EUVD-2026-38048

php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted isexecutable guard mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc...

EUVD-2026-39862

Cudy LT300 3.0 running firmware prior to version 2.5.12 contains an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the cbid.system.ntp.current POST parameter in the system time configuration interface...

CVE-2026-45406 Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename...

CVE-2026-54088

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, the Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplie...

CVE-2026-54090 File Browser: Command Allowlist Bypass via Shell Metacharacter Injection

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured e.g. /bin/sh -c, the command allowlist can be bypassed through shell metacharacters. The allowlist...

PT-2026-52536

Name of the Vulnerable Software and Affected Versions File Browser versions prior to 2.63.6 Description The Hook Authentication feature allows administrators to delegate login verification to an external shell command. The application uses os.Expand to interpolate user-supplied credentials into...

CVE-2026-55249

The CVE-2026-55249 entry concerns @rtk-ai/rtk-rewrite, an OpenClaw plugin that rewrites shell commands via execSync using a template string. The root cause is attacker-controlled input injected directly into the shell-backed template without proper escaping; JSON.stringify wraps the value in quot...

CVE-2026-35018 NetComm NF20MESH < R6B032 Authenticated RCE via OS Command Injection

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the...

PT-2026-51141

Name of the Vulnerable Software and Affected Versions WooCommerce version 7.1.0 Description A remote code execution flaw exists in the 'class-wc-meta-box-product-images.php' endpoint. The product-type parameter is processed without proper sanitization, allowing attackers to inject shell commands...

CVE-2026-49260

CVE-2026-49260 affects PhpWeasyPrint prior to 2.5.1. The vulnerability arises from building the WeasyPrint command by passing the binary path through escapeshellarg() and then validating the quoted result with is_executable(); on POSIX systems this makes the bin path string contain quotes, causin...

CVE-2026-49260

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.5.1, pontedilana/php-weasyprint builds the shell command for WeasyPrint by passing the binary path through escapeshellarg first and then checking the quoted result with isexecutable. On POSIX...

Astra Linux – Vulnerability in JRuby

In versions of Ruby from 2.4.7, 2.5.x up to 2.5.6, and 2.6.x up to 2.6.4, code injection is possible if the first argument also known as the “command” argument passed to Shell or Shelltest in lib/shell.rb is untrusted data. An attacker can exploit this vulnerability to call arbitrary Ruby methods...

PT-2026-50965

Name of the Vulnerable Software and Affected Versions PhpWeasyPrint versions prior to 2.5.1 Description PhpWeasyPrint is a PHP library used for generating PDFs from HTML pages or URLs. The software contains a shell command injection flaw occurring when the binary path for WeasyPrint is processed...

OSEC-2026-05 Windows command execution via filename quotes.

The quoting of stdin/stdout/stderror using Filename.quotecommand on Windows is not sufficient, and allows the & character to be passed through. This allows an attacker to inject a shell command if they can specify the stdin/stdout/stderr of a program to be executed. Exploit bash $ opam exec --...

Deno: Command Injection via spawnSync & spawn on Windows

Summary Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters such as &, |, , ^, !, , , and did not neutralize %...

CVE-2026-12398

A command injection vulnerability was found in galaxyng. The dogitcheckout function in the legacy role import API v1 interpolates unsanitized git ref names branch/tag names into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...

CVE-2026-12398 Galaxy_ng: shell injection in legacy role import via unsanitized git ref names

A command injection vulnerability was found in galaxyng. The dogitcheckout function in the legacy role import API v1 interpolates unsanitized git ref names branch/tag names into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...

CVE-2026-12398 Galaxy_ng: shell injection in legacy role import via unsanitized git ref names

A command injection vulnerability was found in galaxyng. The dogitcheckout function in the legacy role import API v1 interpolates unsanitized git ref names branch/tag names into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...

CVE-2026-12398

The CVE-2026-12398 entry describes a command-injection in galaxy_ng via the legacy role import API (v1) do_git_checkout(), where unsanitized git ref names are interpolated into shell commands executed with subprocess.run(shell=True). An authenticated user controlling a git repo can craft branch/t...

SaltStack <=3002 - Shell Injection

SaltStack Salt through 3002 allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt-API using the SSH client. id: CVE-2020-16846 info: name: SaltStack =3003 to mitigate this vulnerability. reference: -...