86 matches found
CVE-2026-45312
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator rag/prompts/generator.py allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas...
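The mechanism behind this entry, as an added example that is not RAGFlow's code: when user-written prompt text is compiled as a full Jinja2 template, the attacker can walk from one of Jinja2's default globals (`cycler`) through `__init__.__globals__` into the `jinja2.utils` module namespace, which imports `os`, and call `os.popen`. The payload and the benign template below are constructed for this example; the `SandboxedEnvironment` shown is one standard mitigation, not necessarily the one the project shipped.

```python
from typing import Optional

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed attacker-controlled "prompt template". `cycler` is a Jinja2
# default global; Cycler.__init__.__globals__ is the jinja2.utils module dict,
# which contains `os`, so an unsandboxed render runs a shell command.
PAYLOAD = "{{ cycler.__init__.__globals__.os.popen('echo pwned').read() }}"

# Constructed benign template of the kind a prompt generator legitimately renders.
BENIGN = "Answer using only this context:\n{{ context }}\nQ: {{ question }}"


def render_unsafe(template_src: str, **ctx: object) -> str:
    """Vulnerable pattern: user text compiled as a template in a plain Environment."""
    return Environment().from_string(template_src).render(**ctx)


def render_sandboxed(template_src: str, **ctx: object) -> Optional[str]:
    """Hardened pattern: SandboxedEnvironment refuses attribute access that
    starts with an underscore (and other unsafe operations) by raising
    SecurityError. Returns None when the template is rejected."""
    try:
        return SandboxedEnvironment().from_string(template_src).render(**ctx)
    except SecurityError:
        return None


if __name__ == "__main__":
    print(repr(render_unsafe(PAYLOAD)))     # 'pwned\n': the command ran
    print(repr(render_sandboxed(PAYLOAD)))  # None: rejected by the sandbox
    print(render_sandboxed(BENIGN, context="docs", question="why?"))
```

The sandbox keeps ordinary variable substitution and filters working for the benign template, so the feature survives the fix. It only limits what a template can reach; whatever objects are placed into the render context remain reachable, so the context passed to user templates should be plain data, not live service objects.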
CVE-2026-6902
A Remote Code Execution vulnerability in the P4 Helix Core Server Command-Line Client, in versions prior to 2025.2 Patch 2, has been fixed to address potential security risks...
CVE-2026-23882 Blinko: Admin RCE - MCP Server Command Injection
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4...
SAP Netweaver Visual Composer Unrestricted File Upload (3084487)
SAP NetWeaver Visual Composer 7.0 RT versions 7.30, 7.31, 7.40 and 7.50 do not restrict file uploads: an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of th...
Arbitrary Code Injection
Amendment: This was deemed not a vulnerability. Overview: es-toolkit is a state-of-the-art, high-performance JavaScript utility library with a small bundle size and strong type annotations. Affected versions of this package are vulnerable to Arbitrary Code Injection. The template function in...
CVE-1999-0399
The DCC server command in the mIRC 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands...
TP-Link WA850RE security vulnerability
TP-Link WA850RE is a wireless signal extender from the Chinese vendor TP-Link. A security vulnerability exists in TP-Link WA850RE V2160527 and earlier versions, which originates from a command injection in the httpd module that could lead to the execution of arbitrary commands...
EUVD-2025-122031
Malicious code in server-command-lyra-loop npm...
EUVD-2019-10180
Malware in sbrugna...
EUVD-2025-32138
Malicious code in bioql PyPI...
EUVD-2025-20505
Malicious code in bioql PyPI...
CVE-2025-7812
The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport function. This makes it possible for unauthenticated...
CVE-2025-7812
CVE-2025-7812 affects the WordPress plugin Video Share VOD – Turnkey Video Site Builder Script (versions through 2.7.6). The root cause is missing or incorrect nonce validation on adminExport(), enabling Cross-Site Request Forgery that can lead to remote code execution when the Server command exe...
PT-2025-34956
Name of the Vulnerable Software and Affected Versions: Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress versions through 2.7.6 Description: The plugin is susceptible to Cross-Site Request Forgery (CSRF) due to missing or incorrect nonce validation in the adminExport function...
CVE-2025-41675
A high privileged remote attacker can execute arbitrary system commands via GET requests in the cloud server communication script due to improper neutralization of special elements used in an OS command...
CVE-2025-53100
The CVE-2025-53100 entry concerns RestDB codehooks-mcp-server (Codehooks.io MCP Server). Before version 0.2.2, the MCP Server tools definition/implementation allow user-initiated remote command injection, enabling a potential attacker to execute commands on a running MCP Server. The issue is stat...
CVE-2025-5277
CVE-2025-5277 affects the aws-mcp-server MCP server. The vulnerability is a command injection where an attacker can craft a prompt that, when accessed by the MCP client, will cause arbitrary commands to run on the host. The NVD metrics indicate a CRITICAL impact (CVSSv4.0 9.4; CVSSv3.1 9.6) with ...
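The pattern shared by the Blinko, codehooks-mcp-server and aws-mcp-server entries above is an MCP server definition whose command and arguments come from a user and are then executed to "test the connection". The example below is added here and is not any of those projects' code; the `{"command", "args"}` spec shape, the allowlist and the sample specs are constructed for illustration. It contrasts concatenating the fields into a shell line with running an allowlisted launcher as an argv list without a shell.

```python
import subprocess
from typing import Optional

# Constructed user-submitted server definitions (hypothetical schema).
LEGIT_SPEC = {"command": "echo", "args": ["hello"]}
INJECTED_SPEC = {"command": "echo", "args": ["hello;", "echo", "INJECTED"]}
ARBITRARY_BINARY = {"command": "sh", "args": ["-c", "id"]}

# Constructed allowlist of launchers the service is prepared to run. A real
# deployment lists exactly the launchers it supports; "echo" stands in here so
# the example runs anywhere.
ALLOWED_COMMANDS = {"echo"}


def probe_vulnerable(spec: dict) -> str:
    """Vulnerable pattern: command and args are joined into one string and
    handed to a shell, so a ';' in any field starts a second command."""
    line = spec["command"] + " " + " ".join(spec["args"])
    done = subprocess.run(line, shell=True, capture_output=True, text=True, timeout=10)
    return done.stdout


def probe_hardened(spec: dict) -> Optional[str]:
    """Hardened pattern: only allowlisted launchers run, arguments must be
    plain strings, and argv goes to the OS with shell=False, so shell
    metacharacters are ordinary characters. Returns None if the spec is rejected."""
    command = spec.get("command")
    args = spec.get("args", [])
    if command not in ALLOWED_COMMANDS:
        return None
    if not all(isinstance(a, str) and "\x00" not in a for a in args):
        return None
    done = subprocess.run([command, *args], shell=False, capture_output=True, text=True, timeout=10)
    return done.stdout


if __name__ == "__main__":
    print(repr(probe_vulnerable(INJECTED_SPEC)))  # 'hello\nINJECTED\n'
    print(repr(probe_hardened(INJECTED_SPEC)))    # 'hello; echo INJECTED\n'
    print(probe_hardened(ARBITRARY_BINARY))       # None
```

Dropping the shell removes the metacharacter problem but not the design problem the Blinko entry describes: if the launcher field itself is free text, the user names the binary. That is why the allowlist is the part that matters, and a launcher such as a package runner still needs its arguments constrained, because it will happily fetch and execute whatever package it is pointed at.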
CVE-2021-42669
A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboardteacher.php, which allows changing the avatar through teacheravatar.php. Once an avatar gets uploaded it is getting uploaded to the /admin/uploads/ directory, and is accessible by all users. By...
CVE-2020-11817
In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just by changing the Content-Type value. As a result, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting...
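Both of the last two entries hinge on the server trusting the client's own description of an upload: the Rukovoditel entry explicitly says changing the Content-Type header is enough. The example below is added here and is not either project's code; the sample files, MIME table and naming scheme are constructed for illustration. It shows the header-only check beside a check that sniffs the file's leading bytes and requires them to agree with the declared type.

```python
import secrets
from typing import Optional

# Constructed sample uploads.
PHP_WEBSHELL = b"<?php system($_GET['c']); ?>"
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
EXTENSIONS = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
# Leading-byte signatures for the allowed types.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def accept_by_header(content_type: str, data: bytes) -> bool:
    """Vulnerable pattern: the client-supplied Content-Type decides everything,
    so a PHP file declared as image/png is accepted."""
    return content_type in ALLOWED_TYPES


def sniff_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def accept_by_content(content_type: str, data: bytes) -> bool:
    """Hardened pattern: the declared type must be allowlisted AND match what
    the bytes actually are."""
    return content_type in ALLOWED_TYPES and sniff_type(data) == content_type


def storage_name(content_type: str) -> str:
    """Server-chosen filename: random token plus an extension derived from the
    verified type, never from the client's filename or header."""
    return secrets.token_hex(16) + EXTENSIONS[content_type]


if __name__ == "__main__":
    print(accept_by_header("image/png", PHP_WEBSHELL))   # True: bypassed
    print(accept_by_content("image/png", PHP_WEBSHELL))  # False: rejected
    print(accept_by_content("image/png", PNG_FILE), storage_name("image/png"))
```

Magic-byte agreement stops the trivial header swap in the Rukovoditel entry, but a file that starts with a valid image header and carries script later in the body still passes it. The durable control is the one the Engineers Online Portal entry lacks: store uploads under a server-chosen name in a location the web server will not execute, so even a polyglot that gets through is served as bytes rather than run.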