13 matches found
CVE-2026-30302
The command auto-approval module in CodeRider-Kilo contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser the Unix-based shell-quote library to analyze commands on the...
CVE-2026-28391
OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests non-default configuration, allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...%...
Command Injection
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Command Injection in the wrapper resolution. An attacker can execute arbitrary commands by influencing the current working directory during wrapper resolution for .cmd or .bat files on...
CVE-2025-30222
Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of...
Shescape has potential environment variable exposure on Windows with CMD
Impact This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of quote/quoteAll/escape/escapeAll. An attacker may be able to get read-only access to environment variables. Example: javascript import as cp from "node:childprocess"; import...
GHSA-66PP-5P9W-Q87J Shescape has potential environment variable exposure on Windows with CMD
Impact This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of quote/quoteAll/escape/escapeAll. An attacker may be able to get read-only access to environment variables. Example: javascript import as cp from "node:childprocess"; import...
CVE-2025-30222
Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of...
CVE-2025-30222
Shescape vulnerability (CVE-2025-30222) affects versions 1.7.2–2.1.1 of the JavaScript shell-escape library. On Windows, when shell: 'cmd.exe' or shell: true is configured and any of quote/quoteAll/escape/escapeAll is used, an attacker may gain read-only access to environment variables due to env...
CVE-2025-30222 Shescape has potential environment variable exposure on Windows with CMD
Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of...
CVE-2025-30222 Shescape has potential environment variable exposure on Windows with CMD
Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of...
CVE-2022-31179 Insufficient escaping of line feeds for CMD in shescape
Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on windows. This impacts users that use Shescape any API function to escape arguments for cmd.exe on Windows An attacker can omit all arguments following their input by...
Metasploit RPC Console Command Execution
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core/rpc/v10/client' class MetasploitModule 'Metasploit RPC Console Command Execution', 'Description' = %q This module connects to a specified Metasploit RPC...
MediaWiki Thumb.php Remote Command Execution Exploit
Exploit for multiple platform in category remote exploits require 'msf/core' class Metasploit3 'MediaWiki Thumb.php Remote Command Execution', 'Description' = %q MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows...