVD
added 2026/02/03 12:0 a.m., 3 views

FUXA security vulnerability

FUXA is a web-based process visualization software developed by frangoteam. Version 1.2.7 of FUXA contains a security vulnerability. This vulnerability stems from the lack of an authentication mechanism for the /api/upload API endpoints. This allows unauthorized remote attackers to upload arbitrar...

CVSS 9.8, AI score 6.1, EPSS 0.00091
Exploits: 0, References: 1

Positive Technologies
added 2026/02/03 12:0 a.m., 1 view

PT-2026-5847

Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with...

CVSS 8.5, AI score 6, EPSS 0.00021
Exploits: 0, References: 3

NVD
added 2026/02/01 3:16 p.m., 3 views

CVE-2020-37062

DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts...

CVSS 8.5, EPSS 0.00008
Exploits: 0, References: 3

NVD
added 2026/02/01 3:16 p.m., 2 views

CVE-2020-37055

SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations to gain elevated access...

CVSS 8.5, EPSS 0.00008
Exploits: 0, References: 3

CVE
added 2026/02/01 2:38 p.m., 11 views

CVE-2020-37045

CVE-2020-37045 affects Veritas NetBackup 7.0. The vulnerability is an unquoted service path in the NetBackup INET Daemon (bpinetd.exe under C:\Program Files\Veritas\NetBackup\bin). This unquoted path can be exploited by local users to execute arbitrary code with elevated LocalSystem privileges. E...

CVSS 8.5, AI score 6.1, EPSS 0.00008
Exploits: 0, References: 3

OSV
added 2026/02/01 12:1 a.m., 2 views

OSV-2026-169 Null-dereference READ in execute_post_instantiate_functions

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=479872443 Crash type: Null-dereference READ Crash state: executepostinstantiatefunctions wasminstantiate wasmruntimeinstantiate...

AI score 5.8
Exploits: 0, References: 1

CVE
added 2026/01/30 10:7 p.m., 12 views

CVE-2020-37032

Wing FTP Server 6.3.8 is affected by a remote code execution flaw in the Lua-based web console. The issue allows authenticated users to send crafted POST requests that trigger operating system commands via os.execute(), enabling arbitrary code execution on the server. Affected component: Lua-base...

CVSS 8.8, AI score 6.6, EPSS 0.00709
Exploits: 1, References: 3, Affected Software: 1

Vulnrichment
added 2026/01/30 10:7 p.m., 5 views

CVE-2020-37032 Wing FTP Server 6.3.8 - Remote Code Execution

Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the...

CVSS 8.8, AI score 6.5, EPSS 0.00709
Exploits: 1, References: 3

CNNVD
added 2026/01/30 12:0 a.m., 1 view

Hikvision Wireless Access Points security vulnerabilities

Hikvision Wireless Access Points are wireless access point devices produced by the Chinese company Hikvision. There are security vulnerabilities in Hikvision Wireless Access Points, and these vulnerabilities stem from insufficient input validation, which may allow authenticated attackers to execu...

CVSS 7.2, AI score 6.2, EPSS 0.00021
Exploits: 1, References: 2

CNNVD
added 2026/01/30 12:0 a.m., 5 views

Popcorn Time code-related vulnerabilities

Popcorn Time is an open-source, multi-platform free software BitTorrent client developed by Popcorn Time. Version 6.2.1.14 of Popcorn Time contains a code vulnerability caused by an unquoted service path. This vulnerability could allow local non-privileged users to execute code and gain system...

CVSS 8.5, AI score 6, EPSS 0.00021
Exploits: 0, References: 3

Vulnrichment
added 2026/01/29 2:28 p.m., 2 views

CVE-2020-37016 BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path

BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will run with LocalSystem...

CVSS 8.5, AI score 6.1, EPSS 0.00023
Exploits: 0, References: 3

OSV
added 2026/01/29 8:36 a.m., 2 views

BIT-APPSMITH-2026-24042 Appsmith public apps can execute unpublished actions (viewMode confusion)

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished edit-mode actions by sending viewMode=false or omitting it to POST /api/v1/actions/execute. This bypasses the...

CVSS 9.8, AI score 6.2, EPSS 0.00121
Exploits: 0, References: 2