23 matches found

Source: Veracode
added 2026/05/16 5:30 a.m. | 5 views

Command Injection

uniget is vulnerable to Command Injection. The vulnerability is due to unsafe execution of the untrusted check field from metadata files through /bin/bash -c without proper validation or sanitization, which allows an attacker to execute arbitrary shell commands on the victim's system...

CVSS 7.8 | AI score 6.2 | EPSS 0.00038
Exploits: 0 | References: 4 | Affected software: 1
Source: EUVD
added 2026/05/12 6:30 p.m. | 5 views

EUVD-2026-29559

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

AI score 6.3 | EPSS 0.00102
Exploits: 0 | References: 3
Source: Github Security Blog
added 2026/05/12 6:30 p.m. | 8 views

llm CLI tool contains a code injection vulnerability via `--functions` command-line argument

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

CVSS 9.8 | AI score 6.3 | EPSS 0.00102
Exploits: 0 | References: 4 | Affected software: 1
Source: OSV
added 2026/05/12 6:16 p.m. | 4 views

DEBIAN-CVE-2026-31236

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

CVSS 9.8 | AI score 6.3 | EPSS 0.00102
Exploits: 0 | References: 1
Source: Positive Technologies
added 2026/05/12 12:00 a.m. | 5 views

PT-2026-40123

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

AI score 6.3 | EPSS 0.00102
Exploits: 0 | References: 3
Source: Debian CVE
added 2026/05/12 12:00 a.m. | 4 views

CVE-2026-31236

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec function...

CVSS 9.8 | AI score 6.3 | EPSS 0.00102
Exploits: 0
Source: Cvelist
added 2026/05/12 12:00 a.m. | 27 views

CVE-2026-31231

Cognee thru v0.4.0 contains a critical remote code execution vulnerability in its notebook cell execution API endpoint. The endpoint is designed to execute arbitrary Python code provided by the user, but it does so using the unsafe exec function without any sandboxing, validation, or security...

EPSS 0.00378
Exploits: 0 | References: 2
Source: IBM Security Bulletins
added 2026/04/27 5:44 p.m. | 2 views

Security Bulletin: Langflow OSS Authenticated Remote Code Execution (RCE) vulnerability exists in the validate_code function

Summary: Langflow OSS contains a critical vulnerability in the code validate endpoint due to unsafe use of Python's exec function within the validate_code routine. While the feature is intended to validate user-supplied function definitions, it fails to account for Python decorators, which are executed...

CVSS 8.8 | AI score 7 | EPSS 0.00041
Exploits: 0 | Affected software: 1
Source: NVD
added 2026/02/11 10:15 p.m. | 3 views

CVE-2026-26029

sf-mcp-server is an implementation of Salesforce MCP server for Claude for Desktop. A command injection vulnerability exists in sf-mcp-server due to unsafe use of child_process.exec when constructing Salesforce CLI commands with user-controlled input. Successful exploitation allows attackers to...

CVSS 7.5 | EPSS 0.00028
Exploits: 0 | References: 2
Source: Vulnrichment
added 2026/02/11 9:25 p.m. | 3 views

CVE-2026-26029 sf-mcp-server has a Command Injection in query_records tool due to unsafe use of child_process.exec

sf-mcp-server is an implementation of Salesforce MCP server for Claude for Desktop. A command injection vulnerability exists in sf-mcp-server due to unsafe use of child_process.exec when constructing Salesforce CLI commands with user-controlled input. Successful exploitation allows attackers to...

CVSS 7.5 | AI score 6 | EPSS 0.00028
Exploits: 0 | References: 2
Source: OSV
added 2025/09/24 6:59 p.m. | 2 views

GHSA-54J7-GRVR-9XWG Command Injection in adb-mcp MCP Server

The MCP Server at https://github.com/srmorete/adb-mcp is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tool definitions and implementation. The MCP Server is also published publicly to npm at...

CVSS 9.8 | AI score 6.2 | EPSS 0.01795
Exploits: 1 | References: 5
Source: Positive Technologies
added 2025/09/22 12:00 a.m. | 4 views

PT-2025-39374

Name of the Vulnerable Software and Affected Versions: git-commiters versions prior to 0.1.2. Description: git-commiters is a Node.js function module used to provide committers statistics for a git repository. A command injection issue exists due to insufficient input sanitization and insecure proce...

CVSS 8.7 | AI score 7.7 | EPSS 0.00147
Exploits: 1 | References: 8
Source: RedhatCVE
added 2025/05/23 3:43 a.m. | 4 views

CVE-2023-30553

Archery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. Affected versions are subject to multiple SQL injections in the sql_api/api_workflow.py endpoint ExecuteCheck. User input...

CVSS 6.5 | AI score 7.8 | EPSS 0.01358
Exploits: 1 | References: 1
Source: OSV
added 2024/10/08 6:30 a.m. | 1 view

GHSA-62CX-5XJ4-WFM4 ggit is vulnerable to Command Injection via the fetchTags(branch) API

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec Node.js child process API...

CVSS 7.3 | AI score 5.9 | EPSS 0.00364
Exploits: 0 | References: 4
Source: SUSE CVE
added 2023/02/15 5:32 a.m. | 2 views

SUSE CVE-2014-0048

An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways...

CVSS 9.8 | AI score 7 | EPSS 0.03303
Exploits: 0 | References: 3
Source: OSV
added 2020/01/02 5:15 p.m. | 1 view

DEBIAN-CVE-2014-0048

An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways...

CVSS 9.8 | AI score 7.8 | EPSS 0.03303
Exploits: 0 | References: 1
Source: OSV
added 2020/01/02 5:15 p.m. | 7 views

CVE-2014-0048

An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways...

CVSS 9.8 | AI score 6.8 | EPSS 0.03303
Exploits: 0 | References: 14
Source: Prion
added 2020/01/02 5:15 p.m. | 21 views

Design/Logic Flaw

An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways...

CVSS 7.5 | AI score 7.1 | EPSS 0.03303
Exploits: 0 | References: 8 | Affected software: 2
Source: CVE
added 2020/01/02 4:22 p.m. | 79 views

CVE-2014-0048

CVE-2014-0048 affects Docker before 1.6.0. The issue is that some programs and scripts in Docker were downloaded via HTTP and then executed or used in unsafe ways, enabling potential exposure of data or control depending on use. Multiple sources (NVD, OSV, OSV Ubuntu, Nessus/NASL) corroborate thi...

CVSS 9.8 | AI score 9.4 | EPSS 0.03303
Exploits: 0 | References: 8 | Affected software: 1
Source: exploitpack
added 2017/07/18 12:00 a.m. | 26 views

Hashicorp vagrant-vmware-fusion 4.0.20 - Local Privilege Escalation

I'm a big fan of Hashicorp, but this is an awful bug to have in software of their calibre. Their Vagrant plugin for VMware Fusion uses a product called Ruby Encoder to protect their proprietary Ruby code. It does this by turning t...

AI score 0.8
Exploits: 0