CVE-2026-31226

CVE-2026-31226 relates to a critical command-injection in TinyZero’s HDFS file operations utilities. The flaw stems from unsafe shell command construction and execution via os.system(), where user-controlled input (e.g., file paths) is interpolated using f-strings inside the _copy() function. An ...

Exploit for CVE-2026-33017

CVE-2026-33017 — Langflow Unauthenticated RCE PoC !CVEhttp...

EUVD-2025-208671

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the mlflow/sagemaker/init.py file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, whic...

CVE-2025-14287

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the mlflow/sagemaker/init.py file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, whic...

CVE-2025-52365

A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system. The vulnerability arises from improper input handling where command-line arguments are directly...

CVE-2025-36059

IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls...

EUVD-2017-13000

Malware in sbrugna...

EUVD-2018-10725

Malware in sbrugna...

PT-2025-36965

Name of the Vulnerable Software and Affected Versions: FTP-Flask-python versions through 5173b68 Description: A command injection issue exists in FTP-Flask-python. The /ftp.html endpoint’s "Upload File" action constructs a shell command from the ftp file parameter and executes it using os.system...

Linux Distros Unpatched Vulnerability : CVE-2020-13091

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the readpickle function, if reduce makes an os.system call...

PT-2025-32492 · Pypi · Ms-Swift

I. Detailed Description: 1. Install ms-swift pip install ms-swift -U 2. Start web-ui swift web-ui --lang en 3. After startup, access through browser at http://localhost:7860/ to see the launched fine-tuning framework program 4. Fill in necessary parameters In the LLM Training interface, fill in...

IBM Db2 Denial of Service Vulnerability (CNVD-2025-12295)

IBM Db2 is a relational database management system from International Business Machines IBM. The system's execution environments are mainly UNIX, Linux, IBMi, z/OS, and Windows server versions. A denial of service vulnerability exists in IBM Db2, which can be exploited by an attacker to cause a...

CVE-2021-20044

A post-authentication remote command injection vulnerability in SonicWall SMA100 allows a remote authenticated attacker to execute OS system commands in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances...

CVE-2024-3955

CVE-2024-3955 affects CraftBeerPi 4 up to 4.4.1.a1. The issue arises when the URL parameter logtime in the downloadlog endpoint is passed from cbpi/http_endpoints/http_system.py to os.system in cbpi/controller/system_controller.py without validation, allowing arbitrary code execution. Multiple co...

Code injection

An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used...

PT-2023-25499 · Langchain · Langchain

Name of the Vulnerable Software and Affected Versions: LangChain versions prior to 0.0.236 Description: The issue allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used. This is possible via the PALChain in the python exec method. Recommendation...

SUSE CVE-2017-16667

backintime aka Back in Time before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands within an os.system call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft...

SUSE CVE-2020-13092

scikit-learn aka sklearn through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load function, if reduce makes an os.system call. NOTE: third parties dispute this issue because the joblib.load function is documented as unsafe and it is the user's...

CVE-2021-20044

A post-authentication remote command injection vulnerability in SonicWall SMA100 allows a remote authenticated attacker to execute OS system commands in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances...

Code Injection in prayag2/konsave

✍️ Description konsave is a CLI program that will let you save and apply your KDE Plasma customizations with just one command , which is vulnerable to YAML deserialization attack caused by unsafe loading leads to Arbitary Code Execution. 🕵️‍♂️ Proof of Concept Installation bash pip install konsave...