Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

Summary A Server-Side Code Injection vulnerability exists in the Yamcs script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython via the JSR-223 ScriptEngine API without enforcing a secure sandbox. An authenticat...

GHSA-2G95-6X5Q-XJWJ Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

Summary A Server-Side Code Injection vulnerability exists in the Yamcs script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython via the JSR-223 ScriptEngine API without enforcing a secure sandbox. An authenticat...

PT-2026-44162

Summary A Server-Side Code Injection vulnerability exists in the Yamcs script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython via the JSR-223 ScriptEngine API without enforcing a secure sandbox. An authenticat...

ai.h2o:h2o-admissibleml (>=3.34.0.1 <=3.46.0.1), ai.h2o:h2o-algos (>=3.0.0.5 <=3.46.0.1) +44 more potentially affected by CVE-2026-3960 via ai.h2o:h2o-core (>=3.0.0.12 <=3.46.0.1)

ai.h2o:h2o-core MAVEN version =3.0.0.12, =3.34.0.1, =3.0.0.5, =3.0.0.5, =3.12.0.1, =3.10.0.1, =3.14.0.7, =3.16.0.1, =3.14.0.1, =3.24.0.1, =3.30.1.1, =3.26.0.4, =3.10.5.1, =3.24.0.1, =3.30.0.1, =3.34.0.3, =3.46.0.1 and more Source cves: CVE-2026-3960 Source advisory: SNYK:JAVA-AIH2O-16417170...

CVE-2026-22737

Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...

ai.h2o:h2o-admissibleml (>=3.34.0.1 <=3.46.0.1), ai.h2o:h2o-algos (>=0.1.9 <=3.46.0.1) +45 more potentially affected by CVE-2024-5986 via ai.h2o:h2o-core (>=0.1.10 <=3.46.0.1)

ai.h2o:h2o-core MAVEN version =0.1.10, =3.34.0.1, =0.1.9, =0.1.9, =3.12.0.1, =3.10.0.1, =3.14.0.7, =3.16.0.1, =3.14.0.1, =3.24.0.1, =3.30.1.1, =3.26.0.4, =3.10.5.1, =3.24.0.1, =3.30.0.1, =3.34.0.3, =3.46.0.1 and more Source cves: CVE-2024-5986 Source advisory: OSV:GHSA-WJ3H-WX8G-X699...

Unity Linux 20.1070e Security Update: jython (UTSA-2025-984795)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-984795 advisory. The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified...

EUVD-2022-3281

Malicious code in bioql PyPI...

ai.h2o:h2o-admissibleml (>=3.34.0.1 <=3.46.0.10), ai.h2o:h2o-algos (>=0.1.9 <=3.46.0.10) +45 more potentially affected by CVE-2025-6544 via ai.h2o:h2o-core (>=0.1.10 <=3.46.0.7)

ai.h2o:h2o-core MAVEN version =0.1.10, =3.34.0.1, =0.1.9, =0.1.9, =3.12.0.1, =3.10.0.1, =3.14.0.7, =3.16.0.1, =3.14.0.1, =3.24.0.1, =3.30.1.1, =3.26.0.4, =3.10.5.1, =3.24.0.1, =3.30.0.1, =3.34.0.3, =3.46.0.10 and more Source cves: CVE-2025-6544 Source advisory: OSV:GHSA-5W3J-GWGH-4RFV...

ai.h2o:h2o-admissibleml (>=3.34.0.1 <=3.46.0.10), ai.h2o:h2o-algos (>=0.1.9 <=3.46.0.10) +49 more potentially affected by CVE-2025-10769 via ai.h2o:h2o-core (>=0.1.10 <=3.8.3.4)

ai.h2o:h2o-core MAVEN version =0.1.10, =3.34.0.1, =0.1.9, =0.1.9, =3.12.0.1, =3.8.2.4, =3.14.0.7, =3.16.0.1, =3.14.0.1, =3.24.0.1, =3.30.1.1, =3.26.0.4, =3.10.5.1, =3.24.0.1, =3.30.0.1, =3.34.0.3, =3.46.0.10 and more Source cves: CVE-2025-10769 Source advisory: SNYK:JAVA-AIH2O-13003701...

VulnCheck KEV: CVE-2025-34143

An authentication bypass vulnerability exists in ETQ Reliance on the CG legacy platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network access to the login pag...

CVE-2025-34143

An authentication bypass vulnerability exists in ETQ Reliance on the CG legacy platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network access to the login pag...

CVE-2025-34143

CVE-2025-34143 affects ETQ Reliance on the CG (legacy) platform. The vulnerability enables authentication bypass by manipulating the username field to login as the internal SYSTEM account, which does not require a password, granting network-access attackers elevated access. After authentication, ...

OESA-2025-1758 jython security update

Jython is an implementation of the high-level, dynamic, object-oriented language Python seamlessly integrated with the Java platform. The predecessor to Jython, JPython, is certified as 100% Pure Java. Jython is freely available for both commercial and non-commercial use and is distributed with...

Malicious code in jython-file (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fc56f6ba4b75b25d4289c3aa3cb1d05f9b1d7bbfacf00b11e270d76ba87a1a3e Package attempts to load in an obfuscated way a code from a file not included in the package as well as inject a dynamic library to the Python dynamic libs...

Exploit for Unrestricted Upload of File with Dangerous Type in Sap Netweaver

CVE-2025-31324 Burp Suite Extension Overview This Python-b...

ai.h2o:h2o-admissibleml (>=3.34.0.1 <=3.44.0.3), ai.h2o:h2o-algos (>=3.2.0.1 <=3.44.0.3) +34 more potentially affected by CVE-2024-8062 via ai.h2o:h2o-core (>=3.2.0.1 <=3.44.0.3)

ai.h2o:h2o-core MAVEN version =3.2.0.1, =3.34.0.1, =3.2.0.1, =3.2.0.1, =3.30.0.1, =3.30.0.1, =3.30.0.1, =3.30.0.1, =3.30.0.1, =3.30.1.1, =3.30.0.1, =3.30.0.1, =3.30.0.1, =3.30.0.1, =3.34.0.3, =3.30.0.1, =3.44.0.3 and more Source cves: CVE-2024-8062 Source advisory: OSV:GHSA-5C8J-G96X-CJ78...

CVE-2024-47880 OpenRefine has a reflected cross-site scripting vulnerability from POST request in ExportRowsCommand

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page th...

OpenRefine has a reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand

Summary The export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then ...

Fedora: Security Advisory (FEDORA-2024-b26f07d27b)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...