10 matches found
EUVD-2026-42340
Horde Virtual File System VFS API before 3.0.1 contains an OS command injection vulnerability in the HordeVfsSmb driver where the escapeShellCommand method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled...
CVE-2026-49103
Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi...
CVE-2025-13030
All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file...
CVE-2024-36057
Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by...
WordPress plugin PoloPag Pix Automático para Woocommerce 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...
CLSA-2025-1741125595 python3.9: Fix of CVE-2007-4559
CVE-2007-4559: add security filter in the tarfile module to prevent directory traversal attacks. Introduces the filter parameter; use filter="data" to block unsafe filenames...
libreoffice: Improper Input Validation leading to arbitrary gstreamer plugin execution
An improper input validation vulnerability was found in LibreOffice. In versions where filenames are not sufficiently escaped, an attacker can execute arbitrary GStreamer plugins...
CLSA-2022-1658346794 Fix CVE(s): CVE-2015-20107
SECURITY UPDATE: Injection vulnerability - debian/patches/CVE-2015-20107.patch: Make mailcap refuse to match unsafe filenames/types/param in Lib/mailcap.py. - CVE-2015-20107...
CLSA-2022-1658346144 Fix CVE(s): CVE-2015-20107
SECURITY UPDATE: Injection vulnerability - debian/patches/CVE-2015-20107.patch: Make mailcap refuse to match unsafe filenames/types/param in Lib/mailcap.py. - CVE-2015-20107...
security flaw
Enscript 1.6.3 does not sanitize filenames, which allows remote attackers or local users to execute arbitrary commands via crafted filenames...