Lucene search
K

25 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.4 views

PYSEC-2026-560 utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol

Summary The substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix or powershell.exe -Command Windows, allowing an attacker to...

10CVSS6.1AI score0.00272EPSS
Exploits0References5
OSV
OSV
added 2026/05/26 6:16 p.m.9 views

DEBIAN-CVE-2026-48695

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The log function in src/mikrotikplugin/fastnetmonmikrotik.php lines 107-108 constructs shell commands by concatenating the $msg parameter directly into exec calls:...

8.1CVSS5.9AI score0.0107EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 6:16 p.m.14 views

CVE-2026-48695

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The log function in src/mikrotikplugin/fastnetmonmikrotik.php lines 107-108 constructs shell commands by concatenating the $msg parameter directly into exec calls:...

8.1CVSS0.0107EPSS
Exploits0References3
OSV
OSV
added 2026/05/14 8:56 p.m.7 views

GHSA-33P6-5JXP-P3X4 utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol

Summary The substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix or powershell.exe -Command Windows, allowing an attacker to...

10CVSS6AI score0.00272EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/14 8:14 p.m.51 views

CVE-2026-45369 python-utcp: Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix o...

8.3CVSS0.00272EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/14 8:14 p.m.11 views

CVE-2026-45369 python-utcp: Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the substituteutcpargs method in clicommunicationprotocol.py inserts user-controlled toolargs values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c Unix o...

8.3CVSS5.9AI score0.00272EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 8:14 p.m.20 views

CVE-2026-45369

Summary: CVE-2026-45369 affects python-utcp prior to 1.1.3, where _substitute_utcp_args in cli_communication_protocol.py injects user-controlled tool_args directly into shell commands without sanitization, leading to potential Remote Code Execution when commands are run via /bin/bash -c (Unix) or...

8.3CVSS5.9AI score0.00272EPSS
Exploits0References1
CVE
CVE
added 2026/05/11 7:4 p.m.14 views

CVE-2026-42874

CVE-2026-42874 affects Microdot prior to version 2.6.1, where Response.set_cookie() does not sanitize string arguments and fails to detect the CRLF sequence, enabling HTTP header injection via cookie storage. Exploitation requires the attacker to first compromise a client (e.g., through a separat...

3.7CVSS5.8AI score0.00215EPSS
Exploits0References3
OSV
OSV
added 2026/04/03 6:31 a.m.4 views

GHSA-8JR8-V43G-5C57 Roundcube Webmail: Unsanitized IMAP SEARCH command arguments

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

3.1CVSS5.9AI score0.00283EPSS
Exploits0References9
NVD
NVD
added 2026/04/03 5:16 a.m.7 views

CVE-2026-35538

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

3.1CVSS0.00283EPSS
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2026/01/22 12:0 a.m.12 views

Azure Linux 3.0 Security Update: kernel (CVE-2025-38182)

The version of kernel installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-38182 advisory. - In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from...

7.8CVSS5.3AI score0.00156EPSS
Exploits0References2
Snyk
Snyk
added 2025/11/01 6:30 a.m.6 views

Command Injection

Overview dar-backup is an A script to do full, differential and incremental backups using dar. Some files are restored from the backups during verification, after which par2 redundancy files are created. The script also has a cleanup feature to remove old backups and par2 files. Affected versions...

9.8CVSS8AI score
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2023-43016

Malicious code in bioql PyPI...

5.5CVSS5.8AI score0.00178EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/22 3:10 p.m.8 views

CVE-2020-7628

umount through 1.1.6 is vulnerable to Command Injection. The argument device can be controlled by users without any sanitization...

9.8CVSS6.8AI score0.01744EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/04/24 6:4 p.m.13 views

CVE-2025-43858 YoutubeDLSharp allows command injection on windows system due to non sanitized arguments

YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting yt-dlp from a commands prompt running on Windows OS with...

9.2CVSS9.5AI score0.00222EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/04/24 6:4 p.m.50 views

CVE-2025-43858 YoutubeDLSharp allows command injection on windows system due to non sanitized arguments

YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting yt-dlp from a commands prompt running on Windows OS with...

9.2CVSS0.00222EPSS
Exploits0References3
OSV
OSV
added 2025/04/23 10:25 p.m.12 views

GHSA-2JH5-G5CH-43Q5 YoutubeDLSharp allows command injection on windows system due to non sanitized arguments

Summary This vulnerability only apply when running on a Windows OS. An unsafe conversion of arguments allows the injection of a malicous commands when starting yt-dlp from a commands prompt. !CAUTION NOTE THAT DEPENDING ON THE CONTEXT AND WHERE THE LIBRARY IS USED, THIS MAY HAVE MORE SEVERE...

9.2CVSS7.6AI score0.00222EPSS
Exploits0References5
SUSE CVE
SUSE CVE
added 2024/11/28 3:48 a.m.4 views

SUSE CVE-2024-52337

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick t...

5.5CVSS6.5AI score0.00298EPSS
Exploits0References6
OSV
OSV
added 2024/11/26 4:15 p.m.6 views

AZL-53676 CVE-2024-52337 affecting package tuned for versions less than 2.15.0-5

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick t...

5.5CVSS6.6AI score0.00298EPSS
Exploits0References1
OSV
OSV
added 2023/11/02 9:15 p.m.5 views

CVE-2023-39284

An issue was discovered in IhisiServicesSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There are arbitrary calls to SetVariable with unsanitized arguments in the SMI handler...

5.5CVSS5.9AI score0.00178EPSS
Exploits0References2
Rows per page
Query Builder