5 matches found
EUVD-2026-43129
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for installaddon,...
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Summary An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenixstorybook playground accepts user-controlled attribute values over WebSocket and interpolates them unsanitized into a HEEx template that is subsequently...
GHSA-VP6R-9M58-5XV8 OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Impact Server-side EL injection leading to Remote Code Execution RCE. Affects applications that use CDNResourceHandler with a wildcard CDN mapping e.g. libraryName:=https://cdn.example.com/. An attacker can craft a resource request URL containing an EL expression in the resource name, which is...
Arbitrary Code Injection
Overview llama-stack is a Llama Stack Affected versions of this package are vulnerable to Arbitrary Code Injection due to using 'eval' on server there is a security risk, a potential code injection vulnerability. Remediation Upgrade llama-stack to version 0.1.5.1 or higher. References - GitHub...
Totaljs CMS 12.0 Widget Creation Code Injection
Author/Discoverer: Riccardo Krauter @CertimeterGroup + Title: Totaljs CMS Authenticated Code injection on widget creation. + Affected software: Totaljs CMS 12.0 + Description: An authenticated user with “widgets” privilege can gain RCE on the remote server by creating a malicious widget with a...