5 matches found
CVE-2026-44717
The MCP Calculate Server (based on MCP and SymPy) is vulnerable prior to version 0.1.1 due to use of eval() for evaluating expressions without input sanitization, enabling remote code execution. The issue is fixed in 0.1.1. The CVSS3.1 vector indicates a network-facing, high-impact (CRITICAL) RCE...
CVE-2025-68700
RAGFlow (pre-0.23.0) is affected by a Remote Code Execution vulnerability. An authenticated, low-privilege user can cause arbitrary commands on the server host via the frontend Canvas CodeExec component because untrusted stdout is parsed with eval() without filtering or sandboxing. This design fl...
PYSEC-2019-199
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDGCONFIGDIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in...
DEBIAN-CVE-2019-12761
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDGCONFIGDIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in...
UBUNTU-CVE-2019-12761
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDGCONFIGDIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in...