
24 matches found

CNNVD
added 2026/05/17 12:0 a.m., 6 views

AI SDK command injection vulnerability

AI SDK is a TypeScript AI toolkit open-sourced by Vercel. Versions of AI SDK 3.0.97 and earlier have a command injection vulnerability. This vulnerability stems from the run function in the PR Branch Name Interpolation component, where operating system commands can be injected, potentially allowi...

7.5 CVSS, 6 AI score, 0.00307 EPSS
Exploits 1, References 1
Positive Technologies
added 2026/05/17 12:0 a.m., 6 views

PT-2026-41570

Name of the Vulnerable Software and Affected Versions: vercel ai versions prior to 3.0.98 Description: An OS command injection issue exists in the PR Branch Name Interpolation component. The flaw is located within the run function of the .github/workflows/prettier-on-automerge.yml file. This allows...

5 CVSS, 6.2 AI score, 0.00307 EPSS
Exploits 1, References 8
ATTACKERKB
added 2026/04/09 7:30 p.m., 0 views

CVE-2026-5974

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function Bash.run in the library metagpt/tools/libs/terminal.py. This manipulation causes os command injection. The attack is possible to be carried out remotely. The project was informed of the...

7.5 CVSS, 6.8 AI score, 0.00455 EPSS
Exploits 1, References 7, Affected Software 1
Positive Technologies
added 2026/03/11 12:0 a.m., 2 views

PT-2026-24895

A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The...

5.3 CVSS, 5.5 AI score, 0.00387 EPSS
Exploits 0, References 6
Positive Technologies
added 2026/02/16 12:0 a.m., 2 views

PT-2026-8349

Name of the Vulnerable Software and Affected Versions: kalcaddle kodbox versions up to 1.64.05 Description: A flaw exists in kalcaddle kodbox that allows for operating system command injection. This occurs through manipulation of the localFile argument within the run function of the...

6.5 CVSS, 6.2 AI score, 0.00371 EPSS
Exploits 0, References 7
OSV
added 2025/04/08 5:15 a.m., 0 views

CVE-2024-13820

The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.9 via the 'run' function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information,...

5.3 CVSS, 5.8 AI score
Exploits 0, References 4
Positive Technologies
added 2024/04/12 12:0 a.m., 2 views

PT-2024-23045 · Timber · Timber

Name of the Vulnerable Software and Affected Versions: Timber versions 1.23.0 and earlier Description: The issue is related to Deserialization of Untrusted Data, which can lead to remote code execution, especially when used with frameworks or developer code that have vulnerable POP chains. This i...

8 CVSS, 7.8 AI score, 0.00895 EPSS
Exploits 0, References 10
SUSE CVE
added 2023/02/15 6:5 a.m., 1 views

SUSE CVE-2008-5713

The __qdisc_run function in net/sched/sch_generic.c in the Linux kernel before 2.6.25 on SMP machines allows local users to cause a denial of service (soft lockup) by sending a large amount of network traffic, as demonstrated by multiple simultaneous invocations of the Netperf benchmark application in...

4.9 CVSS, 6.3 AI score, 0.00207 EPSS
Exploits 1, References 3
NVD
added 2022/12/20 5:15 a.m., 12 views

CVE-2022-25171

The package p4 before 0.0.7 is vulnerable to Command Injection via the run function due to improper input sanitization...

9.8 CVSS, 0.01909 EPSS
Exploits 1, References 3
OSV
added 2022/12/20 5:15 a.m., 10 views

CVE-2022-25171

The package p4 before 0.0.7 is vulnerable to Command Injection via the run function due to improper input sanitization...

9.8 CVSS, 7.2 AI score
Exploits 0, References 3
Positive Technologies
added 2022/12/20 12:0 a.m., 2 views

PT-2022-17110 · P4 · P4

Name of the Vulnerable Software and Affected Versions: p4 versions prior to 0.0.7 Description: The issue is related to Command Injection via the run function due to improper input sanitization. Recommendations: For versions prior to 0.0.7, update to version 0.0.7 or later to resolve the issue. As...

9.8 CVSS, 9.6 AI score, 0.01909 EPSS
Exploits 1, References 10
CNNVD
added 2022/12/20 12:0 a.m., 1 views

p4 operating system command injection vulnerability

p4 is a small utility library for working with Perforce by the individual developer Nate Long. An operating system command injection vulnerability exists in versions prior to p4 0.0.7, which stems from incorrect input cleanup, and a command injection vulnerability via the run function...

9.8 CVSS, 8.3 AI score, 0.01909 EPSS
Exploits 1, References 4
Snyk
added 2022/12/12 12:51 p.m., 1 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the run function due to improper input sanitization PoC javascript var root = require"p4" root.run"& touch JHU","",function Remediation Upgrade p4 to version 0.0.7 or higher. References - GitHub Commit - Vulnerable...

9.8 CVSS, 7.4 AI score, 0.01909 EPSS
Exploits 1, References 2
Github Security Blog
added 2021/04/13 3:32 p.m., 49 views

OS Command Injection in curling

npm package curling before version 1.1.0 is vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization...

10 CVSS, 4.9 AI score, 0.08278 EPSS
Exploits 1, References 4, Affected Software 1
OSV
added 2021/04/13 3:32 p.m., 10 views

GHSA-XMXH-G7WJ-8M4M OS Command Injection in curling

npm package curling before version 1.1.0 is vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization...

9.8 CVSS, 9.8 AI score, 0.08278 EPSS
Exploits 1, References 3
Packet Storm
added 2021/01/05 12:0 a.m., 233 views

CMS Made Simple 2.2.15 Remote Command Execution

Exploit Title: CMS Made Simple 2.2.15 - RCE Authenticated Author: Andrey Stoykov Vendor Homepage: https://www.cmsmadesimple.org/ Software Link: https://www.cmsmadesimple.org/downloads/cmsms Version: 2.2.15 Tested on: Debian 10 LAMPP Exploit and Detailed Info:...

0.1 AI score
Exploits 0
Exploit DB
added 2021/01/04 12:0 a.m., 277 views

CMS Made Simple 2.2.15 - RCE (Authenticated)

Exploit Title: CMS Made Simple 2.2.15 - RCE Authenticated Author: Andrey Stoykov Vendor Homepage: https://www.cmsmadesimple.org/ Software Link: https://www.cmsmadesimple.org/downloads/cmsms Version: 2.2.15 Tested on: Debian 10 LAMPP Exploit and Detailed Info:...

7.4 AI score
Exploits 0
NVD
added 2020/02/06 4:15 p.m., 6 views

CVE-2019-10789

All versions of curling.js are vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization...

10 CVSS, 9.8 AI score, 0.08278 EPSS
Exploits 1, References 2
Prion
added 2020/02/06 4:15 p.m., 6 views

Command injection

All versions of curling.js are vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization...

10 CVSS, 9.8 AI score, 0.08278 EPSS
Exploits 1, References 2
Cvelist
added 2020/02/06 3:58 p.m., 14 views

CVE-2019-10789

All versions of curling.js are vulnerable to Command Injection via the run function. The command argument can be controlled by users without any sanitization...

9.8 AI score, 0.08278 EPSS
Exploits 1, References 2