Lucene search
+L

111 matches found

osv
osv
added 2026/06/30 11:3 p.m.3 views

SUSE-SU-2026:22459-1 Security update for pcr-oracle

This update for pcr-oracle fixes the following issues Update to 0.6.3: Security issue: - integer underflow vulnerability in parsesbatlevelsection bsc1265042. Non security issue: - Lockout Authorization error for libvirt-emulated TPM bsc1265871. Changes for pcr-oracle: + Relax TPM self-test...

5.9AI score
Exploits0References3
osv
osv
added 2026/06/17 6:35 p.m.5 views

GHSA-6V84-V468-3C7F Duplicate Advisory: Picklescan has Incomplete List of Disallowed Inputs

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-84r2-jw7c-4r5q. This link is maintained to preserve external references. Original Description picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller...

9.8CVSS6.2AI score0.00623EPSS
Exploits0References4
nvd
nvd
added 2026/06/17 5:16 p.m.10 views

CVE-2025-71320

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when...

9.8CVSS0.00623EPSS
Exploits0References2
cve
cve
added 2026/06/17 3:4 p.m.29 views

CVE-2025-71320

The CVE identifies a vulnerability in picklescan prior to 0.0.33, where an incomplete deny-list fails to block pydoc.locate and operator.methodcaller. This allows remote attackers to craft malicious pickle files that, when deserialized, yield arbitrary code execution. The issue is tied to deseria...

9.8CVSS6.1AI score0.00623EPSS
Exploits0References2
euvd
euvd
added 2026/06/17 3:4 p.m.13 views

EUVD-2025-210267

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when...

9.8CVSS6.1AI score0.00623EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/17 3:4 p.m.19 views

CVE-2025-71320 picklescan - Remote Code Execution via Incomplete Disallowed Inputs

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when...

9.8CVSS0.00623EPSS
Exploits0References2
osv
osv
added 2026/05/15 10:50 a.m.8 views

CLSA-2026-1778820779 tar: Fix of CVE-2023-39804

CVE-2023-39804: fix crash on PAX archive with malformed extended header attributes in locatehandler and xattrdecoder...

6.2CVSS7.3AI score0.00283EPSS
Exploits0References1
osv
osv
added 2026/05/15 8:41 a.m.10 views

CLSA-2026-1778828497 tar: Fix of CVE-2023-39804

CVE-2023-39804: fix crash on PAX archive with malformed extended header attributes in locatehandler and xattrdecoder...

6.2CVSS5.8AI score0.00283EPSS
Exploits0References1
github
github
added 2026/03/19 7:25 p.m.7 views

Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG

The fix for CVE-2026-27598 commit e2ed589, PR 1691 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the fileName URL path parameter to locateDAG without...

8.1CVSS6AI score0.00571EPSS
Exploits2References4Affected Software1
vulnrichment
vulnrichment
added 2026/03/03 1:21 a.m.2 views

CVE-2026-2448 Page Builder by SiteOrigin <= 2.33.5 - Authenticated (Contributor+) Local File Inclusion

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locatetemplate function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary fil...

8.8CVSS6.5AI score0.00888EPSS
Exploits0References2
susecve
susecve
added 2026/02/21 12:24 a.m.6 views

SUSE CVE-2026-26318

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions. Version 5.31.0 fixes the issue...

8.8CVSS5.8AI score0.0115EPSS
Exploits1References3
osv
osv
added 2026/02/19 8:25 p.m.5 views

DEBIAN-CVE-2026-26318

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions. Version 5.31.0 fixes the issue...

8.8CVSS5.8AI score0.0115EPSS
Exploits1References1
nvd
nvd
added 2026/02/19 8:25 p.m.8 views

CVE-2026-26318

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions. Version 5.31.0 fixes the issue...

8.8CVSS0.0115EPSS
Exploits1References5
cvelist
cvelist
added 2026/02/19 7:48 p.m.29 views

CVE-2026-26318 systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions. Version 5.31.0 fixes the issue...

8.8CVSS0.0115EPSS
Exploits1References2
debiancve
debiancve
added 2026/02/19 7:48 p.m.9 views

CVE-2026-26318

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions. Version 5.31.0 fixes the issue...

8.8CVSS5.8AI score0.0115EPSS
Exploits1
vulnrichment
vulnrichment
added 2026/02/19 7:48 p.m.4 views

CVE-2026-26318 systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions. Version 5.31.0 fixes the issue...

8.8CVSS5.5AI score0.0115EPSS
Exploits1References2
cve
cve
added 2026/02/19 7:48 p.m.20 views

CVE-2026-26318

The CVE-2026-26318 issue affects the systeminformation package for Node.js: versions prior to 5.31.0 are vulnerable to local command injection via unsanitized output from the locate command in versions(). Version 5.31.0 fixes the issue. Root has patched the vulnerability in @rootio/systeminformat...

8.8CVSS5.5AI score0.0115EPSS
Exploits1References5Affected Software1
osv
osv
added 2026/02/19 7:48 p.m.6 views

CVE-2026-26318 systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions. Version 5.31.0 fixes the issue...

8.8CVSS5.6AI score0.0115EPSS
Exploits1References7
cnnvd
cnnvd
added 2026/02/19 12:0 a.m.7 views

systeminformation 操作系统命令注入漏洞

SystemInformation is a NPM library developed by Sebastian Hildebrandt that allows access to operating system information. Versions of SystemInformation prior to 5.31.0 contained a vulnerability related to operating system command injection, caused by uncleaned locate output in the versions...

8.8CVSS5.8AI score0.0115EPSS
Exploits1References2
snyk
snyk
added 2026/02/18 10:36 p.m.8 views

Command Injection

Overview systeminformation is a simple system and OS information library. Affected versions of this package are vulnerable to Command Injection via the versions function, which executes a locate command to find a PostgreSQL installation on Linux. An attacker who can write files to the target...

8.8CVSS6.1AI score0.0115EPSS
Exploits1References2
Rows per page
Query Builder