44 matches found

OSV · added 2026/05/05 9:29 p.m. · 0 views

GHSA-VJ3M-2G9H-VM4P Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass

Multiple RCE vectors were found in Grav CMS. Three are critical, two are high. 1. Unsafe unserialize in JobQueue — direct RCE gadget (Critical). system/src/Grav/Common/Scheduler/JobQueue.php:465 calls unserialize(base64_decode(...)) without restricting allowed_classes. The Job class has...

AI score 6 · Exploits 0 · References 3
Github Security Blog · added 2026/05/05 9:29 p.m. · 1 views

Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass

Multiple RCE vectors were found in Grav CMS. Three are critical, two are high. 1. Unsafe unserialize in JobQueue — direct RCE gadget (Critical). system/src/Grav/Common/Scheduler/JobQueue.php:465 calls unserialize(base64_decode(...)) without restricting allowed_classes. The Job class has...

AI score 6 · Exploits 0 · References 3 · Affected Software 1
Snyk · added 2026/05/05 9:29 p.m. · 3 views

Deserialization of Untrusted Data

Overview: getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via unsafe handling of serialized data and improper input validation in multiple components, including...

CVSS 9.8 · AI score 6.3 · Exploits 0 · References 3
RedhatCVE · added 2026/01/09 12:38 p.m. · 6 views

CVE-2023-50458

In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs...

CVSS 4.3 · AI score 6.2 · EPSS 0.0012 · Exploits 0 · References 1
OSV · added 2025/12/11 12:16 p.m. · 0 views

CVE-2025-64992

A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Nomad-PauseNomadJobQueue instruction prior to V25. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remo...

CVSS 7.2 · AI score 6.2 · EPSS 0.00063 · Exploits 0 · References 1
CVE · added 2025/12/11 11:28 a.m. · 17 views

CVE-2025-64992

CVE-2025-64992 describes a command injection in TeamViewer DEX (formerly 1E DEX), specifically in the 1E-Nomad-PauseNomadJobQueue instruction before version V25. The root cause is improper input validation that allows authenticated attackers with Actioner privileges to inject arbitrary commands, ...

CVSS 7.2 · AI score 7.6 · EPSS 0.00063 · Exploits 0 · References 1 · Affected Software 1
Cvelist · added 2025/12/11 11:28 a.m. · 26 views

CVE-2025-64992 Command Injection in 1E-Nomad-PauseNomadJobQueue Instruction

A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Nomad-PauseNomadJobQueue instruction prior to V25. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remo...

CVSS 6.8 · EPSS 0.00063 · Exploits 0 · References 1
EUVD · added 2025/10/07 12:30 a.m. · 2 views

EUVD-2010-2421

Malware in sbrugna...

CVSS 4.6 · AI score 6.2 · EPSS 0.00265 · Exploits 0 · References 3
EUVD · added 2025/10/07 12:30 a.m. · 1 views

EUVD-2008-5414

Malware in sbrugna...

CVSS 5.5 · AI score 6.4 · EPSS 0.00361 · Exploits 0 · References 7
EUVD · added 2025/10/03 8:07 p.m. · 1 views

EUVD-2023-55247

Malicious code in bioql PyPI...

CVSS 3.5 · AI score 6.6 · EPSS 0.0012 · Exploits 0 · References 2
EUVD · added 2025/10/03 8:07 p.m. · 1 views

EUVD-2021-28808

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 6.9 · EPSS 0.00378 · Exploits 0 · References 5
Gitee · added 2025/07/27 3:31 a.m. · 175 views

drupwn

This is an offensive tool for Drupal enumeration and exploitation. The tool, named Drupwn, is designed to automate Drupal information gathering and exploitation. It can be run in two modes: enum and exploit. The enum mode allows performing enumerations, while the exploit mode allows checking and...

AI score 7.1 · Exploits 0
OSV · added 2025/07/10 4:15 a.m. · 2 views

CVE-2023-50458

In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs...

CVSS 4.3 · AI score 6 · EPSS 0.0012 · Exploits 0 · References 2
Positive Technologies · added 2025/07/10 12:00 a.m. · 0 views

PT-2025-28975 · Dradis · Dradis

Name of the Vulnerable Software and Affected Versions: Dradis versions prior to 4.11.0. Description: The Dradis Output Console displays a job queue that may reveal information pertaining to jobs belonging to other users. Recommendations: Update to version 4.11.0 or later...

CVSS 3.5 · AI score 6.1 · EPSS 0.0012 · Exploits 0 · References 7
CVE · added 2025/07/10 12:00 a.m. · 13 views

CVE-2023-50458

Summary: CVE-2023-50458 affects Dradis before 4.11.0. The Output Console can expose a job queue that may contain information about other users’ jobs, representing a potential information disclosure. "What is affected": Dradis core software, prior to version 4.11.0. "Root cause / vulnerability typ...

CVSS 4.3 · AI score 6.3 · EPSS 0.0012 · Exploits 0 · References 2 · Affected Software 1
Cvelist · added 2025/07/10 12:00 a.m. · 4 views

CVE-2023-50458

In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs...

CVSS 3.5 · EPSS 0.0012 · Exploits 0 · References 2
Vulnrichment · added 2025/07/10 12:00 a.m. · 2 views

CVE-2023-50458

In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs...

CVSS 3.5 · AI score 6.8 · EPSS 0.0012 · Exploits 0 · References 2
CVE · added 2025/02/11 3:36 p.m. · 52 views

CVE-2025-24900

Concorde (Nexkey) vulnerability: lack of CSRF protection and misconfigured cookies for MediaProxy authentication allow bypassing authentication, enabling image loading without restrictions. Affects versions prior to 12.25Q1.1 (SameSite attribute missing); prior to 12.24Q2.3 the same cookie also a...

CVSS 8.6 · AI score 8.8 · EPSS 0.00105 · Exploits 0 · References 3
OSV · added 2024/03/06 11:10 a.m. · 26 views

BIT-MEDIAWIKI-2021-41801

The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time due to the job queue backlog...

CVSS 8.8 · AI score 8.5 · EPSS 0.00378 · Exploits 0 · References 3
NVD · added 2023/10/04 9:15 p.m. · 10 views

CVE-2023-43793

Misskey is an open source, decentralized social media platform. Prior to version 2023.9.0, by editing the URL, a user can bypass the authentication of the Bull dashboard, which is the job queue management UI, and access it. Version 2023.9.0 contains a fix. There are no known workarounds...

CVSS 7.5 · AI score 7.7 · EPSS 0.00214 · Exploits 0 · References 3