IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Code Injection
Online Weather
NVD
GitHub
CVSS 3.1
9.8
EPSS
1.2%