
17 matches found

OSV
added 2026/03/04 8:19 p.m. · 2 views

GHSA-FP25-P6MJ-QQG6 locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Code Injection

Details: A Remote Code Execution (RCE) flaw was discovered in the locutus project v2.0.39, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an...

CVSS 8.1 · AI score 6.2 · EPSS 0.00506
Exploits 1 · References 6
Github Security Blog
added 2026/03/04 8:19 p.m. · 4 views

locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Code Injection

Details: A Remote Code Execution (RCE) flaw was discovered in the locutus project v2.0.39, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an...

CVSS 8.1 · AI score 6.2 · EPSS 0.00506
Exploits 1 · References 6 · Affected Software 1
Cvelist
added 2026/02/05 5:22 p.m. · 31 views

CVE-2025-15551 LAN Code Execution on TP-Link Archer MR200, Archer C20, TL-WR850N and TL-WR845N

The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript...

CVSS 5.9 · EPSS 0.00043
Exploits 0 · References 10
Github Security Blog
added 2025/08/21 8:11 p.m. · 6 views

Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs

Dear Maintainers, I am writing to you on behalf of the Tencent AI Sec. We have identified a potential vulnerability in one of your products and would like to report it to you for further investigation and mitigation. Summary: The jk parameter is received in pyLoad CNL Blueprint. Due to the lack of...

CVSS 8.7 · AI score 7.1 · EPSS 0.00112
Exploits 0 · References 3 · Affected Software 1
RedhatCVE
added 2025/02/05 10:37 p.m. · 6 views

CVE-2022-36010

This library allows strings to be parsed as functions and stored as a specialized component, JsonFunctionValue. To do this, Javascript's eval function is used to execute strings that begin with "function" as Javascript. This unfortunately could allow arbitrary code to be executed if it exists as ...

CVSS 10 · AI score 7 · EPSS 0.00513
Exploits 1
OSV
added 2024/10/24 6:27 p.m. · 0 views

GHSA-MPCW-3J5P-P99X Butterfly's parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)

Summary: Usage of the Butterfly.prototype.parseJSON or getJSON functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server. Since Butterfly JavaScript code has access to Java classes, it can run arbitrary programs. Details: The...

AI score 6.2
Exploits 0 · References 3
SUSE CVE
added 2023/02/15 6:2 a.m. · 2 views

SUSE CVE-2009-3272

Stack consumption vulnerability in WebKit.dll in WebKit in Apple Safari 3.2.3, and possibly other versions before 4.1.2, allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls eval on a long string composed of A/ sequences...

CVSS 5 · AI score 6.9 · EPSS 0.03319
Exploits 0 · References 4
OSV
added 2022/08/18 7:15 p.m. · 16 views

GHSA-J3RV-W43Q-F9X2 React Editable Json Tree vulnerable to arbitrary code execution via function parsing

Impact: Our library allows strings to be parsed as functions and stored as a specialized component, JsonFunctionValue. To do this, Javascript's eval function was used to execute strings that begin with "function" as Javascript. This was an oversight that unfortunately allows arbitrary code to be...

CVSS 10 · AI score 9.3 · EPSS 0.00513
Exploits 1 · References 4
Vulnrichment
added 2022/08/15 6:30 p.m. · 5 views

CVE-2022-36010 Arbitrary code execution via function parsing in react-editable-json-tree

This library allows strings to be parsed as functions and stored as a specialized component, JsonFunctionValue. To do this, Javascript's eval function is used to execute strings that begin with "function" as Javascript. This unfortunately could allow arbitrary code to be executed if it exists as ...

CVSS 10 · AI score 9.4 · EPSS 0.00513
Exploits 1 · References 2
Positive Technologies
added 2022/08/15 12:0 a.m. · 3 views

PT-2022-23110 · Unknown · React-Editable-Json-Tree

Name of the Vulnerable Software and Affected Versions: react-editable-json-tree versions =3.0.0, no...

CVSS 10 · AI score 9.4 · EPSS 0.00513
Exploits 1 · References 7
Zero Day Initiative
added 2017/08/08 12:0 a.m. · 60 views

Microsoft Chakra eval Integer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Chakra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of...

CVSS 6.8 · AI score 8 · EPSS 0.73974
Exploits 2 · References 1
Prion
added 2010/03/25 9:0 p.m. · 15 views

Memory corruption

The TraceRecorder::traverseScopeChain function in js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors involving certain indirect...

CVSS 9.3 · AI score 8.2 · EPSS 0.03502
Exploits 0 · References 6 · Affected Software 1
Cvelist
added 2010/03/25 8:31 p.m. · 26 views

CVE-2010-0165

The TraceRecorder::traverseScopeChain function in js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors involving certain indirect...

AI score 9.6 · EPSS 0.03502
Exploits 0 · References 6
exploitpack
added 2009/09/09 12:0 a.m. · 15 views

Apple Safari 3.2.3 (Windows x86) - JavaScript eval Remote Denial of Service

#!/usr/bin/perl letsgosurfinnowonsafari.pl AKA Safari 3.2.3 Win32 JavaScript 'eval' Remote Denial of Service Exploit. Jeremy Brown, jbrownsec.blogspot.com, krakowlabs.com, 09.07.2009. Safari crashes when...

AI score 0.3
Exploits 0
RedHat Linux
added 2006/07/28 11:22 p.m. · 2 views

security flaw

Mozilla Firefox before 1.5.0.5 and SeaMonkey before 1.0.3 allows remote Proxy AutoConfig (PAC) servers to execute code with elevated privileges via a PAC script that sets the FindProxyForURL function to an eval method on a privileged object...

CVSS 7.5 · AI score 7.6 · EPSS 0.02341
Exploits 0 · References 4
RedHat Linux
added 2005/07/21 5:42 p.m. · 3 views

security flaw

Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CVE-2005-1160...

CVSS 7.5 · AI score 5.9 · EPSS 0.17427
Exploits 0 · References 4
Tenable Nessus
added 2005/07/13 12:0 a.m. · 22 views

FreeBSD : mozilla -- privilege escalation via non-DOM property overrides (a6427195-c2c7-11d9-89f7-02061b08fc24)

A Mozilla Foundation Security Advisory reports: Additional checks were added to make sure JavaScript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them in order to protect against an additional...

AI score 5.7
Exploits 0 · References 2