109 matches found
CVE-2026-15668 louisho5 picobot web Tool web.go WebTool.Execute server-side request forgery
A vulnerability has been found in louisho5 picobot up to 0.2.0. This vulnerability affects the function WebTool.Execute of the file internal/agent/tools/web.go of the component web Tool. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotel...
CVE-2026-15330
CVE-2026-15330 affects zhayujie CowAgent — Vision Tool, specifically the file vision.py, function _build_image_content/_download_to_data_url. The vulnerability arises from manipulating the input image argument, enabling remote SSRF via the Vision Tool component. Attacker could trigger remotely; e...
CVE-2026-13501 antlr ANTLR4 gofmt GoTarget.java GoTarget command injection
A security vulnerability has been detected in antlr ANTLR4 up to 4.13.2. Affected by this vulnerability is the function GoTarget of the file tool/src/org/antlr/v4/codegen/target/GoTarget.java of the component gofmt. The manipulation leads to command injection. The attack can only be performed fro...
SUSE CVE-2018-25356
SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Attackers can trigger the vulnerability by supplying oversized input to the -3pcc, -i, or -logfile parameters,...
EUVD-2018-21877
SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Attackers can trigger the vulnerability by supplying oversized input to the -3pcc, -i, or -logfile parameters,...
Astra Linux – Vulnerability in libimage-exiftool-perl
In ExifTool’s lib/Image/ExifTool.pm, version 12.38 incorrectly handles the $file = /|$/ check, resulting in command injection...
CVE-2026-7609 TRENDnet TEW-821DAP Firmware Udpate diagnostic tools_diagnostic os command injection
A flaw has been found in TRENDnet TEW-821DAP up to 1.12B01. The impacted element is the function toolsdiagnostic of the file /tmp/diagnostic of the component Firmware Udpate. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been publish...
CVE-2026-42427 OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection
OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGOBUILDRUSTCWRAPPER, RUSTCWRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and...
CVE-2026-32022
OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerability in the grep tool within tools.exec.safeBins that allows attackers to read arbitrary files by supplying a pattern via the -e flag parameter. Attackers can include a positional filename operand to bypass file acce...
acdc-aws-etl-pipeline (>=0.1.7 <=0.5.9), airflow-dbt-python (=2.1.0) +49 more potentially affected by CVE-2026-29790 via dbt-common (>=0.1.6 <=1.33.0)
dbt-common PYPI version =0.1.6, =0.1.7, =0.1.5, =0.21.7, =0.0.1rc1, =0.1.0a1, =1.0.9, =1.8.0, =1.5.2, =1.8.0, =1.8.0, =1.8.15 and more Source cves: CVE-2026-29790 Source advisory: OSV:GHSA-W75W-9QV4-J5XJ...
CVE-2026-24853
CVE-2026-24853 affects Caido before version 0.55.0. The issue allows bypassing domain-based access controls on the 8080 port by injecting an X-Forwarded-Host header (127.0.0.1:8080). Multiple sources confirm the vulnerability exists in Caido up to 0.54.x and was fixed in 0.55.0. Impact details in...
Amazon Linux 2023 : nerdctl (ALAS2023-2026-1401)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1401 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processe...
PT-2026-6187
Name of the Vulnerable Software and Affected Versions Claude Code versions prior to 2.0.74 Description Claude Code is an agentic coding tool affected by a Bash command validation flaw when parsing ZSH clobber syntax. This flaw allowed bypassing directory restrictions and writing files outside the...
AZL-75527 CVE-2025-11065 affecting package moby-cli for versions less than 24.0.9-8
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in...
Azure Linux 3.0 Security Update: gh (CVE-2024-52308)
The version of gh installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-52308 advisory. - The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace S...
EUVD-2026-2015
Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5...
EUVD-2025-205454
n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node...
EUVD-2025-204595
OCS Inventory NG 2.3.0.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges to system level. Attackers can place a malicious executable in the unquoted service path and trigger the service restart to execute code with elevated system privileges...
VulnCheck KEV: CVE-2024-55890
D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the update-settings endpoint blocks the ability...
CVE-2025-67634 Software Acquisition Guide Supplier Response Web Tool XSS
The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would...