11 matches found
CVE-2026-41109
Improper neutralization of special elements in output used by a downstream component 'injection' in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network...
GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
Improper neutralization of special elements in output used by a downstream component 'injection' in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network...
CVE-2026-40112
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The sanitizehtml function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml...
Trust Boundary Violation
Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Trust Boundary Violation via the process handling background runtime output injection into trusted System: events. An attacker can escalate privileges or inject unauthorized commands by...
EUVD-2026-11751
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary...
Output Injection
Badkeys is vulnerable to output injection. The vulnerability is due to improper handling and sanitization of control characters in input, which allows an attacker to inject malicious content that produces misleading or manipulated command-line output when scanning DKIM keys, SSH keys, or filename...
EUVD-2019-0796
Malware in sbrugna...
Improper Neutralization
Mongosh is vulnerable to Improper Neutralization. The vulnerability is due to improper output sanitization, which lets an attacker inject control characters into shell output, potentially displaying falsified messages that mislead users into executing unsafe actions...
PT-2025-8939
Name of the Vulnerable Software and Affected Versions: mongosh versions prior to 2.3.9. Description: The MongoDB Shell may be susceptible to control character injection, allowing an attacker with control over the database cluster contents to inject control characters into the shell output. This can...
CVE-2025-23366
A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups...
CVE-2019-19714
Contao 4.8.4 and 4.8.5 have Improper Encoding or Escaping of Output. It is possible to inject insert tags into the login module which will be replaced when the page is rendered...