Lucene search
K

968 matches found

Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.15 views

PT-2026-43460

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description A shell-metacharacter injection exists in the YPTSocket notification branch within the plugin/Live/on publish.php file. The application constructs a command line for the execAsync function usin...

8.8CVSS6.1AI score0.00318EPSS
Exploits0References4
NVD
NVD
added 2026/05/14 9:16 p.m.28 views

CVE-2026-45369

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix o...

8.3CVSS0.00272EPSS
Exploits0References1
OSV
OSV
added 2026/05/14 4:16 p.m.4 views

GHSA-HCWQ-X9FW-8CFQ @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

Summary The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host...

6.5CVSS6.2AI score0.00428EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.19 views

PT-2026-41120

HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString function in convertCore.php is missing backtick and tab t from its strip list. User input then reaches shell exec, where the shell interprets these characters and commands...

9.3CVSS5.8AI score0.00297EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/13 4:1 p.m.7 views

SUSE CVE-2017-11366

components/filemanager/class.filemanager.php in Codiad before 2.8.4 is vulnerable to remote command execution because shell commands can be embedded in parameter values, as demonstrated by searchfiletype...

9.8CVSS7.4AI score0.07547EPSS
Exploits4References3
CVE
CVE
added 2026/05/12 4:19 p.m.16 views

CVE-2026-43991

The CVE-2026-43991 issue affects JunoClaw: a plugin-shell command-safety check used by the Juno Network agent. The root cause is a substring-based blocklist that was applied to the raw command string rather than the parsed first token, enabling bypass via adversarial argument constructions and po...

8.4CVSS5.9AI score0.00171EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.11 views

PT-2026-40533

Name of the Vulnerable Software and Affected Versions protobufjs-cli versions prior to 1.2.1 protobufjs-cli versions prior to 2.0.2 Description The pbts command-line tool invokes JSDoc by constructing a shell command string from input file paths and executing it via child process.exec. File paths...

7.8CVSS6.1AI score0.00132EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.20 views

PT-2026-40102

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell metacharacters in agent-supplied arguments to be...

8.4CVSS5.8AI score0.00151EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/05/11 2:13 p.m.11 views

SUSE CVE-2026-44656

Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the pat...

4.4CVSS6AI score0.00917EPSS
Exploits0References13
ATTACKERKB
ATTACKERKB
added 2026/05/08 2:55 a.m.9 views

CVE-2026-43943

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution RCE vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system edito...

7.8CVSS6.3AI score0.00167EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/05/04 8:16 p.m.9 views

CVE-2026-41925

WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 contains an OS command injection vulnerability in the adm.cgi binary's reboottime function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboottime POST parameter. Attacke...

9.3CVSS0.03387EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/05/03 8:54 a.m.82 views

summary-awi-poc

summary-awi-poc Public proof-of-concept repository for valida...

5.9AI score
Exploits0
AlpineLinux
AlpineLinux
added 2026/04/28 12:0 a.m.5 views

CVE-2026-41526

In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path t...

7.8CVSS5.8AI score0.0017EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/28 12:0 a.m.5 views

PT-2026-35678

Name of the Vulnerable Software and Affected Versions KDE KCoreAddons versions prior to 6.25 Description The KShell::quoteArgs function is designed to safely quote arguments for shell commands. However, it fails to adequately handle metacharacters, which can lead to a shell escape. Applications...

7.8CVSS5.8AI score0.0017EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/04/28 12:0 a.m.4 views

CVE-2026-41526

In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path t...

6.5CVSS5.4AI score0.0017EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/28 12:0 a.m.14 views

EUVD-2026-26004

In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path t...

6.5CVSS5.4AI score0.0017EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/24 2:10 a.m.3 views

CVE-2026-33208 Roxy-WI Vulnerable to Authenticated Remote Code Execution via OS Command Injection in find-in-config Endpoint

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a...

8.7CVSS6.2AI score0.0066EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/24 2:10 a.m.5 views

CVE-2026-33208

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a...

8.7CVSS6.2AI score0.0066EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/04/24 2:10 a.m.8 views

CVE-2026-33208

The CVE describes a vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived. Before version 8.2.6.4, the /config//find-in-config endpoint fails to sanitize the words parameter before embedding it into a shell command string executed on a remote managed server...

8.8CVSS6.2AI score0.0066EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/04/24 2:10 a.m.33 views

CVE-2026-33208 Roxy-WI Vulnerable to Authenticated Remote Code Execution via OS Command Injection in find-in-config Endpoint

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a...

8.7CVSS0.0066EPSS
Exploits1References2
Rows per page
Query Builder