
33 matches found

EUVD
added 2 days ago, 5 views

EUVD-2026-38231

MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as...

9.3 CVSS | 6.4 AI score | 0.003 EPSS
Exploits 0 | References 1
OSV
added 2026/06/17 3:17 p.m., 5 views

UBUNTU-CVE-2026-55748

OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability...

6 CVSS | 5.8 AI score | 0.0019 EPSS
Exploits 0 | References 4
ATTACKERKB
added 2026/05/05 7:24 p.m., 3 views

CVE-2026-34458

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions EditAdminOnly and ConfigPassword and inject arbitrary directives into the global...

9.3 CVSS | 5.9 AI score | 0.00251 EPSS
Exploits 1 | References 3 | Affected Software 1
Cvelist
added 2026/04/28 6:9 p.m., 31 views

CVE-2026-41392 OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options

OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-file to load attacker-chosen initialization files while...

6.7 CVSS | 0.00118 EPSS
Exploits 0 | References 3
Vulnrichment
added 2026/04/28 6:9 p.m., 3 views

CVE-2026-41392 OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options

OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-file to load attacker-chosen initialization files while...

6.7 CVSS | 5.2 AI score | 0.00118 EPSS
Exploits 0 | References 3
Positive Technologies
added 2026/04/28 12:0 a.m., 8 views

PT-2026-35776

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.31. Description: An exec allowlist bypass allows attackers to inherit allowlist trust through shell init-file wrapper invocations. By utilizing shell options such as --rcfile, --init-file, and --startup-file,...

7.3 CVSS | 5.8 AI score | 0.00118 EPSS
Exploits 0 | References 6
Snyk
added 2026/04/14 10:29 p.m., 6 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection in the INI settings parser when environment variable interpolation is processed via the parseinistring function. An attacker with Editor permissions can retrieve sensitive environment variables by injecting...

6.9 CVSS | 5.7 AI score | 0.00326 EPSS
Exploits 0 | References 2
Positive Technologies
added 2026/03/12 12:0 a.m., 5 views

PT-2026-25036

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, by controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to remote code...

9.3 CVSS | 6.2 AI score | 0.00691 EPSS
Exploits 1 | References 5
Positive Technologies
added 2026/02/18 12:0 a.m., 4 views

PT-2026-20533

FileOptimizer 14.00.2524 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the FileOptimizer32.ini configuration file. Attackers can overwrite the TempDirectory parameter with a 5000-character buffer to cause the application to crash when...

8.7 CVSS | 5.7 AI score | 0.00384 EPSS
Exploits 0 | References 5
CVE
added 2026/02/16 9:2 a.m., 10 views

CVE-2026-2548

WAYOS FBM-220G (version 24.10.19) contains a flaw in the rc file affecting function sub_40F820. Per the CVE records, manipulating arguments (upnp_waniface, upnp_ssdp_interval, upnp_max_age) can lead to a remote command injection. Exploitation is described as remotely executable with a low attack ...

6.5 CVSS | 6.4 AI score | 0.01404 EPSS
Exploits 0 | References 4
CNNVD
added 2025/12/28 12:0 a.m., 3 views

XunRuiCMS Cross-Site Scripting Vulnerability

XunRuiCMS is a content management system for individual developers of XunRuiCMS. A code injection vulnerability exists in XunRuiCMS 4.7.1 and earlier versions, which originates from the incorrect operation of the parameter callback in the file /dayrui/Fcms/Init.php, which may lead to...

6.1 CVSS | 5.5 AI score | 0.0031 EPSS
Exploits 1 | References 5
NVD
added 2025/09/23 1:15 a.m., 4 views

CVE-2025-10824

A vulnerability was determined in axboe fio up to 3.41. This impacts the function __parse_jobs_ini of the file init.c. Executing manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized...

5.3 CVSS | 0.00133 EPSS
Exploits 0 | References 5
Vulnrichment
added 2025/09/23 12:2 a.m., 3 views

CVE-2025-10824 axboe fio init.c __parse_jobs_ini use after free

A vulnerability was determined in axboe fio up to 3.41. This impacts the function __parse_jobs_ini of the file init.c. Executing manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized...

5.3 CVSS | 6.3 AI score | 0.00133 EPSS
Exploits 0 | References 5
Debian CVE
added 2025/09/23 12:2 a.m., 10 views

CVE-2025-10824

A vulnerability was determined in axboe fio up to 3.41. This impacts the function __parse_jobs_ini of the file init.c. Executing manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized...

5.3 CVSS | 5 AI score | 0.00133 EPSS
Exploits 0
Positive Technologies
added 2025/09/23 12:0 a.m., 4 views

PT-2025-39092

Name of the Vulnerable Software and Affected Versions: axboe fio versions up to 3.41. Description: A flaw exists in axboe fio up to version 3.41. This issue is related to the parse jobs ini function within the init.c file, which can lead to a use after free condition. The attack requires local acces...

5.3 CVSS | 5.7 AI score | 0.00133 EPSS
Exploits 0 | References 13
OSV
added 2025/07/21 4:15 p.m., 4 views

CVE-2025-52372

An issue in hMailServer v.5.8.6 allows a local attacker to obtain sensitive information via the hmailserver/installation/hMailServerInnoExtension.iss and hMailServer.ini components...

5.1 CVSS | 5.8 AI score | 0.00226 EPSS
Exploits 1 | References 3
CNNVD
added 2025/04/18 12:0 a.m., 2 views

Macro-Video V380 Security Vulnerability

Macro-Video V380 is an IP camera from Macro-Video. A security vulnerability exists in Macro-Video V380 version 1020302, which originates in the /mnt/mtd/mvconf/wifi.ini and /mnt/mtd/mvconf/userinfo.ini components and could lead to the execution of arbitrary code...

2.6 CVSS | 6.8 AI score | 0.0026 EPSS
Exploits 2 | References 2
CNNVD
added 2025/01/07 12:0 a.m., 3 views

LibreOffice Information Disclosure Vulnerability

LibreOffice is an open source office software suite from The Document Foundation. An information disclosure vulnerability exists in LibreOffice versions prior to 24.8 through 24.8.4, which stems from improper exposure of environment variables and INI file values, which could result in sensitive...

6.7 CVSS | 4.9 AI score | 0.00528 EPSS
Exploits 0 | References 3
AstraLinux
added 2024/11/23 3:4 a.m., 5 views

Astra Linux – Vulnerability in LibreOffice

The Document Foundation LibreOffice has a vulnerability where environmental variables and arbitrary INI file values may be exposed to unauthorized actors. URLs can be created that expand environmental variables or INI file values, allowing potentially sensitive information to be exfiltrated to a...

6.7 CVSS | 6 AI score | 0.00528 EPSS
Exploits 0 | References 3
OSSF Malicious Packages
added 2024/08/29 10:57 a.m., 3 views

Malicious code in crustyhttp (PyPI)

Base64-encoded commands are executed from init.py, which exfiltrate Telegram session data. --- -= Per source details. Do not edit below this line.=- Source: kam193 806b071147126057a7de9b570f85f694ad06923e4d580ddd5274731b5343f556 In the invokehttp, the init.py contains obfuscated code attempting t...

7.4 AI score
Exploits 0 | References 3