110 matches found

CNNVD
added 2022/06/08 12:0 a.m. | 2 views

metacalc Code Injection Vulnerability

metacalc is a Metarhia spreadsheet calculator for the Metarhia community. A security vulnerability exists in versions of metacalc prior to 0.0.2 that allows arbitrary code execution. An attacker exploited the vulnerability to access the Function constructor of...

CVSS 9.8 | AI score 9 | EPSS 0.02389
Exploits 1 | References 4
Cvelist
added 2022/06/03 8:5 p.m. | 12 views

CVE-2022-21122 Arbitrary Code Execution

The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor...

CVSS 9 | AI score 9.9 | EPSS 0.02389
Exploits 1 | References 3
ATTACKERKB
added 2022/06/03 8:0 p.m. | 3 views

CVE-2022-21122

The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor...

CVSS 9.8 | AI score 7.3 | EPSS 0.02389
Exploits 1 | References 4
OSV
added 2022/03/18 12:1 a.m. | 4 views

GHSA-8M2F-74R2-X3F2 Code injection in accesslog

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

CVSS 7.1 | AI score 7.6 | EPSS 0.01614
Exploits 1 | References 4
Github Security Blog
added 2022/03/18 12:1 a.m. | 28 views

Code injection in accesslog

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

CVSS 10 | AI score 4.6 | EPSS 0.01614
Exploits 1 | References 4 | Affected Software 1
OSV
added 2022/03/17 12:15 p.m. | 5 views

CVE-2022-25760

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

CVSS 9.8 | AI score 6.1 | EPSS 0.01614
Exploits 1 | References 2
NVD
added 2022/03/17 12:15 p.m. | 29 views

CVE-2022-25760

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

CVSS 10 | EPSS 0.01614
Exploits 1 | References 2
Prion
added 2022/03/17 12:15 p.m. | 21 views

Code injection

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

CVSS 10 | AI score 9.8 | EPSS 0.01614
Exploits 1 | References 2
ATTACKERKB
added 2022/03/17 11:16 a.m. | 2 views

CVE-2022-25760

All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...

CVSS 10 | AI score 6.2 | EPSS 0.01614
Exploits 1 | References 3
Snyk
added 2021/12/08 8:32 a.m. | 2 views

Arbitrary Code Injection

Overview: accesslog is a simple common/combined access log middleware. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package...

CVSS 10 | AI score 7.6 | EPSS 0.01614
Exploits 1 | References 2
OSV
added 2021/10/12 4:3 p.m. | 14 views

GHSA-PGJJ-866W-FC5C Risk of code injection

Impact: Some routes use eval or the Function constructor, which may be injected by the target site with unsafe code, causing server-side security issues. Patches: Temporarily removed the problematic route and added a no-new-func rule to eslint. Self-built users should upgrade to 7f1c430 and later as soon...

CVSS 8.6 | AI score 9.4 | EPSS 0.01572
Exploits 0 | References 5
Veracode
added 2021/01/27 7:51 a.m. | 22 views

Remote Code Execution (RCE)

rsshub is vulnerable to remote code execution. An attacker is able to inject malicious code via eval or the Function constructor, which allows the attacker to inject and execute code on the system...

CVSS 9.8 | AI score 9.6 | EPSS 0.01572
Exploits 0 | References 3 | Affected Software 1
CNNVD
added 2021/01/26 12:0 a.m. | 2 views

RSSHub Injection Vulnerability

An injection vulnerability exists in RSSHub that stems from the use of "eval" or "Function constructor" in some routes, leading to server-side security issues...

CVSS 9.8 | AI score 7.3 | EPSS 0.01572
Exploits 0 | References 4
OSV
added 2020/09/03 7:39 p.m. | 9 views

GHSA-5MRR-RGP6-X4GR Command Injection in marsdb

All versions of marsdb are vulnerable to Command Injection. In the DocumentMatcher class, selectors on $where clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands on the system when the function is executed. Recommendation: No fix is currently...

AI score 7.5
Exploits 0 | References 2
Github Security Blog
added 2020/09/03 7:39 p.m. | 195 views

Command Injection in marsdb

All versions of marsdb are vulnerable to Command Injection. In the DocumentMatcher class, selectors on $where clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands on the system when the function is executed. Recommendation: No fix is currently...

AI score 6.4
Exploits 0 | References 3 | Affected Software 1
OSV
added 2020/09/03 7:3 p.m. | 1 view

GHSA-7R5F-7QR4-PF6Q Sandbox Breakout / Arbitrary Code Execution in notevil

Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor leading t...

AI score 6
Exploits 0 | References 1
Github Security Blog
added 2020/09/03 7:3 p.m. | 31 views

Sandbox Breakout / Arbitrary Code Execution in notevil

Versions of notevil prior to 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor leading t...

AI score 4.8
Exploits 0 | References 2 | Affected Software 1
OSV
added 2020/09/01 3:32 p.m. | 21 views

GHSA-C7PP-G2V2-2766 DOM-based XSS in gmail-js

Affected versions of gmail-js are vulnerable to cross-site scripting in the tools.parseresponse, helper.get.visibleemailspost, and helper.get.emaildatapost functions, which pass user input directly into the Function constructor. Recommendation: Update to version 0.6.5 or later...

AI score 6 | EPSS 0.00713
Exploits 0 | References 5
Github Security Blog
added 2020/09/01 3:32 p.m. | 33 views

DOM-based XSS in gmail-js

Affected versions of gmail-js are vulnerable to cross-site scripting in the tools.parseresponse, helper.get.visibleemailspost, and helper.get.emaildatapost functions, which pass user input directly into the Function constructor. Recommendation: Update to version 0.6.5 or later...

AI score 3.5 | EPSS 0.00713
Exploits 0 | References 5 | Affected Software 1
Node.js
added 2019/08/29 5:53 p.m. | 15 views

Command Injection

Overview: All versions of marsdb are vulnerable to Command Injection. In the DocumentMatcher class, selectors on $where clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands on the system when the function is executed. Recommendation: No fix is...

AI score 7.1
Exploits 0 | Affected Software 1