CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 2026/03/19 2:16 a.m.•1 views

CVE-2026-32000

7.8CVSS0.00618EPSS

Cvelist•added 2026/03/19 1:0 a.m.•21 views

CVE-2026-32000 OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution

7.1CVSS0.00618EPSS

CNNVD•added 2026/03/19 12:0 a.m.•5 views

OpenClaw 操作系统命令注入漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.2.19 had a vulnerability related to operating system command injection. This vulnerability stemmed from issues with the Windows shell backtracking mechanism used in the Lobster...

7.8CVSS6.1AI score0.00618EPSS

OSV•added 2026/03/13 8:58 p.m.•2 views

GHSA-5CXW-W2XG-2M8H fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`

Our assessment We added platform to the blocklist of unsafe modules https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975. It was not possible to inject extra arguments to file without first monkey-patching platform.followsymlinks with the pickle, as it always...

6.9CVSS6AI score

Exploits0References4

Debian CVE•added 2026/03/05 8:48 p.m.•7 views

CVE-2026-0848

NLTK versions =3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of...

10CVSS9.7AI score0.00777EPSS

Exploits3

Github Security Blog•added 2026/03/04 9:31 p.m.•6 views

Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment The modules uuid, osxsupport and aixsupport were added to the blocklist of unsafe imports https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b. Original report Summary fickling's UNSAFEIMPORTS blocklist is missing at least 3 stdlib modules that provid...

6AI score

Exploits0References3Affected Software1

Snyk•added 2026/02/23 10:13 p.m.•3 views

Command Injection

Overview yt-dlp is an A youtube-dl fork with additional features and patches Affected versions of this package are vulnerable to Command Injection in the --netrc-cmd option and netrccmd API parameter, which invoke subprocess.Popen with shell=True. The GetCourseRuIE, TeachableIE, and...

8.8CVSS6.2AI score0.01596EPSS

Exploits2References2

Github Security Blog•added 2026/02/04 8:34 p.m.•5 views

EPyT-Flow vulnerable to unsafe JSON deserialization (__type__)

Impact EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer myloadfromjson that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. Thi...

10CVSS5.6AI score0.00657EPSS

Exploits0References5Affected Software1

NVD•added 2026/01/30 9:15 p.m.•4 views

CVE-2026-25130

Cybersecurity AI CAI is a framework for AI Security. In versions up to and including 0.5.10, the CAI Cybersecurity AI framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via subprocess.Popen with...

9.6CVSS0.008EPSS

Exploits3References3

Snyk•added 2026/01/30 8:38 p.m.•4 views

Arbitrary Command Injection

Overview cai-framework is a Cybersecurity AI Framework Affected versions of this package are vulnerable to Arbitrary Command Injection via the findfile function, which calls subprocess.Popen with shell=True. An attacker can execute arbitrary commands on the host system by injecting malicious...

9.6CVSS5.8AI score0.008EPSS

Exploits3References2

Github Security Blog•added 2026/01/30 8:38 p.m.•11 views

CAI find_file Agent Tool has Command Injection Vulnerability Through Argument Injection

Summary The CAI Cybersecurity AI framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via subprocess.Popen with shell=True, allowing attackers to execute arbitrary commands on the host system. Vulnerable...

Exploits3References5Affected Software1

ATTACKERKB•added 2026/01/30 8:15 p.m.•5 views

CVE-2026-25130

Exploits3References4Affected Software1

EUVD•added 2026/01/30 8:15 p.m.•6 views

EUVD-2026-5008

OSV•added 2026/01/30 8:15 p.m.•5 views

Exploits3References3

CVE-2026-25130 Cybersecurity AI vulnerable to command Injection through argument injection in find_file Agent tool

RedhatCVE•added 2026/01/24 9:15 a.m.•7 views

Exploits3References5

CVE-2026-0763

GPT Academic runinsubprocesswrapperfunc Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific...

9.8CVSS6.6AI score0.00993EPSS

OSV•added 2026/01/23 4:16 a.m.•4 views

CVE-2026-0763

9.8CVSS6.7AI score

Vulnrichment•added 2026/01/23 3:28 a.m.•2 views

CVE-2026-0763 GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability

9.8CVSS6.6AI score0.00993EPSS

CNNVD•added 2026/01/23 12:0 a.m.•4 views

GPT Academic Code Issues and Vulnerabilities

GPT Academic is an interface developed by binary-husky developers, designed to provide practical interactions for large language models like GPT/GLM. There are code vulnerabilities in GPT Academic; these vulnerabilities stem from the runinsubprocesswrapperfunc function, which lacks validation of...

9.8CVSS7.6AI score0.00993EPSS