Lucene search
K

6 matches found

Cvelist
Cvelist
added 2026/06/23 5:20 p.m.34 views

CVE-2026-49402 Deno: Command Injection via spawnSync & spawn on Windows

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...

8.1CVSS0.00283EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 5:20 p.m.13 views

CVE-2026-49402

Deno is affected by CVE-2026-49402 on Windows when using node:child_process with shell: true. The escapeShellArg() helper failed to properly quote arguments containing cmd.exe metacharacters (e.g., &, |, , ^, !, (, )), and did not neutralize % inside double-quoted strings. This allowed an attacke...

8.1CVSS6.1AI score0.00283EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2024/07/08 12:0 a.m.3 views

PT-2024-4625

Name of the Vulnerable Software and Affected Versions: Node.js versions up to 18.20.3 Node.js versions up to 20.15.0 Node.js versions up to 22.4.0 Description: The issue arises from improper handling of batch files with all possible extensions on Windows via child process.spawn / child...

10CVSS8AI score0.01098EPSS
Exploits0References242
Veracode
Veracode
added 2024/07/05 7:0 a.m.32 views

OS Command Execution

HFS is vulnerable to OS Command Execution. The vulnerability is due to using execSync instead of spawnSync in a childprocess to execute the df shell command, which allows an attacker to execute OS commands remotely via the file upload feature...

9.9CVSS9.6AI score0.48477EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2024/07/04 12:0 a.m.47 views

CVE-2024-39943

rejetto HFS aka HTTP File Server 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users if they have Upload permissions. This occurs because a shell is used to execute df i.e., with execSync instead of spawnSync in childprocess in Node.js...

9.9CVSS0.48477EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2024/02/29 12:0 a.m.3 views

PT-2024-5241 · Node.Js +1 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: Node.js versions 18.x, 20.x, and 21.x Description: The issue is related to the improper handling of batch files in child process.spawn and child process.spawnSync on Windows platforms. This allows a malicious command line argument to inject...

10CVSS6.3AI score0.01387EPSS
Exploits0References64
Rows per page
Query Builder