CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Argument injection in Symfony Mailer's SendmailTransport component allows an attacker who controls recipient email addresses to inject arbitrary sendmail command-line options when the transport operates in -t mode. The flaw affects symfony/mailer and symfony/symfony across the 5.4, 6.x, and 7.x branches, with fixed releases confirmed at 5.4.52, 6.4.40, and 7.4.12. No public exploit code or CISA KEV listing exists at time of analysis, but the vulnerability is exploitable wherever application logic permits user-influenced recipient addresses and -t mode is configured.
VM escape in Kata Containers allows any Kubernetes user with pod-creation rights to break out of the VM sandbox and gain full read/write access to the host filesystem. All Kata Containers installations prior to commit ffa59ce3aa78 are affected when using the default configuration.toml, which enables the `virtio_fs_extra_args` and `kernel_params` pod annotations out of the box. An attacker crafts a pod with two annotations: one to redirect virtiofsd to serve the host root filesystem (`/`) into the guest VM, and a second to enable the agent debug console, after which the entire host filesystem is accessible from inside the supposedly isolated VM. A fully working proof-of-concept with confirmed output against Kata Containers 3.28.0 on Ubuntu 24.04 has been publicly disclosed; no active exploitation (CISA KEV listing) has been confirmed at time of analysis.
Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers to execute arbitrary OS commands on the host. When the primary toSmbPath(fullPath) routine throws, a fallback path concatenates the unvalidated basename into an smbclient -c script, where ';' acts as a subcommand separator and '!cmd' triggers a local shell escape. No public exploit identified at time of analysis, and the issue is not currently in CISA KEV.
Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-level commands on the server by abusing the MCP server creation endpoint. Although the endpoint allowlists binary names (node, bun, python3, deno), it forwards user-controlled args unfiltered to the child process, and every allowed binary supports inline code execution flags (-e or -c). No public exploit identified at time of analysis, but the CVSS 9.9 rating reflects the trivial exploit path and the fact that the server binds on all interfaces with a bypassable host-header rebinding check.
Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands through the unsanitized reference field. The GitHubRepository block concatenates user input directly into git clone commands, enabling attackers to inject malicious options that can lead to SSRF, credential theft, or remote code execution. While no active exploitation is confirmed, the straightforward attack vector and high impact make this a priority for organizations using Prefect's GitHub integration features.
Arbitrary command execution in IINA media player for macOS versions prior to 1.4.3 allows remote attackers to run shell commands as the logged-in user by tricking the victim into approving an iina://open URL containing malicious mpv_-prefixed parameters. Publicly available exploit code exists and a vendor patch has been released; exploitation requires a single browser protocol prompt approval (UI:A) but no authentication and no valid media file.
Argument injection in dbt-mcp v1.15.1 through v1.17.0 allows MCP clients to inject arbitrary dbt command-line flags such as --profiles-dir, --project-dir, and --target via unsanitized node_selection and resource_type parameters, enabling attackers to redirect dbt's configuration and database operations to attacker-controlled locations. The vulnerability is exploitable via two independent vectors in the _run_dbt_command() function and has been verified by proof-of-concept code demonstrating arbitrary dbt profile injection. Vendor-released patch available in v1.17.1.
Arbitrary file read in n8n workflow automation allows authenticated users with workflow editing permissions to inject malicious CLI flags into the Git node's Push operation, enabling access to sensitive files on the n8n server and potential full system compromise. The vulnerability affects all n8n versions prior to the patched releases (1.123.43, 2.20.7, 2.22.1) and exploits CWE-88 (argument injection) through insufficient sanitization of Git command parameters. No public exploit code or CISA KEV listing identified at time of analysis, but the vendor-confirmed vulnerability requires only low-privileged authenticated access with workflow permissions.
Argument injection in Fortinet FortiDeceptor 5.0 through 6.0.2 allows authenticated administrators with read-only permissions to read arbitrary log files via crafted HTTP requests, exposing sensitive system and audit logs. The vulnerability requires valid admin credentials but no elevated privileges, making it accessible to lower-privileged authenticated users. No public exploit code or active exploitation has been confirmed at time of analysis.
Authenticated remote attackers can read arbitrary files from the operating system filesystem with root privileges on affected RUGGEDCOM ROX devices due to improper input validation in the JSON-RPC web server interface. All versions of ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 below V2.17.1 are affected. No public exploit code has been identified at time of analysis.