Lucene search
K

954 matches found

Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.15 views

PT-2026-42693

Name of the Vulnerable Software and Affected Versions KnpLabs Snappy versions prior to 1.7.1 Description A shell injection issue exists on POSIX systems where the escapeshellarg function returns a string containing single-quote characters. This causes the is executable check to fail, as it search...

7.5CVSS5.9AI score0.00152EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.12 views

PT-2026-42412

Name of the Vulnerable Software and Affected Versions Netatalk versions 3.1.4 through 4.4.2 Description A logic error involving bitwise OR operations allows a remote authenticated attacker to perform shell injection, enabling the execution of arbitrary OS commands. Recommendations Update to versi...

9.9CVSS6.1AI score0.00477EPSS
Exploits0References19
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in JRuby

In versions of Ruby from 2.4.7, 2.5.x up to 2.5.6, and 2.6.x up to 2.6.4, code injection is possible if the first argument also known as the “command” argument passed to Shell or Shelltest in lib/shell.rb is untrusted data. An attacker can exploit this vulnerability to call arbitrary Ruby methods...

8.1CVSS6.8AI score0.04221EPSS
Exploits1References1
Snyk
Snyk
added 2026/05/19 3:21 p.m.5 views

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...

9.6CVSS6AI score0.00365EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 3:21 p.m.7 views

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...

9.6CVSS6AI score0.00365EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/18 8:31 p.m.7 views

CVE-2026-25244

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...

9.8CVSS6.6AI score0.02799EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.16 views

PT-2026-41693

Name of the Vulnerable Software and Affected Versions Arcane versions 1.18.1 and earlier Description An issue exists where the endpoint "GET /environments/id/volumes/volumeName/browse" accepts a path query parameter that is passed to a shell command sh -c "find … | while …" inside a helper...

6.3CVSS6AI score0.0021EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.15 views

PT-2026-43460

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description A shell-metacharacter injection exists in the YPTSocket notification branch within the plugin/Live/on publish.php file. The application constructs a command line for the execAsync function usin...

8.8CVSS6.1AI score0.00318EPSS
Exploits0References4
NVD
NVD
added 2026/05/14 9:16 p.m.28 views

CVE-2026-45369

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix o...

8.3CVSS0.00272EPSS
Exploits0References1
OSV
OSV
added 2026/05/14 4:16 p.m.4 views

GHSA-HCWQ-X9FW-8CFQ @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

Summary The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host...

6.5CVSS6.2AI score0.00428EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.19 views

PT-2026-41120

HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString function in convertCore.php is missing backtick and tab t from its strip list. User input then reaches shell exec, where the shell interprets these characters and commands...

9.3CVSS5.8AI score0.00297EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/13 4:1 p.m.7 views

SUSE CVE-2017-11366

components/filemanager/class.filemanager.php in Codiad before 2.8.4 is vulnerable to remote command execution because shell commands can be embedded in parameter values, as demonstrated by searchfiletype...

9.8CVSS7.4AI score0.07547EPSS
Exploits4References3
CVE
CVE
added 2026/05/12 4:19 p.m.16 views

CVE-2026-43991

The CVE-2026-43991 issue affects JunoClaw: a plugin-shell command-safety check used by the Juno Network agent. The root cause is a substring-based blocklist that was applied to the raw command string rather than the parsed first token, enabling bypass via adversarial argument constructions and po...

8.4CVSS5.9AI score0.00171EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.11 views

PT-2026-40533

Name of the Vulnerable Software and Affected Versions protobufjs-cli versions prior to 1.2.1 protobufjs-cli versions prior to 2.0.2 Description The pbts command-line tool invokes JSDoc by constructing a shell command string from input file paths and executing it via child process.exec. File paths...

7.8CVSS6.1AI score0.00132EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.19 views

PT-2026-40102

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell metacharacters in agent-supplied arguments to be...

8.4CVSS5.8AI score0.00151EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/05/11 2:13 p.m.11 views

SUSE CVE-2026-44656

Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the pat...

4.4CVSS6AI score0.00917EPSS
Exploits0References13
ATTACKERKB
ATTACKERKB
added 2026/05/08 2:55 a.m.8 views

CVE-2026-43943

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution RCE vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system edito...

7.8CVSS6.3AI score0.00167EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/05/04 8:16 p.m.9 views

CVE-2026-41925

WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 contains an OS command injection vulnerability in the adm.cgi binary's reboottime function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboottime POST parameter. Attacke...

9.3CVSS0.03387EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/05/03 8:54 a.m.81 views

summary-awi-poc

summary-awi-poc Public proof-of-concept repository for valida...

5.9AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/04/28 12:0 a.m.5 views

PT-2026-35678

Name of the Vulnerable Software and Affected Versions KDE KCoreAddons versions prior to 6.25 Description The KShell::quoteArgs function is designed to safely quote arguments for shell commands. However, it fails to adequately handle metacharacters, which can lead to a shell escape. Applications...

7.8CVSS5.8AI score0.0017EPSS
Exploits0References10
Rows per page
Query Builder