36 matches found
CVE-2026-10538
Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker ...
CVE-2026-10539
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This...
EUVD-2026-40926
Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker ...
EUVD-2026-40925
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This...
CVE-2026-10539 Unauthenticated command injection in Control-M/Server communication command
A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This...
CVE-2026-10539
The vulnerability CVE-2026-10539 affects Control-M/Server versions 9.0.20.x through 9.0.21.200 (and potentially earlier unsupported versions). It is caused by insufficient filtering/sanitization of user-supplied input in a Control-M/Server communication command, which could allow an unauthenticat...
EUVD-2019-0295
Malware in sbrugna...
EUVD-2019-0260
Malware in sbrugna...
EUVD-2025-29568
Malicious code in bioql PyPI...
CVE-2025-48709
An issue was discovered in BMC Control-M 9.0.21.300. When Control-M Server has a database connection, it runs DBUStatus.exe frequently, which then calls dbuconnectiondetails.vbs with the username, password, database hostname, and port written in cleartext, which can be seen in event and process...
CVE-2025-48709
BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on,...
CVE-2025-48709 BMC Control-M/Server cleartext database credentials in process lists and logs
BMC Control-M/Server 9.0.21.300 displays cleartext database credentials in process lists and logs. An authenticated attacker with shell access could observe these credentials and use them to log in to the database server. For example, when Control-M/Server on Windows has a database connection on,...
Node.js third-party modules: [m-server] XSS reflected because path does not escapeHtml
I would like to report XSS in m-server It allows attacker can perform XSS in client side Module module name: m-server version: 1.4.2 npm page: https://www.npmjs.com/package/m-server Module Description M-Server is a mini http static server that without any dependencies; Module Stats 1 weekly...
BMC Control-M/Agent Arbitrary File Download Vulnerability
Control-M is one of BMC's most important automation control products, and is the world's leading integrated business scheduling solution for cross-platform and cross-application job scheduling. A security vulnerability exists in BMC Control-M/Agent and Control-M/Server communication when using th...
GHSA-VC6R-4X6G-MMQC Path Traversal in m-server
Versions of m-server before 1.4.2 are vulnerable to path traversal allowing a remote attacker to display content of arbitrary files from the server. Recommendation Update to version 1.4.2 or later...
Path Traversal in m-server
Versions of m-server before 1.4.2 are vulnerable to path traversal allowing a remote attacker to display content of arbitrary files from the server. Recommendation Update to version 1.4.2 or later...
GHSA-899G-6Q6W-7V94 m-server Vulnerable to Directory Traversal
Path Traversal vulnerability in module m-server 1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL request...
GHSA-GMXV-XF2Q-6J8M Cross-Site Scripting in m-server
Versions of m-server before 1.4.2 are vulnerable to stored cross-site scripting. This vulnerability is exploitable if an attacker is able to control the name of a file that m-server is serving. Recommendation Update to version 1.4.2 or later...
Cross-Site Scripting in m-server
Versions of m-server before 1.4.2 are vulnerable to stored cross-site scripting. This vulnerability is exploitable if an attacker is able to control the name of a file that m-server is serving. Recommendation Update to version 1.4.2 or later...
M-Server Path Traversal Vulnerability
m-server is a small http static server . M-Server suffers from a path traversal vulnerability that arises from a failure of a network system or product to properly filter special elements in the path of a resource or file. An attacker could use this vulnerability to access locations outside of a...