Lucene search

9457 matches found

RedhatCVE
added 2026/01/09 8:39 a.m., 5 views

CVE-2017-18306

Information disclosure due to uninitialized variable...

8.4 CVSS, 8.2 AI score, 0.00073 EPSS
Exploits 0, References 1
RedhatCVE
added 2026/01/09 8:34 a.m., 2 views

CVE-2024-41956

Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by...

8.1 CVSS, 7.7 AI score, 0.00399 EPSS
Exploits 0, References 1
Positive Technologies
added 2026/01/09 12:00 a.m., 3 views

PT-2026-1720

Name of the Vulnerable Software and Affected Versions: MG AdvancedOptions versions prior to 1.3. Description: The MG AdvancedOptions plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping. This allows unauthenticated attackers t...

6.1 CVSS, 6 AI score, 0.00067 EPSS
Exploits 0, References 7
CNNVD
added 2026/01/09 12:00 a.m., 2 views

WordPress plugin MG AdvancedOptions Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site scripting...

6.1 CVSS, 5.9 AI score, 0.00067 EPSS
Exploits 0, References 3
Positive Technologies
added 2026/01/09 12:00 a.m., 2 views

PT-2026-1721

Name of the Vulnerable Software and Affected Versions: Lesson Plan Book versions prior to 1.4. Description: The Lesson Plan Book plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to...

6.1 CVSS, 6 AI score, 0.00249 EPSS
Exploits 0, References 7
Tenable Nessus
added 2026/01/09 12:00 a.m., 3 views

Siemens Ruggedcom ROX Static Code Injection (CVE-2024-32487)

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the...

8.6 CVSS, 7.3 AI score, 0.00329 EPSS
Exploits 0, References 3
EUVD
added 2026/01/08 9:13 p.m., 3 views

EUVD-2026-1462

Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles...

6.4 AI score
Exploits 0, References 4
Vulnrichment
added 2026/01/08 1:55 p.m., 6 views

CVE-2026-21876 OWASP CRS has multipart bypass using multiple content-type parts

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a...

9.3 CVSS, 6.5 AI score, 0.03984 EPSS
Exploits 4, References 5
AlpineLinux
added 2026/01/07 10:30 p.m., 2 views

CVE-2025-69262

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Cod...

7.8 CVSS, 7.6 AI score, 0.0008 EPSS
Exploits 1
EUVD
added 2026/01/07 10:30 p.m., 4 views

EUVD-2026-1159

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Cod...

7.5 CVSS, 7 AI score, 0.0008 EPSS
Exploits 1, References 3
Cvelist
added 2026/01/07 10:30 p.m., 17 views

CVE-2025-69262 pnpm vulnerable to Command Injection via environment variable substitution

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Cod...

7.5 CVSS, 0.0008 EPSS
Exploits 1, References 2
Snyk
added 2026/01/07 8:47 p.m., 2 views

Use of Uninitialized Variable

Overview: Panda3D is a framework for 3D rendering and game development for Python and C++ programs. Affected versions of this package are vulnerable to Use of Uninitialized Variable via the deploy-stub process. An attacker can cause the application to crash or exhibit undefined behavi...

6.9 CVSS, 6.8 AI score, 0.0004 EPSS
Exploits 1, References 2
OSV
added 2026/01/07 6:51 p.m., 1 view

GHSA-2PHV-J68V-WWQX pnpm vulnerable to Command Injection via environment variable substitution

Summary: A command injection vulnerability exists in pnpm when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve remote code execution (RCE) in build environments...

7.5 CVSS, 8.5 AI score, 0.0008 EPSS
Exploits 1, References 4
NVD
added 2026/01/07 12:16 p.m., 0 views

CVE-2025-14127

The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1 CVSS, 0.00052 EPSS
Exploits 0, References 4
Patchstack
added 2026/01/07 11:41 a.m., 3 views

WordPress Starred Review plugin <= 1.4.2 - Reflected Cross-Site Scripting via PHP_SELF Variable vulnerability

Reflected Cross-Site Scripting via PHP_SELF Variable vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Starred Review versions <= 1.4.2...

6.1 CVSS, 6.2 AI score, 0.0005 EPSS
Exploits 0, References 1, Affected Software 1
RedhatCVE
added 2026/01/07 9:43 a.m., 4 views

CVE-1999-0782

KDE kppp allows local users to create a directory in an arbitrary location via the HOME environmental variable...

2.1 CVSS, 6.8 AI score, 0.00112 EPSS
Exploits 0, References 1
RedhatCVE
added 2026/01/07 9:42 a.m., 7 views

CVE-1999-0872

Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file...

7.2 CVSS, 7.2 AI score, 0.00063 EPSS
Exploits 0, References 1
RedhatCVE
added 2026/01/07 9:41 a.m., 5 views

CVE-1999-0786

The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack...

4.6 CVSS, 6.8 AI score, 0.0034 EPSS
Exploits 0, References 1
RedhatCVE
added 2026/01/07 9:41 a.m., 9 views

CVE-1999-0768

Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO environmental variable...

7.5 CVSS, 7.3 AI score, 0.06264 EPSS
Exploits 0, References 1
RedhatCVE
added 2026/01/07 9:40 a.m., 7 views

CVE-1999-0297

Buffer overflow in Vixie Cron library up to version 3.0 allows local users to obtain root access via a long environmental variable...

7.2 CVSS, 6.8 AI score, 0.00063 EPSS
Exploits 0, References 1