363 matches found
CVE-2026-33881
Windmill CVE-2026-33881 affects the NativeTS executor in Windmill’s workspace environment. The flaw arises because workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes, allowing a workspace admin to inject arbitrary JavaScript that ...
EUVD-2026-16820
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environmen...
CVE-2026-33881 Windmill: Rogue Workspace Admins can inject code via unescaped workspace environment variable interpolation in NativeTS executor
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environmen...
GHSA-54FQ-V6X8-244G Hugging Face Smolagents has an Injection issue
A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to...
CVE-2026-4963
A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to...
CVE-2026-4963
CVE-2026-4963 affects huggingface smolagents 1.25.0.dev0, specifically the LocalPythonExecutor in src/smolagents/local_python_executor.py (evaluate_augassign/evaluate_call/evaluate_with). Root cause is a code injection vulnerability that can be triggered remotely. Public exploits exist; multiple ...
CVE-2026-4963 huggingface smolagents Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_with code injection
A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to...
PT-2026-28689
A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible...
PT-2026-28548
Name of the Vulnerable Software and Affected Versions Windmill versions prior to 1.664.0 Description Windmill, a developer platform for internal code including APIs, background jobs, workflows, and UIs, is affected by a code injection issue. Workspace environment variable values are interpolated...
CVE-2026-4199
A vulnerability was identified in bazinga012 mcp_code_executor up to 0.3.0. Affected by this issue is the function installDependencies of the file src/index.ts. Such manipulation leads to command injection. The attack can only be performed from a local environment. The exploit is publicly available...
OSV-2026-437 Heap-use-after-free in tf::Executor::_invoke
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=494709474 Crash type: Heap-use-after-free WRITE 8 Crash state: tf::Executor::_invoke tf::Executor::_spawn void std::__1::__thread_proxy...
GetPDB (>=0.1.0 <=1.0.1), IMAPServer (=0.1.0) +3229 more potentially affected by unknown CVE via tokio-executor (>=0.1.10 <=0.2.0-alpha.6)
tokio-executor CARGO version =0.1.10, =0.1.0, =0.1.0, =0.1.0, =0.2.0, =0.5.3, =0.2.1, =0.1.0, =0.1.0, =0.1.0, =0.9.1 - acme-lib-load-order =0.1.0 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0063...
RUSTSEC-2026-0063 `tokio-executor` is unmaintained
The tokio-executor crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
`tokio-executor` is unmaintained
The tokio-executor crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
EUVD-2026-12269
A vulnerability was identified in bazinga012 mcp_code_executor up to 0.3.0. Affected by this issue is the function installDependencies of the file src/index.ts. Such manipulation leads to command injection. The attack can only be performed from a local environment. The exploit is publicly available...
CVE-2026-4199
The vulnerability CVE-2026-4199 affects bazinga012/mcp_code_executor up to v0.3.0, specifically the installDependencies function in src/index.ts. The issue enables command injection via local exploitation. The exploit is publicly available, and patching is advised. No additional details on affect...
CVE-2026-4199 bazinga012 mcp_code_executor index.ts installDependencies command injection
A vulnerability was identified in bazinga012 mcp_code_executor up to 0.3.0. Affected by this issue is the function installDependencies of the file src/index.ts. Such manipulation leads to command injection. The attack can only be performed from a local environment. The exploit is publicly available...