Lucene search
K

8 matches found

NVD
NVD
added 2026/05/28 5:16 p.m.18 views

CVE-2026-44461

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

8.6CVSS0.00257EPSS
Exploits1References1
OSV
OSV
added 2026/05/28 5:16 p.m.29 views

UBUNTU-CVE-2026-44461

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

8.6CVSS6.2AI score0.00257EPSS
Exploits1References3
CVE
CVE
added 2026/05/28 4:8 p.m.30 views

CVE-2026-44461

The CVE affects the Zed code editor prior to version 0.227.1. When Zed builds SSH/WSL remote commands, it places environment variable keys into the shell command string without proper quoting or validation. If an attacker can control an environment variable key (e.g., via project terminal setting...

8.6CVSS6.2AI score0.00257EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/05/28 4:8 p.m.3 views

CVE-2026-44461 Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key for example via project termin...

8.6CVSS6.4AI score0.00257EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/05/19 6:32 p.m.10 views

BillaBear is Vulnerable to SQL Injection in the EventRepository

BillaBear all versions prior to Jan 2026 contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf without proper sanitization or identifier quoting. Although...

8.8CVSS6.1AI score0.00365EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/05/19 4:16 p.m.12 views

CVE-2026-31069

BillaBear all versions prior to Jan 2026 contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf without proper sanitization or identifier quoting. Although...

8.8CVSS0.00365EPSS
Exploits0References3
CVE
CVE
added 2026/05/19 12:0 a.m.20 views

CVE-2026-31069

The CVE-2026-31069 entry concerns BillaBear (versions before Jan 2026) with a SQL Injection in the EventRepository. The root cause is unsafely interpolating user-controlled identifiers (filter names and aggregation property keys) into SQL via sprintf(), while values are parameterized. An authenti...

8.8CVSS6.1AI score0.00365EPSS
Exploits0References3
NVD
NVD
added 2026/05/13 8:16 p.m.47 views

CVE-2026-42550

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an...

8.8CVSS0.00396EPSS
Exploits0References1
Rows per page
Query Builder