Lucene search

17 matches found

ATTACKERKB
added 2026/04/13 12:00 a.m., 1 view

CVE-2026-29955

The /registercrd endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses subprocess.Popen with shell=True parameter to execute shell commands, and the user-supplied chartName parameter is directly concatenated into the command string...

AI score 6.1, EPSS 0.00274
Exploits: 1, References: 3
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2024-31727

Malicious code in bioql PyPI...

CVSS 8.4, AI score 8.4, EPSS 0.02019
Exploits: 1, References: 2
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2024-0100

Malicious code in bioql PyPI...

CVSS 8.8, AI score 8.5, EPSS 0.00527
Exploits: 1, References: 3
RedhatCVE
added 2025/05/23 9:30 a.m., 5 views

CVE-2024-3121

A remote code execution vulnerability exists in the createcondaenv function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the envname and...

CVSS 6.8, AI score 5.1, EPSS 0.0015
Exploits: 2, References: 1
Veracode
added 2025/05/07 7:26 a.m., 5 views

OS Command Injection

aworld is vulnerable to OS Command Injection. The vulnerability is due to improper input sanitization caused by unsafe use of subprocess.run and subprocess.Popen in AWorld/aworld/virtualenvironments/terminals/shelltool.py, which allows remote attackers to execute arbitrary operating system commands ...

CVSS 8.1, AI score 7.8, EPSS 0.03079
Exploits: 1, References: 8, Affected Software: 1
Github Security Blog
added 2025/04/28 9:30 p.m., 6 views

AWorld OS Command Injection vulnerability

A vulnerability was found in inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e. It has been rated as critical. This issue affects the function subprocess.run/subprocess.Popen of the file AWorld/aworld/virtualenvironments/terminals/shelltool.py. The manipulation leads to os command...

CVSS 8.1, AI score 7.1, EPSS 0.03079
Exploits: 1, References: 8, Affected Software: 1
CNNVD
added 2025/04/28 12:00 a.m., 1 view

AWorld command injection vulnerability

AWorld is a generic multi-agent assistance program, open-sourced by inclusionAI, that is easy to build, evaluate, and run. AWorld suffers from a command injection vulnerability that stems from incorrect handling of the function subprocess.run/subprocess.Popen, resulting in OS command injection...

CVSS 8.1, AI score 5.5, EPSS 0.03079
Exploits: 1, References: 6
NVD
added 2025/03/20 10:15 a.m., 11 views

CVE-2024-9920

In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/openfile' API...

CVSS 8.8, EPSS 0.01527
Exploits: 1, References: 1
CVE
added 2025/03/20 10:10 a.m., 70 views

CVE-2024-9920

CVE-2024-9920 affects parisneo/lollms-webui (v12). The vulnerability occurs in the “Send file to AL” feature, which accepts file uploads with extensions such as .py/.sh/.bat and then can execute them via the /open_file endpoint. Root cause: files are opened with subprocess.Popen without proper va...

CVSS 8.8, AI score 7.1, EPSS 0.01527
Exploits: 1, References: 1, Affected Software: 1
OSV
added 2024/06/24 12:15 a.m., 7 views

CVE-2024-3121

A remote code execution vulnerability exists in the createcondaenv function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the envname and...

CVSS 3.3, AI score 8.1
Exploits: 0, References: 1
Github Security Blog
added 2024/06/11 8:22 p.m., 14 views

document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection

Impact: What kind of vulnerability is it? Who is impacted? A remote code execution (RCE) via server-side template injection (SSTI) allows user-supplied code to be executed in the server's context, where it is executed as the document-merge-server user with the UID 901, thus giving an attacker...

CVSS 7.2, AI score 8.9, EPSS 0.05604
Exploits: 0, References: 4, Affected Software: 1
NVD
added 2024/05/16 9:15 a.m., 10 views

CVE-2024-3126

A command injection vulnerability exists in the 'runxttsapiserver' function of the parisneo/lollms-webui application, specifically within the 'lollmsxtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utiliz...

CVSS 8.4, AI score 8.8, EPSS 0.02019
Exploits: 1, References: 2
SUSE CVE
added 2024/03/20 3:50 a.m., 1 view

SUSE CVE-2023-41334

Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the TransformGraph.todotgraph function. A malicious user can provide a...

CVSS 8.4, AI score 8.2, EPSS 0.02875
Exploits: 1, References: 3
PyPA
added 2024/01/22 1:15 a.m., 4 views

PYSEC-2024-9

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.runscript passes shell metacharacters to subprocess.Popen...

CVSS 8.8, AI score 8, EPSS 0.00527
Exploits: 1, References: 1, Affected Software: 1
Vulnrichment
added 2024/01/22 12:00 a.m., 2 views

CVE-2024-23750

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.runscript passes shell metacharacters to subprocess.Popen...

AI score 9, EPSS 0.00527
Exploits: 1, References: 1
Positive Technologies
added 2024/01/21 12:00 a.m., 3 views

PT-2024-20056 · Metagpt · Metagpt

Name of the Vulnerable Software and Affected Versions: MetaGPT versions 0.6.4 and earlier Description: The issue allows the QaEngineer role to execute arbitrary code because RunCode.run script passes shell metacharacters to subprocess.Popen. This enables potential exploitation, but specific detai...

CVSS 8.8, AI score 8.9, EPSS 0.00527
Exploits: 1, References: 10
CNVD
added 2020/02/18 12:00 a.m., 1 view

Ansible pipe lookup plugin arbitrary command execution vulnerability

Ansible is a computer system configuration manager. A security vulnerability in the Ansible pipe lookup plugin subprocess.Popen allows remote attackers to exploit the vulnerability to submit a special request that can execute arbitrary commands...

CVSS 7.4, AI score 8.8, EPSS 0.00083
Exploits: 0, References: 1