Monthly
Arbitrary Perl code execution in the IO::Compress distribution (all versions before 2.220) lets an attacker who controls the output glob string passed to the bundled File::GlobMapper run arbitrary Perl at the calling process's privilege. The output glob is wrapped in double quotes and later handed to Perl's eval STRING, so an embedded double quote escapes the string context and the trailing characters execute as code. This is rated CVSS 7.3 and tagged RCE/Code Injection; no public exploit was identified at time of analysis and EPSS is very low (0.03%), but a vendor patch (2.220) and the fixing commit are publicly available.
Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. Vendor-released patch in version 1.5.2 addresses the sandbox escape. Affects applications using angular-expressions as a standalone module for evaluating user-supplied Angular.JS expressions.
{eval:...} syntax. An attacker can exploit this by providing a malicious configuration file, leading to arbitrary code execution when the training script is run with that configuration.
Remote code execution in SEPPmail Secure Email Gateway versions prior to 15.0.2.1 enables unauthenticated attackers to execute arbitrary Perl code via the GINA UI. The vulnerability stems from an endpoint passing unsanitized user input directly to Perl's eval function, allowing complete system compromise. Reported by Switzerland's national CERT (NCSC.ch), this represents a critical pre-authentication attack surface requiring immediate patching.
Arbitrary code execution in PPTAgent allows local attackers to execute Python code by exploiting unsafe eval() of LLM-generated content with unrestricted builtins. The framework's agentic architecture passes AI-generated code directly to eval() with full builtin access, enabling execution of arbitrary system commands. Patch available via commit 418491a which restricts eval() globals to an empty builtins dictionary and adds path traversal protections. CVSS 8.6 with local attack vector and user interaction requirement; no evidence of active exploitation or public POC at time of analysis.
Improper neutralization of directives in dynamically evaluated code in Pagekit CMS up to version 1.0.18 allows high-privileged remote attackers to inject and execute arbitrary PHP code through the StringStorage Template Handler's evaluate function in app/modules/view/src/PhpEngine.php. The vulnerability requires administrator-level access but enables information disclosure, code injection, and potential system compromise. Publicly available exploit code exists; the vendor has not responded to disclosure efforts.
Remote code execution in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated attackers with administrative privileges to inject and execute arbitrary PHP code via platform configuration settings. The PlatformConfigurationController::decodeSettingArray() method unsafely uses eval() to parse database-stored settings, executing injected code when any user-including unauthenticated visitors-accesses the /platform-config/list endpoint. Exploitation requires low-privilege authentication (PR:L) but delivers full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
Remote code injection in FoundationAgents MetaGPT up to version 0.8.1 allows unauthenticated attackers to execute arbitrary code via improper neutralization of directives in the ActionNode.xml_fill XML handler function. The vulnerability has publicly available exploit code and affects the dynamic code evaluation mechanism in metagpt/actions/action_node.py, enabling attackers to manipulate XML input for code injection with low complexity and no authentication required.
Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution in Dolibarr ERP/CRM versions prior to 23.0.2 allows authenticated administrators to execute arbitrary system commands by exploiting inadequate input validation in the dol_eval_standard() function. The vulnerability enables attackers to bypass security controls using PHP dynamic callable syntax through computed extrafields or other evaluation paths. With a CVSS score of 7.2 and publicly available exploit code documented by Jiva Security, this represents an elevated risk for organizations running unpatched Dolibarr instances, though exploitation requires high-privilege administrator access (CVSS:3.1/PR:H), limiting the attack surface to insider threats or compromised admin accounts.
Arbitrary Perl code execution in the IO::Compress distribution (all versions before 2.220) lets an attacker who controls the output glob string passed to the bundled File::GlobMapper run arbitrary Perl at the calling process's privilege. The output glob is wrapped in double quotes and later handed to Perl's eval STRING, so an embedded double quote escapes the string context and the trailing characters execute as code. This is rated CVSS 7.3 and tagged RCE/Code Injection; no public exploit was identified at time of analysis and EPSS is very low (0.03%), but a vendor patch (2.220) and the fixing commit are publicly available.
Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. Vendor-released patch in version 1.5.2 addresses the sandbox escape. Affects applications using angular-expressions as a standalone module for evaluating user-supplied Angular.JS expressions.
{eval:...} syntax. An attacker can exploit this by providing a malicious configuration file, leading to arbitrary code execution when the training script is run with that configuration.
Remote code execution in SEPPmail Secure Email Gateway versions prior to 15.0.2.1 enables unauthenticated attackers to execute arbitrary Perl code via the GINA UI. The vulnerability stems from an endpoint passing unsanitized user input directly to Perl's eval function, allowing complete system compromise. Reported by Switzerland's national CERT (NCSC.ch), this represents a critical pre-authentication attack surface requiring immediate patching.
Arbitrary code execution in PPTAgent allows local attackers to execute Python code by exploiting unsafe eval() of LLM-generated content with unrestricted builtins. The framework's agentic architecture passes AI-generated code directly to eval() with full builtin access, enabling execution of arbitrary system commands. Patch available via commit 418491a which restricts eval() globals to an empty builtins dictionary and adds path traversal protections. CVSS 8.6 with local attack vector and user interaction requirement; no evidence of active exploitation or public POC at time of analysis.
Improper neutralization of directives in dynamically evaluated code in Pagekit CMS up to version 1.0.18 allows high-privileged remote attackers to inject and execute arbitrary PHP code through the StringStorage Template Handler's evaluate function in app/modules/view/src/PhpEngine.php. The vulnerability requires administrator-level access but enables information disclosure, code injection, and potential system compromise. Publicly available exploit code exists; the vendor has not responded to disclosure efforts.
Remote code execution in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated attackers with administrative privileges to inject and execute arbitrary PHP code via platform configuration settings. The PlatformConfigurationController::decodeSettingArray() method unsafely uses eval() to parse database-stored settings, executing injected code when any user-including unauthenticated visitors-accesses the /platform-config/list endpoint. Exploitation requires low-privilege authentication (PR:L) but delivers full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
Remote code injection in FoundationAgents MetaGPT up to version 0.8.1 allows unauthenticated attackers to execute arbitrary code via improper neutralization of directives in the ActionNode.xml_fill XML handler function. The vulnerability has publicly available exploit code and affects the dynamic code evaluation mechanism in metagpt/actions/action_node.py, enabling attackers to manipulate XML input for code injection with low complexity and no authentication required.
Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution in Dolibarr ERP/CRM versions prior to 23.0.2 allows authenticated administrators to execute arbitrary system commands by exploiting inadequate input validation in the dol_eval_standard() function. The vulnerability enables attackers to bypass security controls using PHP dynamic callable syntax through computed extrafields or other evaluation paths. With a CVSS score of 7.2 and publicly available exploit code documented by Jiva Security, this represents an elevated risk for organizations running unpatched Dolibarr instances, though exploitation requires high-privilege administrator access (CVSS:3.1/PR:H), limiting the attack surface to insider threats or compromised admin accounts.