590 matches found
CVE-2026-32260
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand...
CVE-2026-32260 Command Injection via incomplete shell metacharacter blocklist in node:child_process (bypass of CVE-2026-27190 fix)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.7.0 to 2.7.1, A command injection vulnerability exists in Deno's node:childprocess polyfill shell: true mode that bypasses the fix for CVE-2026-27190. The two-stage argument sanitization in transformDenoShellCommand...
cpython: email header injection due to unquoted newlines
A flaw was found in the email module in the Python standard library. When serializing an email message, the BytesGenerator class fails to properly quote newline characters for email headers. This issue is exploitable when the LiteralHeader class is used as it does not respect email folding rules,...
cpython: email header injection due to unquoted newlines
A flaw was found in the email module in the Python standard library. When serializing an email message, the BytesGenerator class fails to properly quote newline characters for email headers. This issue is exploitable when the LiteralHeader class is used as it does not respect email folding rules,...
SUSE-SU-2026:0884-1 Security update for python36
This update for python36 fixes the following issues: - CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator bsc1257181...
PT-2026-25071
Summary A command injection vulnerability exists in Deno's node:child process polyfill shell: true mode that bypasses the fix for CVE-2026-27190 GHSA-hmh4-3xvx-q5hr. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno'...
Security update for python
This update for python fixes the following issue: CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in BytesGenerator bsc1257181. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypp...
GHSA-MQR9-VQHQ-3JXW OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
Summary OpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated gateway.cmd files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task...
PT-2026-26234
Summary OpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated gateway.cmd files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task...
CVE-2026-27469 Isso: Stored XSS via comment website field
Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting XSS vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, whi...
PT-2026-5807
Name of the Vulnerable Software and Affected Versions ProShow Producer version 9.0.3797 Description The software contains an unquoted service path vulnerability within the ScsiAccess service. This allows local attackers to potentially execute arbitrary code. Exploitation involves leveraging the...
PT-2026-5804
Name of the Vulnerable Software and Affected Versions NETGATE Data Backup version 3.0.620 Description The software contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. This allows attackers to inject and execute malicious code with LocalSystem...
PT-2026-5805
Name of the Vulnerable Software and Affected Versions TexasSoft CyberPlanet version 6.4.131 Description TexasSoft CyberPlanet 6.4.131 contains a security issue due to an unquoted service path in the CCSrvProxy service. This allows local attackers to execute arbitrary code. The unquoted path is...
GHSA-VQQR-RMPC-HHG2 melange pipeline working-directory could allow command injection
An attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses $vars. or $inputs. substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. Fix: Fixed with e51ca30c,...
PT-2026-6488
An attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses $vars. or $inputs. substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. Fix: Fixed with e51ca30c,...
EPSON EasyMP Network Projection 代码问题漏洞
EPSON EasyMP Network Projection is a network projection management software developed by the Japanese company EPSON. Version 2.81 of EPSON EasyMP Network Projection contains a code vulnerability. This vulnerability stems from a path in the EMPNSWLSV service that lacks quotation marks, which may...
CVE-2026-22696
dcap-qvl implements the quote verification logic for DCAP Data Center Attestation Primitives. A vulnerability present in versions prior to 0.3.9 involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral including qeidentity,...
CVE-2026-22696
dcap-qvl implements the quote verification logic for DCAP Data Center Attestation Primitives. A vulnerability present in versions prior to 0.3.9 involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral including qeidentity,...
dcap-qvl has Missing Verification for QE Identity
Impact This vulnerability involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral including qeidentity, qeidentitysignature, and qeidentityissuerchain from the PCCS. However, it skips to verify the QE Identity signature...
CLSA-2026-1769084608 mariadb: Fix of 5 CVEs
Updated to the 10.5.29 tarball - CVE-2025-30722: fix mariadb-dump wrong quoting character by using ' not " and using quoteforequal - CVE-2025-30693: fix incorrect undo logging for indexes on virtual columns by properly encoding/decoding large index IDs in InnoDB undo log records - CVE-2025-21490:...