
Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

The vulnerable pattern is an application that takes user input and hands it straight to a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time, before the AST validation logic even ran, the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation
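The following is an added example, not code from the original page or from any of the projects it describes, illustrating two of the points above: the "How It Works" / Langflow observation that anything reaching exec() or eval() runs before a validator can reason about it, and the mitigation of parsing input into an AST and allowlisting what it may contain. The function names, the operator and function allowlists, and the exponent cap are this example's own choices; ast.parse() only builds a tree and never executes anything, so the decision to run happens only after the walk below has accepted every node.

```python
"""Added example: an allowlisted arithmetic evaluator next to the unsafe eval() it replaces.

Assumptions (not from the page): the application only ever needs arithmetic with a
handful of numeric helpers, so the allowlist is deliberately tiny. Anything else,
including attribute access, subscripts, imports, lambdas and calls to non-allowlisted
names, is rejected before a single byte of user input is executed.
"""
import ast
import operator
from typing import Any, Dict, Optional

# Operators the evaluator is willing to apply, mapped to plain functions.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

# Names that may be called; every other name is an error, not a builtin lookup.
_SAFE_FUNCS = {"min": min, "max": max, "abs": abs, "round": round}
_MAX_POW = 10_000  # hypothetical cap so 9**9**9 cannot exhaust CPU/memory


class UnsafeExpression(ValueError):
    """Raised when the input contains anything outside the allowlist."""


def unsafe_eval(expr: str) -> Any:
    """The pattern the page warns about: user input straight into eval()."""
    return eval(expr)  # intentionally unsafe, kept only for contrast


def safe_eval(expr: str, variables: Optional[Dict[str, float]] = None) -> float:
    """Evaluate an arithmetic expression by walking an allowlisted AST."""
    variables = variables or {}
    try:
        # mode="eval" accepts a single expression; statements such as
        # `import os` or a decorated class are syntax errors here.
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a valid expression: {exc.msg}") from None
    return _eval_node(tree.body, variables)


def _eval_node(node: ast.AST, variables: Dict[str, float]) -> float:
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in variables:
            return variables[node.id]
        raise UnsafeExpression(f"unknown name {node.id!r}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, variables))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, variables)
        right = _eval_node(node.right, variables)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_POW:
            raise UnsafeExpression("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.Call):
        # Only a bare allowlisted name may be called: no obj.method, no
        # keyword arguments, no *args, so there is no path to other objects.
        if not isinstance(node.func, ast.Name) or node.func.id not in _SAFE_FUNCS:
            raise UnsafeExpression("call to non-allowlisted function")
        if node.keywords or any(isinstance(a, ast.Starred) for a in node.args):
            raise UnsafeExpression("unsupported call form")
        return _SAFE_FUNCS[node.func.id](*(_eval_node(a, variables) for a in node.args))
    # Attribute, Subscript, Lambda, comprehensions, f-strings, ... all end here.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def is_safe(expr: str) -> bool:
    """True if the expression passes the allowlist without being executed otherwise."""
    try:
        safe_eval(expr)
    except UnsafeExpression:
        return False
    return True


if __name__ == "__main__":
    print(safe_eval("7*7"))                       # 49
    print(is_safe("''.__class__.__mro__[1].__subclasses__()"))  # False
```

The design point is that the allowlist is positive: the walker enumerates the node types it understands and refuses everything else, so a new Python syntax feature or an attribute chain the author never thought of fails closed rather than slipping through a denylist. Where even this is more than the feature needs, the page's first mitigation still applies: replace the expression language with plain data (a JSON object of operands) and no evaluator at all.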

Recent CVEs (1358)

EPSS 0% CVSS 2.1
LOW Monitor

Code injection in Bootstrap CMS 0.9.0-alpha page creation handler allows authenticated remote attackers to inject arbitrary code via the body parameter in resources/views/pages/show.blade.php, with publicly available exploit code and a CVSS score of 2.1 reflecting low confidentiality/integrity impact. The vulnerability affects an unmaintained product with an inactive code repository, limiting real-world exposure but enabling opportunistic exploitation of legacy deployments.

PHP Code Injection
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in IBM Langflow Desktop 1.0.0 through 1.8.4 allows authenticated attackers to execute arbitrary commands at the privilege level of the Langflow process. Attackers can exfiltrate API keys and database credentials from environment variables, modify application files, or pivot to internal network targets. IBM has released a vendor patch addressing this code injection vulnerability. No active exploitation confirmed by CISA KEV at time of analysis, though CVSS 8.8 severity and low attack complexity indicate high exploitability once authenticated access is obtained.

RCE IBM Code Injection
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Code injection in Qt SVG module allows attackers to execute arbitrary QML/JavaScript when applications load malicious SVG files through Qt Quick's VectorImage component. Exploitation requires local file access and user interaction (opening crafted SVG). While QML execution is more restricted than native code, attackers can still trigger denial of service, exfiltrate application data, or manipulate UI logic depending on the victim application's privilege context. No active exploitation confirmed (not in CISA KEV), but patch available from Qt Project reduces urgency for immediate emergency response.

RCE Denial Of Service Information Disclosure +3
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Krayin CRM 2.1.5 allows authenticated attackers to execute arbitrary code through the compose email function via code injection. The vulnerability was patched in version 2.1.6 released by the vendor. A public proof-of-concept exploit exists on GitHub (cybercrewinc/CVE-2026-36340), significantly lowering the barrier to exploitation. With CVSS 8.1 (High) and network accessibility requiring only low-privilege authentication, this presents immediate risk to organizations running unpatched Krayin CRM instances, particularly those exposing the CRM to internal users or external partners.

RCE Code Injection N A
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox escape in n8n's Python Task Runner enables authenticated workflow editors to execute arbitrary code on the task runner container. This vulnerability (CWE-94: Improper Control of Generation of Code) affects n8n instances with the Python Code Node feature enabled, allowing attackers with workflow creation/modification permissions to break out of the Python sandbox. Vendor-released patches are available in versions 1.123.32, 2.17.4, and 2.18.1. No public exploit identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for exploitation by authenticated users.

RCE Python Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SQL injection in n8n's Oracle Database node allows attackers to inject arbitrary SQL commands through the Limit field when user-controlled input is passed via expressions, enabling data exfiltration from connected Oracle databases. Exploitation requires a specific workflow configuration where external input (e.g., from webhooks) reaches the Limit field; authentication depends on the webhook's access controls. The vulnerability affects n8n versions prior to 1.123.32, 2.17.4, and 2.18.1, and vendor-released patches are available.

Code Injection Oracle
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.

PHP RCE Code Injection
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.

RCE Python Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A weakness has been identified in EyouCMS up to 1.7.9. Impacted is the function editFile of the file application/admin/logic/FilemanagerLogic.php of the component Template File Handler. Executing a manipulation can lead to code injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

PHP RCE Code Injection
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Cockpit CMS versions 2.13.5 and earlier allows unauthenticated attackers to execute arbitrary system commands on the server by injecting malicious payloads through the filter parameter across multiple endpoints. The vulnerability exploits the MongoLite database layer's $func operator, which processes user-controlled input as executable code. Public proof-of-concept exists and the attack is fully automatable with total system compromise potential, though EPSS scoring suggests limited observed exploitation attempts (2nd percentile) at time of analysis.

RCE Code Injection N A
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local attackers can execute malicious code in OpenClaw versions before 2026.3.31 by placing crafted .env files in workspaces to override the OPENCLAW_BUNDLED_PLUGINS_DIR variable, bypassing plugin trust verification. The vulnerability enables code injection through untrusted plugins masquerading as verified components when users open compromised workspace configurations. EPSS data not available; CVSS v4.0 rates this 8.5 HIGH with local attack vector requiring user interaction. Vendor patch available via GitHub commit 330a9f98cb and release 2026.3.31.

Code Injection
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

Remote code execution in OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by manipulating the AJAX endpoint's databaseConnectivity action parameter. The injected code persists in config.php and executes on every page load while the installation wizard remains incomplete. Publicly available exploit code demonstrates breakout from define() string context using quote and statement separator techniques. Patch available via GitHub commit 3002a29, though CVSS AC:H (high complexity) suggests exploitation requires specific timing or environmental conditions during installation phase.

PHP RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Filter expression injection in Spring AI 1.0.0-1.0.5 and 1.1.0-1.1.4 allows remote unauthenticated attackers to manipulate vector store queries through unescaped keys and values in FilterExpressionConverter implementations. The vulnerability enables query language injection across multiple vector database backends, potentially exposing sensitive data (CVSS:C:H) and modifying query results (CVSS:I:L). VMware has released patches in versions 1.0.6 and 1.1.5. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack vector (AV:N/AC:L/PR:N) and code injection classification (CWE-94) indicate significant risk for applications processing untrusted filter expressions.

RCE Java Code Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

KDE KCoreAddons before version 6.25 contains an improper neutralization of special elements vulnerability in the KShell::quoteArgs() function that fails to safely escape metacharacters and control characters, allowing local attackers with user interaction to inject arbitrary shell commands or terminal control sequences when user input is passed to shell execution contexts. Applications using this method to quote arguments for security-critical operations are affected; exploitation requires local access and user interaction but can achieve arbitrary code execution with user privileges.

Code Injection Suse
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the intended expression sandbox through JavaScript prototype manipulation. This may grant direct access to backend resources (Lambda environment variables, OpenSearch indices, S3 objects, DynamoDB tables) that are not exposed through normal administrative interfaces. We recommend you upgrade to version 7.3.0 or above.

RCE Node.js Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Cypher injection in LogonTracer prior to v2.0.0 allows remote attackers to alter database contents by submitting specially crafted Windows event log data. The vulnerability requires user interaction to load the malicious log data but results in integrity compromise of the underlying database due to improper input sanitization in Cypher query construction.

Microsoft Code Injection Nosql Injection
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SpEL expression injection in baomidou dynamic-datasource 2.5.0 allows authenticated remote attackers to execute arbitrary code via the DsSpelExpressionProcessor component. The vulnerability stems from unsafe evaluation of Spring Expression Language (SpEL) in datasource routing logic, enabling attackers with application access to inject malicious expressions that execute with application privileges. No public exploit code or active exploitation has been identified at time of analysis, though upstream fix is available.

Java Code Injection
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Code injection in Envoy up to 1.33.0 via improper query parameter handling in the Header Mutation filter allows authenticated remote attackers to inject arbitrary code through the params.add function, resulting in limited confidentiality and integrity impact. The CVSS 5.3 score reflects the requirement for prior authentication and limited scope of impact, though the injection vector in a core HTTP filtering component warrants prompt patching.

Code Injection Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Remote code execution in simple-git before 3.36.0 allows unauthenticated attackers to execute arbitrary commands via incomplete sanitization of command-line options. The vulnerability bypasses the prior CVE-2022-25912 fix by accepting --config instead of the blocked -c flag, enabling protocol.ext.allow=always configuration and malicious ext:: URLs. Publicly available exploit code exists (POC confirmed), with EPSS score of 0.08% indicating low current exploitation probability despite the theoretical severity. SSVC framework classifies this as automatable with total technical impact.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH This Week

GitHub Actions workflow injection in Skim's CI pipeline allows remote code execution with elevated privileges when any GitHub user opens a pull request from a fork. The vulnerable generate-files job automatically checks out and executes attacker-controlled Rust code (via cargo run) with access to SKIM_RS_BOT_PRIVATE_KEY secret and GITHUB_TOKEN with contents:write permissions, enabling repository compromise. User interaction (maintainer reviewing the PR) is required for context, though the exploit executes automatically on PR creation. Patch available via commit bf63404, no active exploitation confirmed at time of analysis.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in Ray Data 2.49.0-2.54.0 allows attackers to execute arbitrary Python code by crafting malicious Parquet files containing Ray tensor extension types. When Ray Data reads these files, it deserializes untrusted metadata using cloudpickle.loads() without validation, triggering code execution during schema parsing before any data is read. The vulnerability requires only that a victim read a crafted Parquet file from any source (cloud storage, HuggingFace datasets, shared filesystems); no cluster access or authentication is needed. This reintroduces a vulnerability class previously fixed in May 2024, making it a regression introduced in July 2025 (PR #54831). Working proof-of-concept exists demonstrating exploitation via HuggingFace datasets following Ray's own documentation. EPSS data not available, not currently in CISA KEV.

RCE Python Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

STARTTLS response injection in MailKit prior to version 4.16.0 allows man-in-the-middle attackers to downgrade SASL authentication mechanisms by injecting malicious protocol responses before TLS negotiation completes. The vulnerability stems from failure to flush the internal read buffer when upgrading from plaintext to encrypted connections, enabling attackers to force weaker authentication (e.g., PLAIN instead of SCRAM-SHA-256) on affected SMTP, IMAP, and POP3 connections. User interaction is required (establishing a mail connection through the client), and exploitation requires network position to intercept and modify STARTTLS exchanges. Vendor-released patch version 4.16.0 addresses the issue.

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

This vulnerability only affects Kirby sites that use the `Xml` data handler (e.g. `Data::encode($string, 'xml')`) or the `Xml::create()`, `Xml::tag()` or `Xml::value()` method(s) in site or plugin code. The Kirby core does not use any of the affected methods. If consumers use an affected method and cannot rule out input to these methods controlled by an attacker, Kirby strongly recommends that they update to a patch release.

XML strings contain structured data in tags and attributes. Depending on the used XML schema, this data can carry specific meaning that can lead to actions in other systems that parse and act on the XML data. Tags and attributes are detected based on their specific syntax, which includes characters such as `<`, `>`, `"`, and `&`. If these characters are to be used verbatim in text within the XML string, they can be escaped using a `<![CDATA[ ]]>` block.

XML injection is an attack on a system generating or parsing XML files. By injecting special characters into input data, XML output with a malicious meaning could be generated by a vulnerable system.

Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, it was possible to trick this check into allowing values that only *contained* a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection.

The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However, they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are *not* affected.

The problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.

Kirby thanks Patrick Falb (@dapatrese) at [FORMER 03](https://former03.de/) for responsibly reporting the identified issue.

Code Injection
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Cypher injection in Flowise GraphCypherQAChain node allows remote unauthenticated attackers to execute arbitrary database commands against connected Neo4j instances. Attackers can exfiltrate, modify, or delete data in the graph database by injecting malicious Cypher queries through user-controlled input fields that bypass sanitization (CWE-943: Improper Neutralization of Special Elements in Data Query Logic). The vulnerability affects both Flowise core and flowise-components packages prior to version 3.1.0. CVSS 9.3 critical severity reflects network-accessible attack vector requiring no authentication or user interaction. EPSS data unavailable; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though GitHub security advisory confirms vendor awareness and patch availability.

Code Injection Nosql Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. The cookie rewriting feature is internally implemented using Envoy's HTTP Lua filter. User-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization. The injected code only executes when processing traffic on the attacker's own route, which they already control. However, since Envoy runs as shared infrastructure, the injected code can also read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance. This vulnerability is fixed in v1.33.4, v1.32.5, and v1.31.6.

RCE Denial Of Service Kubernetes +2
NVD GitHub
EPSS 1% CVSS 9.4
CRITICAL PATCH Act Now

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.

RCE Command Injection Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. This vulnerability is fixed in 3.1.0.

RCE Python Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code execution in FunnelFormsPro WordPress plugin (versions up to 3.8.1) allows authenticated attackers to inject and execute arbitrary code on vulnerable servers. The CVSS 9.9 Critical rating reflects the scope change (S:C) and complete system compromise (C:H/I:H/A:H). Exploitation requires low-privilege authentication (PR:L) but no user interaction, making it exploitable by subscriber-level WordPress accounts. EPSS and KEV status not provided in available data, limiting real-world exploitation confidence assessment.

RCE Code Injection
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in H2O-3 versions 3.46.0.9 and earlier allows unauthenticated attackers to execute arbitrary code via the /99/ImportSQLTable REST API by abusing PostgreSQL JDBC driver parameters that bypass an incomplete MySQL-only parameter blacklist. No active exploitation is recorded in CISA KEV and EPSS is low (0.19%), but a vendor patch is available and SSVC marks exploitation status as POC, indicating proof-of-concept-grade attacker capability against a network-reachable endpoint.

RCE PostgreSQL Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in Froxlor server administration software versions prior to 2.3.6 allows authenticated administrators with change_serversettings permission to inject arbitrary PHP code through an unescaped MySQL server configuration parameter. The vulnerability enables persistent code execution on every subsequent HTTP request as the web server user due to improper input sanitization in PhpHelper::parseArrayToString(). Vendor patch available in version 2.3.6. CVSS score of 9.1 reflects the critical impact despite requiring high-privilege authentication, with scope change indicating the attacker can break out of the application's security context.

PHP RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Remote code execution in Luanti 5.0.0 through 5.15.1 allows authenticated attackers to escape the Lua sandbox via malicious mods, achieving arbitrary code execution and full filesystem access on victim devices when LuaJIT is enabled. The vulnerability affects server-side mods, async/mapgen environments, and client-side mods (CSM), requiring only low privileges to exploit. A vendor patch is available in version 5.15.2, addressing a CWE-94 code injection flaw that enables complete compromise of the host system. No active exploitation or proof-of-concept has been publicly identified at time of analysis.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function.

RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Code injection in Microsoft Kiota versions prior to 1.31.1 allows attackers who control or tamper with OpenAPI descriptions to inject malicious code into generated HTTP client libraries. Exploitation requires developers to generate clients from untrusted or compromised OpenAPI specifications, then compile and execute the poisoned code. The attack chain culminates in arbitrary code execution within the context of applications using the tainted generated clients. CVSS 7.3 with local attack vector and user interaction required suggests lower immediate urgency, though EPSS data is unavailable. No public exploit code or active exploitation confirmed at time of analysis.

RCE Deserialization Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Expression injection in Nuclei's template evaluation engine allows malicious HTTP servers to inject and execute DSL expressions via response data reused in multi-step templates. When the `-env-vars` flag is enabled (off by default), attackers can exfiltrate host environment variables including API keys and credentials; without this flag, injected expressions may trigger helper functions with limited security impact. Nuclei v3.8.0+ patches the vulnerability by collecting expressions from template source before placeholder substitution, preventing response-derived data from being reinterpreted as executable DSL syntax.

RCE Information Disclosure Code Injection
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Template injection combined with AngularJS 1.5.2 sandbox escape primitives in Beghelli Sicuro24 SicuroWeb enables arbitrary JavaScript execution in operator browsers, leading to session hijacking and persistent compromise. Network-adjacent attackers can exploit this via MITM on plaintext HTTP deployments requiring only passive user interaction. Publicly available POC exists (CVE-2026-22191 exploit chain documented by BoffSec Services and kmkz), confirming weaponization risk. CVSS 9.3 reflects adjacent-network access requirement (AV:A), but SSVC indicates total technical impact with POC-confirmed exploitation status.

Code Injection Sicuroweb Sicuro24
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Beghelli SicuroWeb (Sicuro24) lacks Content Security Policy enforcement, permitting unrestricted loading of external JavaScript from attacker-controlled origins. When combined with template injection and sandbox escape flaws in the same application, this missing security header removes browser-enforced protections that would otherwise prevent external script execution, enabling attackers to inject arbitrary remote payloads into operator sessions. Publicly available exploit code exists, and SSVC analysis confirms exploitability is achievable but not automatable, with partial technical impact.

Code Injection Sicuroweb Sicuro24
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

The printenv utility in uutils coreutils versions before 0.6.0 silently omits environment variables containing invalid UTF-8 byte sequences, allowing adversarial environment variables such as malicious LD_PRELOAD values to evade inspection by administrators and security auditing tools. This evasion capability enables library injection and other environment-based attacks to bypass detection, affecting systems that rely on printenv for security auditing or environment validation. The vulnerability requires local access with unprivileged user privileges (PR:L) to exploit and carries a CVSS score of 4.4 with confirmed proof-of-concept availability.

Code Injection
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Incomplete LDAP query escaping in PowerDNS Authoritative with 8bit-dns enabled allows authenticated users to enumerate internal domain subtrees through LDAP injection, leading to information disclosure of sensitive DNS zone data. The vulnerability requires valid authentication, high attack complexity due to LDAP protocol constraints, and has been reported by the vendor security team. No active exploitation data is currently available.

Information Disclosure LDAP Code Injection +1
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Remote attackers can corrupt PowerDNS Authoritative Server configuration via specially crafted DNS NOTIFY requests, causing persistent denial of service requiring manual administrator intervention. The attack adds malformed secondary domains to the bind backend, rendering the configuration invalid and preventing the server from restarting. No active exploitation confirmed at time of analysis, but the network-accessible attack vector and lack of authentication requirements elevate risk for internet-facing authoritative DNS servers.

RCE Code Injection Suse
NVD VulDB

EPSS 0% CVSS 10.0
CRITICAL Act Now
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.

RCE Code Injection
NVD GitHub

EPSS 0% CVSS 4.8
MEDIUM PATCH This Month
Authentication bypass in mitmproxy 12.2.1 and below allows remote attackers to bypass LDAP-based proxy authentication through unsanitized username injection. The vulnerability affects only instances explicitly configured with the proxyauth option using LDAP authentication, which is disabled by default. Attackers can exploit this over the network without authentication or user interaction to gain unauthorized access to proxied connections.

Authentication Bypass LDAP Code Injection +1
NVD GitHub VulDB

EPSS 0% CVSS 5.8
MEDIUM PATCH This Month
{%customer.fullName%} template variable in reply emails, enabling attackers to embed phishing links, tracking pixels, and spoofed content in emails sent from the organization's legitimate address. No public exploit code identified at time of analysis.

Code Injection
NVD GitHub

EPSS 0% CVSS 8.8
HIGH This Week
Authenticated users with restricted HTML/JavaScript editing permissions in Dolibarr ERP & CRM 22.0.4 and earlier can escalate privileges to execute arbitrary PHP code via the Website module. The vulnerability exploits inconsistent permission enforcement across input parameters during website page creation, allowing low-privileged authenticated users to bypass intended restrictions and inject PHP code. Public proof-of-concept exists on GitHub (PhDg1410), though no active exploitation is confirmed by CISA KEV. EPSS data unavailable, but the CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability when exploited by authenticated insiders or compromised accounts.

PHP RCE Code Injection
NVD GitHub VulDB

EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now
Remote code execution in Spinnaker's Echo service (all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2) allows authenticated attackers with low privileges to execute arbitrary system commands and access files through unrestricted Spring Expression Language (SpEL) injection in artifact processing. Unlike Spinnaker's Orca service, which implemented SpEL sandbox restrictions, Echo permits full JVM class access, enabling attackers to invoke arbitrary Java classes for deep system compromise. The CVSS 9.9 score reflects network attack vector with low complexity, scope change to impact other components, and complete CIA triad compromise. EPSS and KEV data not available; exploitation status unknown, but patches are available from the Spinnaker project.

RCE Java Code Injection
NVD GitHub

EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now
Remote code execution in Spinnaker's clouddriver component allows authenticated attackers to execute arbitrary commands on clouddriver pods via gitrepo artifact processing. Affects all versions prior to patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability enables credential theft, file manipulation, and resource injection with minimal complexity (CVSS 9.9, AV:N/AC:L/PR:L). EPSS data not available; no public exploit or active exploitation confirmed at time of analysis, but the attack simplicity and multi-cloud CD platform context create high risk for supply chain compromise in containerized environments.

Code Injection
NVD GitHub

EPSS 0% CVSS 6.5
MEDIUM PATCH This Month
OpenProject versions prior to 17.3.0 allow authenticated users with manage_agendas permission in any single project to inject malicious agenda items into meetings across all other projects on the instance, including projects to which the attacker has no access. The vulnerability requires only valid project membership with limited permissions and no knowledge of target meetings, enabling an attacker to systematically compromise meeting integrity across an entire OpenProject deployment. No public exploit code has been identified, and the vendor has released patched version 17.3.0 addressing this privilege escalation flaw.

Code Injection
NVD GitHub

EPSS 0% CVSS 2.0
LOW POC Monitor
Improper neutralization of directives in dynamically evaluated code in Pagekit CMS up to version 1.0.18 allows high-privileged remote attackers to inject and execute arbitrary PHP code through the StringStorage Template Handler's evaluate function in app/modules/view/src/PhpEngine.php. The vulnerability requires administrator-level access but enables information disclosure, code injection, and potential system compromise. Publicly available exploit code exists; the vendor has not responded to disclosure efforts.

PHP Information Disclosure Code Injection
NVD VulDB

EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now
Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP code through the installation endpoint's subdir parameter, which is written directly into env.php without sanitization. The vulnerability enables complete system compromise as the web server user with no authentication required. Publicly available patch exists (version 1.0.8.1) with detailed fix commit reference.

PHP RCE Code Injection
NVD GitHub VulDB

EPSS 0% CVSS 9.8
CRITICAL Act Now
Remote code execution in SGLang 0.5.9's /v1/rerank endpoint allows unauthenticated attackers to execute arbitrary code by loading specially crafted model files with malicious Jinja2 templates. The vulnerability stems from unsandboxed rendering of tokenizer.chat_template fields, enabling template injection attacks. Publicly available exploit code exists (GitHub POC by Stuub). With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and SSVC ratings of automatable with total technical impact, this represents critical risk for exposed SGLang deployments handling untrusted model files.

RCE Code Injection
NVD GitHub

EPSS 0% CVSS 4.0
MEDIUM PATCH This Month
DSL expression injection in ProjectDiscovery Nuclei before 3.8.0 allows remote code execution when using the -env-vars flag with multi-step templates against untrusted targets. An attacker can inject malicious expressions into environment variables that are evaluated as Nuclei DSL code, achieving arbitrary code execution with the privileges of the Nuclei process. This vulnerability requires non-default configuration (explicit -env-vars usage) and high attack complexity, limiting real-world impact despite the RCE tag.

RCE Code Injection
NVD GitHub VulDB

EPSS 0% CVSS 5.5
MEDIUM POC This Month
Remote code execution in ModelScope AgentScope up to version 1.0.18 allows unauthenticated network attackers to inject and execute arbitrary Python code or shell commands through the execute_python_code and execute_shell_command functions in src/AgentScope/tool/_coding/_python.py. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications, leaving all versions up to 1.0.18 unpatched and actively exploitable.

RCE Code Injection
NVD VulDB GitHub

EPSS 0% CVSS 6.9
MEDIUM This Month
CRLF injection in Silex Technology SD-330AC and AMC Manager allows unauthenticated remote attackers to inject arbitrary configuration entries via crafted input, degrading system integrity and availability. The vulnerability affects all versions of both products and requires no authentication or user interaction, with public disclosure through JPCERT and vendor advisories indicating elevated awareness in production environments.

Code Injection
NVD

EPSS 0% CVSS 2.1
LOW POC Monitor
Code injection in langflow-ai langflow up to version 1.8.3 allows authenticated remote attackers to execute arbitrary code via manipulation of the X-Forwarded-For HTTP header in the Model Context Protocol Configuration API endpoint. The vulnerability affects the get_client_ip function in src/backend/base/langflow/api/v1/mcp_projects.py and has publicly available exploit code; the vendor did not respond to early disclosure notification.

Code Injection
NVD VulDB GitHub

EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now
Code injection vulnerability in protobufjs (JavaScript protobuf library) allows authenticated attackers to execute arbitrary JavaScript code during protobuf object decoding by injecting malicious payloads into 'type' fields of protobuf definitions. Affects all versions before 7.5.5 and 8.0.1. CVSS 9.4 (Critical) reflects chained impact across multiple security boundaries (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H), though exploitation requires authenticated access (PR:L) to inject malicious protobuf definitions. No active exploitation confirmed (not in CISA KEV); vendor-released patches available.

RCE Code Injection Red Hat
NVD GitHub VulDB

EPSS 0% CVSS 8.1
HIGH Act Now
TCP packet injection vulnerability in Anviz CrossChex Standard allows adjacent network attackers to manipulate or disrupt client/server communications without authentication. The application fails to verify the source of TCP packets, enabling attackers on the same network segment to inject malicious traffic and alter application behavior or cause denial of service. CISA ICS-CERT reported this affecting physical access control and time attendance systems. EPSS data not available; no confirmed active exploitation or public exploit code identified at time of analysis.

Code Injection
NVD GitHub VulDB

EPSS 0% CVSS 6.9
MEDIUM PATCH This Month
Improper neutralization of argument delimiters in AWS EFS CSI Driver before v3.0.1 allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount options via comma injection, potentially leading to privilege escalation or unauthorized data access within Kubernetes clusters using EFS storage. The vulnerability requires high privileges (PersistentVolume admin role) but can be exploited remotely over the network with low complexity. Vendor-released patch v3.0.1 is available.

Code Injection Red Hat
NVD GitHub VulDB

EPSS 0% CVSS 8.7
HIGH PATCH This Week
LDAP injection vulnerabilities in PAC4J authentication library allow low-privileged remote attackers to execute arbitrary LDAP queries and directory operations by injecting malicious syntax into ID-based search parameters. Affects PAC4J 4.x before 4.5.10, 5.x before 5.7.10, and 6.x before 6.4.1. CVSS 8.7 (High) with network vector, low complexity, and low privilege requirement. No active exploitation confirmed per CISA KEV; EPSS score 0.22% suggests low near-term exploitation probability. Vendor patches available per pac4j.org advisory. CERT-PL reported vulnerability.

Authentication Bypass LDAP Code Injection
NVD VulDB

EPSS 0% CVSS 6.7
MEDIUM PATCH This Month
Dell PowerProtect Data Domain versions 7.7.1.0-8.7.0.0, LTS2025 8.3.1.0-8.3.1.20, and LTS2024 7.13.1.0-7.13.1.60 are vulnerable to argument injection in command processing, allowing high-privileged local attackers to execute arbitrary commands as root. Exploitation requires administrative-level access and local system presence, limiting real-world exposure to insider threats or post-compromise scenarios. No public exploit code or active exploitation has been identified at the time of analysis.

Code Injection Dell
NVD VulDB

EPSS 0% CVSS 5.3
MEDIUM This Month
Log injection vulnerability in Red Hat Ansible Automation Platform 2 MCP server allows unauthenticated remote attackers to inject control characters and ANSI escape sequences via the `toolsetroute` parameter, enabling log forgery and obscuring legitimate audit trails to facilitate social engineering attacks that trick operators into executing malicious commands or accessing attacker-controlled URLs. CVSS 5.3 (medium) reflects the integrity impact on logs without direct confidentiality or availability impact; exploitation requires no authentication, credentials, or user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Code Injection Red Hat
NVD

EPSS 0% CVSS 9.8
CRITICAL Act Now
Malicious backdoor in Accordion and Accordion Slider plugin version 1.4.6 allows remote unauthenticated attackers complete site compromise. The plugin was sold to a threat actor who systematically embedded backdoors across their entire portfolio of acquired WordPress plugins. This represents confirmed active supply chain compromise affecting WordPress sites running version 1.4.6, enabling persistent unauthorized access and spam injection without authentication.

WordPress Code Injection
NVD

EPSS 0% CVSS 5.6
MEDIUM PATCH This Month
{%- set b = environ.__globals__['__builtins__'] -%} {%- set os = b['__import__']('os') -%} {%- set bio = b['__import__']('builtins') -%} ... or other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine. In a two-step process an adversary could trick or convince a user to download third-party templates which contain harmful code (e.g., to perform data manipulation or establish a remote shell) and then to render those templates unchecked, unreviewed and unverified with `--local`. The issue only affects the local machine and not a remote Home Assistant instance. It also requires user intervention. Version 1.0.0 uses `ImmutableSandboxedEnvironment` and restricts the usage of environment variables. Evaluate Jinja2 templates manually or with tooling before rendering them with `hass-cli`.

RCE Python Code Injection
NVD GitHub
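
The SGLang and hass-cli entries above describe the same failure: attacker-controlled Jinja2 text (a tokenizer `chat_template`, a downloaded template) rendered by a plain `jinja2.Environment`, which resolves dunder attributes and so lets the template walk from any object in the context to the `os` module. The following is an added example, not code from SGLang, hass-cli or Home Assistant; it assumes the `jinja2` package is installed, and `greet()` plus both template strings are constructed here (`greet` stands in for any callable an application puts into the template context). It renders the same payload shape with and without `ImmutableSandboxedEnvironment`, the class the hass-cli entry names as the fix.

```python
"""Server-side template injection in Jinja2: jinja2.Environment vs
ImmutableSandboxedEnvironment.

Added example; not code from SGLang, hass-cli or Home Assistant. Assumes the
jinja2 package is installed. greet() and both template strings are constructed
here; greet stands in for any callable an application places in the context.
"""
import os

import jinja2
from jinja2.sandbox import ImmutableSandboxedEnvironment


def greet(name):
    """Harmless helper exposed to templates (constructed for this example)."""
    return f"Hello {name}"


def current_directory():
    return os.getcwd()


# Attacker-controlled template text: a tokenizer.chat_template in a model file,
# or a third-party template rendered with `hass-cli --local`. It never calls
# greet(); it walks the function object's __globals__ to reach this module's
# imported os module, the same idea as the __builtins__ walk in the hass-cli entry.
MALICIOUS_TEMPLATE = "{{ greet.__globals__['os'].getcwd() }}"
BENIGN_TEMPLATE = "{{ greet(user) }}"


def render_unsandboxed(template_src, **ctx):
    """What an unsandboxed renderer does: any attribute, dunders included, resolves."""
    return jinja2.Environment().from_string(template_src).render(greet=greet, **ctx)


def render_sandboxed(template_src, **ctx):
    """ImmutableSandboxedEnvironment refuses attributes starting with '_' (and
    mutating calls); touching __globals__ raises jinja2.exceptions.SecurityError."""
    return ImmutableSandboxedEnvironment().from_string(template_src).render(greet=greet, **ctx)


def sandbox_blocks(template_src):
    """True if the sandbox refuses to render the template at all."""
    try:
        render_sandboxed(template_src, user="alice")
    except jinja2.exceptions.SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("unsandboxed leaks:", render_unsandboxed(MALICIOUS_TEMPLATE))
    print("sandbox blocks payload:", sandbox_blocks(MALICIOUS_TEMPLATE))
    print("sandbox renders benign:", render_sandboxed(BENIGN_TEMPLATE, user="alice"))
```

The sandbox stops the dunder walk while still rendering the benign template. It is defence in depth rather than a boundary: Jinja2's sandbox has needed fixes of its own over the years, so for model files the stronger control is to treat `chat_template` as code from an untrusted publisher (pin it, review it, or refuse to load a template the serving stack did not ship), and for CLI tooling to review third-party templates before rendering them, as the hass-cli entry advises.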

EPSS 0% CVSS 8.7
HIGH PATCH This Week
CRLF Injection in Openfind MailGates/MailAudit allows remote unauthenticated attackers to read arbitrary system files via HTTP header manipulation. Affects MailGates/MailAudit versions 5.0-6.0 (prior to 5.2.10.099 and 6.1.10.054 respectively). CVSS 8.7 with network vector, low complexity, and no authentication required indicates critical real-world risk. Taiwan CERT advisory published; no CISA KEV listing or public exploit code identified at time of analysis, suggesting early disclosure phase.

Code Injection
NVD VulDB

EPSS 0% CVSS 8.8
HIGH This Week
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage.py makemigrations, which imports Django model modules including attacker-controlled website/models.py at runtime. Any module-level Python code in the attacker's models.py is executed during import, enabling arbitrary code execution in the privileged CI environment with access to GITHUB_TOKEN and repository secrets. The attack is triggerable by any external contributor who can open a pull request, provided a maintainer applies the regenerate-migrations label, potentially leading to secret exfiltration, repository compromise, and supply chain attacks. A patch for this issue is expected to be released in version 2.1.1.

RCE Python Code Injection
NVD GitHub

EPSS 0% CVSS 5.5
MEDIUM PATCH This Month
LDAP injection in Bouncy Castle BC-JAVA bcprov module (versions 1.49 through 1.83) allows remote unauthenticated attackers to manipulate LDAP queries via specially crafted input to LDAPStoreHelper.java, enabling complete compromise of confidentiality, integrity, and availability across security boundaries. This critical vulnerability (CVSS 10.0) affects a widely deployed cryptographic library used throughout the Java ecosystem. No active exploitation confirmed (not in CISA KEV), but the attack r

Java LDAP Code Injection
NVD GitHub VulDB

EPSS 0% CVSS 5.4
MEDIUM This Month
Arbitrary WordPress action execution in Avada (Fusion) Builder plugin versions up to 3.15.1 allows authenticated attackers with Subscriber-level access to invoke unvalidated WordPress action hooks via the Dynamic Data feature, potentially enabling privilege escalation, file inclusion, denial of service, or remote code execution depending on available hooks in the WordPress installation. The vulnerability stems from the `output_action_hook()` function accepting user-controlled input without authorization checks. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress Privilege Escalation RCE +2
NVD VulDB

EPSS 0% CVSS 8.1
HIGH PATCH This Week
The example example_xcom that was included in the Airflow documentation implemented an unsafe pattern of reading a value from XCom in a way that could be exploited to allow a UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since UI users are already highly trusted, this is a Low severity vulnerability. It does not affect Airflow releases: example_dags are not supposed to be enabled in a production environment; however, users following the example could replicate the bad pattern. The documentation of Airflow 3.2.0 contains a version of the example with improved resilience for that case. Users who followed that pattern are advised to adjust their implementations accordingly.

RCE Code Injection
NVD GitHub VulDB

EPSS 0% CVSS 9.8
CRITICAL Act Now
Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.

PHP RCE Code Injection
NVD VulDB

EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now
Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

RCE Java Information Disclosure +7
NVD GitHub

EPSS 0% CVSS 8.1
HIGH PATCH This Week
Kyverno's apiCall service helper automatically injects the controller's ServiceAccount token into HTTP requests when ClusterPolicy or GlobalContextEntry authors omit an Authorization header, enabling token exfiltration to attacker-controlled endpoints via confused deputy vulnerability. Affects deployments where policy YAML repositories are compromised (GitOps threat model) or ClusterPolicy creation is possible. CVSS 8.1 (High) reflects network attack vector with low complexity and low privileges required. No CISA KEV listing or public exploit identified at time of analysis, but GitHub advisory includes working proof-of-concept demonstrating token injection and exfiltration.

Kubernetes Code Injection Canonical
NVD GitHub VulDB

EPSS 0% CVSS 5.3
MEDIUM This Month
CRLF injection in Schneider Electric PowerChute™ Serial Shutdown versions 1.4 and prior allows authenticated Web Admin users to reset application user credentials by manipulating the POST /setPCBEDesc request payload, achieving limited availability impact with CVSS 5.3 and confirmed actively exploited status (CISA KEV).

Code Injection
NVD

EPSS 0% CVSS 6.9
MEDIUM PATCH This Month
Log injection via improper output encoding in Schneider Electric PowerChute™ Serial Shutdown allows unauthenticated remote attackers to forge or inject malicious log entries by sending crafted POST requests to the /j_security_check endpoint, potentially obscuring attack trails or triggering false alerts.

Code Injection
NVD GitHub VulDB

EPSS 0% CVSS 9.0
CRITICAL Act Now
Argument injection in upKeeper Instant Privilege Access through version 1.5.0 enables remote authenticated attackers to hijack privileged execution threads via manipulated command delimiters. The network-accessible attack vector combined with high confidentiality, integrity, and availability impacts across both vulnerable and subsequent systems creates critical risk for privilege escalation scenarios. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though vendor self-disclosure suggests potential for targeted abuse.

Code Injection
NVD VulDB

EPSS 0% CVSS 7.4
HIGH PATCH This Week
HTTP request smuggling in Eclipse Jetty versions 9.4.0-12.1.6 allows remote unauthenticated attackers to inject smuggled requests via malformed chunked transfer encoding. The HTTP/1.1 parser incorrectly terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as a protocol violation, enabling 'funky chunks' smuggling techniques. This affects all major Jetty version branches (9.4.x, 10.0.x, 11.0.x, 12.0.x, and 12.1.x). EPSS data not available, no confirmed active exploitation (CISA KEV negative), but publicly documented attack techniques exist.

Code Injection Request Smuggling
NVD GitHub VulDB HeroDevs

EPSS 0% CVSS 9.1
CRITICAL Act Now
Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Apache Code Injection
NVD

EPSS 0% CVSS 6.5
MEDIUM This Month
Unauthenticated attackers can execute arbitrary WordPress shortcodes in the Germanized for WooCommerce plugin (all versions up to 3.20.5) via the 'account_holder' parameter, which bypasses shortcode validation in the do_shortcode() function. This enables remote code execution with medium severity (CVSS 6.5) affecting any WordPress site with the vulnerable plugin installed. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress RCE Code Injection
NVD

EPSS 0% CVSS 8.4
HIGH PATCH This Week
Arbitrary Python code execution in PraisonAI ≤4.5.138 occurs when malicious tools.py files are automatically imported from the current working directory without validation. Attackers placing a crafted tools.py in shared projects, cloned repositories, or writable workspaces achieve immediate code execution with full process privileges upon PraisonAI startup. EPSS data not available, but the local attack vector (AV:L) requiring no privileges (PR:N) or user interaction (UI:N) enables exploitation through supply chain and workspace poisoning attacks. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the straightforward code injection mechanism.

RCE Python Code Injection
NVD GitHub

EPSS 0% CVSS 2.0
LOW Monitor
SAP Landscape Transformation allows high-privileged remote attackers to inject arbitrary ABAP code and operating system commands through an RFC-exposed function module, resulting in limited integrity impact where attackers cannot control the scope or extent of modifications. The attack requires high privileges, high complexity, and user interaction, reflected in a CVSS 2.0 score; no public exploit code or active exploitation has been identified.

RCE SAP Code Injection
NVD VulDB

EPSS 0% CVSS 6.1
MEDIUM This Month
Cross-site scripting via code injection in SAP NetWeaver Application Server Java Web Dynpro allows unauthenticated remote attackers to inject arbitrary client-side code through crafted input, compromising user sessions and application data integrity when victims interact with the affected functionality. CVSS 6.1 (medium) reflects the requirement for user interaction and limited scope, but exploitation is straightforward with no authentication needed and low attack complexity.

RCE Java SAP +1
NVD VulDB

EPSS 0% CVSS 9.8
CRITICAL Act Now
A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.

RCE Code Injection
NVD

EPSS 0% CVSS 8.2
HIGH PATCH This Week
LDAP injection in maddy mail server versions before 0.9.3 allows remote unauthenticated attackers to extract sensitive directory attributes and spoof user identities. The auth.ldap module fails to escape user-supplied usernames before interpolating them into LDAP search filters and DN strings, despite having the ldap.EscapeFilter() function available. Attackers can exploit this via SMTP AUTH PLAIN or IMAP LOGIN interfaces to perform boolean-based blind injection attacks that extract password hashes, email addresses, group memberships, and other LDAP attributes character-by-character. While CVSS rates this 8.2 (High) for network-accessible unauthenticated exploitation with high confidentiality impact, no active exploitation (KEV) or weaponized POC has been identified at time of analysis. EPSS data not available for this recent CVE.

Path Traversal OpenSSL LDAP +2
NVD GitHub
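
Five entries on this page (PowerDNS Authoritative, mitmproxy, PAC4J, Bouncy Castle, maddy) are the same bug: a username or identifier interpolated into an LDAP search filter without RFC 4515 escaping. The maddy entry spells out what that buys an attacker, a boolean-based blind oracle that extracts attributes the application never displays. The block below is an added example, not code from any of those projects. The directory entries, the toy filter evaluator and the usernames are constructed for this example; `escape_filter_value` implements the actual RFC 4515 rule (`*`, `(`, `)`, `\` and NUL become `\XX`). It shows what the server matches for a wildcard, for a clause injection that tests a password hash prefix, and for the same inputs once escaped.

```python
"""LDAP filter injection: string-built filters vs RFC 4515 escaping.

Added example; not code from maddy, PAC4J, mitmproxy, PowerDNS or Bouncy Castle.
The directory, the toy filter evaluator and the usernames are constructed here;
escape_filter_value is the real RFC 4515 assertion-value rule.
"""
import re

# Constructed directory standing in for the server's view of the tree.
DIRECTORY = [
    {"uid": "alice", "objectClass": "person", "userPassword": "{SSHA}s3cr3t"},
    {"uid": "bob", "objectClass": "person", "userPassword": "{SSHA}hunter2"},
]


def vulnerable_filter(username):
    """Interpolates the raw username: filter metacharacters become filter syntax."""
    return f"(&(objectClass=person)(uid={username}))"


def escape_filter_value(value):
    """RFC 4515: '*', '(', ')', '\\' and NUL are written as backslash + two hex digits."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def safe_filter(username):
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


# --- minimal filter evaluator: (&...), (|...) and (attr=value) with '*' globs ---
def parse_filter(f, i=0):
    """Returns (node, index just after the node)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] != ")":
            kid, i = parse_filter(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    eq = f.index("=", i)
    end = f.index(")", eq)
    return ("=", f[i + 1:eq], f[eq + 1:end]), end + 1


def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _value_matches(pattern, value):
    # an unescaped '*' is a wildcard; an escaped '\2a' is a literal asterisk
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    _, attr, pattern = node
    return attr in entry and _value_matches(pattern, entry[attr])


def search(ldap_filter, directory=DIRECTORY):
    """uids the filter matches; raises ValueError on a malformed filter."""
    node, end = parse_filter(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing characters in filter")
    return [e["uid"] for e in directory if _matches(node, e)]


# The injection shapes behind the entries above, supplied as the 'username':
WILDCARD = "*"                               # matches every account
BLIND_HIT = "alice)(userPassword={SSHA}s*"   # true only if alice's hash starts with 's'
BLIND_MISS = "alice)(userPassword={SSHA}x*"  # the oracle's 'false' branch

if __name__ == "__main__":
    for name in ("alice", WILDCARD, BLIND_HIT, BLIND_MISS):
        print(repr(name), "raw ->", search(vulnerable_filter(name)),
              "| escaped ->", search(safe_filter(name)))
```

Run the blind pair and the oracle is visible: the raw filter returns alice for the right hash prefix and nothing for the wrong one, while the escaped filter returns nothing for either because the parentheses and asterisk are now literal characters in the `uid` value. Note that DN strings use a different escaping rule (RFC 4514), so a module that also builds bind DNs from the username, as the maddy entry describes, needs both escapers, not one.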

EPSS 0% CVSS 8.8
HIGH This Week
The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.

RCE Command Injection Code Injection
NVD GitHub
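
The KubePlus entry is the textbook command-injection shape: `subprocess.Popen(..., shell=True)` with a user-supplied value concatenated into the command string. The Dell, upKeeper and AWS EFS CSI entries are the neighbouring bug, argument injection, which survives the usual "use an argv list" fix because the target program, not the shell, interprets a value that starts with `-` or contains a delimiter. The block below is an added example, not code from any of those projects; the helm-like `template <chart>` command and the chart-name rule are constructed here. It contrasts the vulnerable builder with one that uses an argv list, an allowlist and an end-of-options marker, and the `__main__` demo runs the vulnerable form against `echo` so the injected command is visible but harmless.

```python
"""Command injection through shell=True, and the argument-injection gap that an
argv list alone leaves open.

Added example; not code from KubePlus, Dell, upKeeper or the EFS CSI driver.
The 'template <chart>' command and the chart-name rule are constructed here.
"""
import re
import subprocess


def build_vulnerable(tool, chart_name):
    """The vulnerable shape: one string handed to /bin/sh. Any shell metacharacter
    in chart_name (';', '|', '$(...)', backticks) becomes a second command."""
    return f"{tool} template {chart_name}"


def run_vulnerable(tool, chart_name):
    return subprocess.run(build_vulnerable(tool, chart_name), shell=True,
                          capture_output=True, text=True, check=False)


# Allowlist for a chart name: lowercase DNS-label style, which is what a chart
# name should look like and which excludes every shell and option character.
CHART_NAME_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def build_safe(tool, chart_name):
    """argv list, allowlist, and an end-of-options marker.

    shell=False stops the shell from interpreting anything, but it does not stop
    the target program from treating a value that starts with '-' as a flag
    ('--values=/etc/shadow' is a perfectly valid argv element). That is argument
    injection, which is why the allowlist rejects a leading '-' as well, and why
    '--' is passed before the value (cobra-based CLIs such as helm honour it)."""
    if not CHART_NAME_RE.fullmatch(chart_name):
        raise ValueError(f"rejected chart name {chart_name!r}")
    return [tool, "template", "--", chart_name]


def run_safe(tool, chart_name):
    return subprocess.run(build_safe(tool, chart_name), shell=False,
                          capture_output=True, text=True, check=False)


def is_accepted(chart_name):
    """True when build_safe accepts the name."""
    try:
        build_safe("helm", chart_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # echo stands in for helm: the second output line proves the injected command ran.
    print(run_vulnerable("echo", "nginx; echo INJECTED").stdout, end="")
    print(run_safe("echo", "nginx").stdout, end="")   # "template -- nginx"
    for name in ("nginx; echo INJECTED", "$(id)", "--values=/etc/shadow", "../nginx"):
        print(name, "->", is_accepted(name))
```

The allowlist is the part that generalises: quoting (`shlex.quote`) only defends against the shell, and the argv list only defends against the shell, whereas rejecting everything that is not a well-formed chart name defends against the shell, the target program's option parser and the comma- or space-separated sub-syntaxes that the EFS CSI and Dell entries describe.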

EPSS 0% CVSS 8.8
HIGH This Week
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.

PHP RCE Code Injection +1
NVD GitHub

EPSS 0% CVSS 9.8
CRITICAL Act Now
An issue in the `pickle` protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message.

RCE Code Injection
NVD GitHub
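
The Pyro entry is terse, so here is the mechanism it relies on, as an added example that is not Pyro's code: a pickle stream can name any importable callable and the arguments to call it with, and `pickle.loads` performs that call. `Message`, `Exploit` and `RestrictedUnpickler` below are constructed for this example; the only real API is the standard library's `pickle`, whose `Unpickler.find_class` hook is the supported place to refuse globals.

```python
"""pickle.loads on untrusted bytes is code execution; a find_class allowlist.

Added example, not Pyro's code. Message, Exploit and RestrictedUnpickler are
constructed here; the only real API used is the standard library's pickle.
"""
import io
import pickle


class Message:
    """A legitimate object an RPC layer might serialize."""

    def __init__(self, text):
        self.text = text


class Exploit:
    """Attacker-built object. pickle stores the (callable, args) pair that
    __reduce__ returns, and the receiver calls it inside loads(). A real
    payload puts os.system or subprocess.Popen here; str.upper keeps the
    demonstration harmless while still proving that a callable ran."""

    def __reduce__(self):
        return (str.upper, ("pwned by unpickling",))


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only the globals the application explicitly allows. Every GLOBAL
    or STACK_GLOBAL opcode goes through find_class, so os.system, builtins.eval
    and even builtins.getattr (which pickle uses to reach str.upper) are refused."""

    ALLOWED = {(__name__, "Message")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_roundtrip(obj):
    """What a naive receiver does with a message: pickle.loads without restriction."""
    return pickle.loads(pickle.dumps(obj))


def restricted_roundtrip(obj):
    """Returns the loaded object, or the refusal message when the allowlist blocks it."""
    try:
        return restricted_loads(pickle.dumps(obj))
    except pickle.UnpicklingError as exc:
        return str(exc)


if __name__ == "__main__":
    print(unsafe_roundtrip(Message("hi")).text)       # hi
    print(unsafe_roundtrip(Exploit()))                # PWNED BY UNPICKLING
    print(restricted_roundtrip(Message("hi")).text)   # hi
    print(restricted_roundtrip(Exploit()))            # forbidden global builtins.getattr
```

The allowlist is the right fix when pickle cannot be removed, but the allowed set must stay tiny: any permitted class whose constructor or `__setstate__` has side effects is a gadget. Where the wire format can change, a data-only serializer (JSON, or a schema-bound format) removes the problem instead of guarding it, which is the direction later Pyro releases took by not defaulting to pickle.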

EPSS 0% CVSS 2.1
LOW POC PATCH Monitor
Remote code injection in Dromara warm-flow up to version 1.8.4 allows authenticated attackers to execute arbitrary code through the SpelHelper.parseExpression function via manipulation of listenerPath, skipCondition, or permissionFlag parameters in the Workflow Definition Handler. The vulnerability uses SpEL (Spring Expression Language) injection to achieve code execution with CVSS 6.3 severity. Publicly available exploit code exists and the flaw has been documented in the project's issue tracker.

RCE Code Injection
NVD VulDB

EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month
Code injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated remote attackers to execute arbitrary code via the Tree-of-Thought Solver's generate_thoughts function. Publicly available exploit code exists (GitHub issue #1933), and a vendor-supplied patch is available via pull request #1946. The vulnerability requires no user interaction and has low attack complexity, with confirmed impact to confidentiality, integrity, and availability. CVSS 7.3 (High) reflects moderate impact across all CIA triad elements.

RCE Code Injection
NVD VulDB GitHub

EPSS 0% CVSS 8.8
HIGH PATCH This Week
Remote code execution in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated attackers with administrative privileges to inject and execute arbitrary PHP code via platform configuration settings. The PlatformConfigurationController::decodeSettingArray() method unsafely uses eval() to parse database-stored settings, executing injected code when any user, including unauthenticated visitors, accesses the /platform-config/list endpoint. Exploitation requires low-privilege authentication (PR:L) but delivers full system compromise with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.

PHP RCE Code Injection
NVD GitHub

EPSS 0% CVSS 8.6
HIGH PATCH This Week
Arbitrary code execution in PraisonAI multi-agent system (<4.5.128) via Python sandbox escape. Incomplete AST attribute filtering allows type.__getattribute__ trampoline to bypass restrictions on __subclasses__, __globals__, and __bases__, enabling untrusted agent code to break containment. Attack requires local access and user interaction to execute malicious code. No public exploit identified at time of analysis.

RCE Python Code Injection
NVD GitHub
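
The PraisonAI sandbox-escape entry describes a pattern worth seeing in code: an AST walker that denies a list of dangerous attribute names (`__subclasses__`, `__globals__`, `__bases__`) and then `eval()`s whatever passes. The bypass is that `type.__getattribute__(object, "__subclasses__")` carries the forbidden name as a string constant, not as an `ast.Attribute`, so the walker never sees it. The block below is an added example, not PraisonAI's code; `denylist_allows` imitates the general pattern the entry describes rather than that project's actual filter, and `allowlist_allows` shows the structural alternative (enumerate what is permitted, deny attribute access and dunder strings outright).

```python
"""Why a denylist AST filter for 'safe' Python expressions is not a sandbox.

Added example, not PraisonAI's code. denylist_allows imitates the general
pattern described in the entry (deny listed attribute names, then eval);
the trampoline payload is a standard public technique, not project-specific.
"""
import ast

BLOCKED_ATTRS = {"__subclasses__", "__globals__", "__bases__", "__mro__",
                 "__class__", "__builtins__"}
BLOCKED_NAMES = {"getattr", "eval", "exec", "__import__", "open", "compile"}


def denylist_allows(src):
    """The flawed check: reject only listed attribute names and listed builtins."""
    for node in ast.walk(ast.parse(src, mode="eval")):
        if isinstance(node, ast.Attribute) and node.attr in BLOCKED_ATTRS:
            return False
        if isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            return False
    return True


# Direct form: three blocked attributes, so the denylist catches it.
DIRECT = "().__class__.__mro__[1].__subclasses__()"
# Trampoline: the forbidden name is now a string constant, the only Attribute
# node is __getattribute__ (unlisted), and getattr() is never named.
TRAMPOLINE = "type.__getattribute__(object, '__subclasses__')()"


def run_if_allowed(src):
    """Evaluates src the way a denylist sandbox would, or returns None if refused.
    Even with builtins stripped to type and object, the trampoline reaches
    object.__subclasses__(), the usual first hop to os via a subclass's globals."""
    if not denylist_allows(src):
        return None
    return eval(src, {"__builtins__": {"type": type, "object": object}})


# Hardened alternative: an allowlist of node types and names, no attribute
# access at all, and no dunder inside any string constant.
SAFE_NODES = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Compare, ast.BoolOp,
              ast.Constant, ast.Name, ast.Load, ast.Call, ast.List, ast.Tuple,
              ast.Dict, ast.operator, ast.unaryop, ast.cmpop, ast.boolop)
SAFE_NAMES = {"len", "min", "max", "sum", "abs", "sorted", "range", "str", "int"}


def allowlist_allows(src):
    for node in ast.walk(ast.parse(src, mode="eval")):
        if not isinstance(node, SAFE_NODES):
            return False
        if isinstance(node, ast.Name) and node.id not in SAFE_NAMES:
            return False
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and "__" in node.value:
            return False
    return True


if __name__ == "__main__":
    print("denylist passes trampoline:", denylist_allows(TRAMPOLINE))   # True
    print("subclasses reachable:", type in run_if_allowed(TRAMPOLINE))   # True
    print("allowlist passes trampoline:", allowlist_allows(TRAMPOLINE))  # False
    print("allowlist passes arithmetic:", allowlist_allows("max([1, 2, 3]) + len('abc')"))
```

Even the allowlist version is a guard rail, not a security boundary: `eval` of any expression shares the interpreter with the host, and Python has no in-process isolation to fall back on. Untrusted agent code belongs in a separate process or container with its own privileges, and the AST check is then a usability filter rather than the thing that keeps the host safe.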

EPSS 0% CVSS 7.8
HIGH PATCH This Week
Arbitrary code execution occurs in PraisonAI (all versions prior to 4.5.128) when a malicious tools.py file exists in the working directory. The framework automatically imports and executes this file during startup without validation or user consent, enabling unauthenticated local attackers to execute arbitrary Python code by placing a weaponized tools.py in directories accessed by users or CI/CD pipelines. User interaction is required (running praisonai command). No public exploit identified at time of analysis.

RCE Code Injection
NVD GitHub

EPSS 0% CVSS 5.3
MEDIUM PATCH This Month
OpenClaw versions 2026.2.13 through 2026.3.24 allow unauthenticated remote attackers to inject ANSI escape sequences into approval prompts and permission logs via malicious tool metadata, enabling spoofing of terminal output and manipulation of displayed information. The vulnerability requires user interaction (display of the approval prompt) and results in integrity impact only, with a CVSS score of 4.3. A vendor patch is available.

Code Injection
NVD GitHub

EPSS 0% CVSS 6.9
MEDIUM PATCH This Month
Apache Log4j Core 2.21.0 through 2.25.3 allows remote log injection via CRLF sequences in Rfc5424Layout due to undocumented renaming of security-relevant configuration attributes (newLineEscape and useTlsMessageFormat). Attackers can inject malicious log entries or downgrade TLS-framed syslog to unframed TCP, compromising log integrity for stream-based syslog services. SyslogAppender users are not affected. CVSS 6.9 indicates medium-to-high severity; EPSS and exploitation signals not available at time of analysis.

Apache Code Injection
NVD GitHub VulDB
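
Four entries on this page are log or terminal injection rather than code execution: CRLF forgery of a second audit record (Ansible Automation Platform MCP server, PowerChute, Log4j Rfc5424Layout) and ANSI escape sequences that redraw what an operator sees (OpenClaw). The control is the same on the writer side in every case: neutralise control characters before a value is embedded in a line-oriented record. The block below is an added example, not code from any of those projects; the field values and the sample log are constructed here. It gives the writer-side sanitizer and a reader-side detector that flags records a non-sanitising component already wrote.

```python
"""Log injection: CRLF record forgery and ANSI terminal escapes, with a
writer-side sanitizer and a reader-side detector.

Added example; not code from Ansible Automation Platform, PowerChute, OpenClaw
or Log4j. Field values and the sample log are constructed here.
"""
import re

# CSI sequences (ESC [ params intermediates final) and OSC sequences (ESC ] ... BEL or ESC \)
ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# C0 control characters and DEL, except TAB, which most log pipelines tolerate
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def _escape_control(match):
    ch = match.group()
    return {"\r": "\\r", "\n": "\\n"}.get(ch, "\\x%02x" % ord(ch))


def sanitize_field(value):
    """Strip terminal escape sequences, then make every remaining control
    character visible, so a value can never start a new record or redraw
    the operator's terminal."""
    return CONTROL_RE.sub(_escape_control, ANSI_RE.sub("", value))


def format_entry(ts, user, action):
    """Writer side: every attacker-influenced field passes through sanitize_field."""
    return f"{ts} user={sanitize_field(user)} action={sanitize_field(action)}"


# What an attacker submits as a username to forge a second, convincing record...
FORGED_USER = "eve\r\n2026-01-01T00:00:02Z user=admin action=approve result=ok"
# ...and to clear the approval-prompt line and paint a green APPROVED over it.
ANSI_USER = "eve\x1b[2K\x1b[1;32mAPPROVED\x1b[0m"

# Constructed log written by a component that did NOT sanitize its fields.
SAMPLE_LOG = (
    "2026-01-01T00:00:01Z user=alice action=login result=failed\n"
    "2026-01-01T00:00:03Z user=eve\x1b[2K\x1b[1;32mAPPROVED\x1b[0m action=approve\n"
    "2026-01-01T00:00:04Z user=carol action=logout result=ok\n"
)


def suspicious_lines(log_text):
    """Reader side: 1-based line numbers that still carry raw escape sequences or
    control bytes, i.e. records a compliant writer would have neutralised."""
    return [n for n, line in enumerate(log_text.split("\n"), 1)
            if ANSI_RE.search(line) or CONTROL_RE.search(line)]


if __name__ == "__main__":
    print(format_entry("2026-01-01T00:00:02Z", FORGED_USER, "login"))
    print(format_entry("2026-01-01T00:00:03Z", ANSI_USER, "approve"))
    print("suspicious lines:", suspicious_lines(SAMPLE_LOG))   # [2]
```

The detector only catches the ANSI case after the fact: a CRLF-forged record, once written unescaped, is byte-for-byte indistinguishable from a genuine line, which is why the control has to live in the writer (the layout-level `newLineEscape` attribute the Log4j entry names is that control) or in structured logging that never concatenates fields into a line at all.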
Page 3 of 16

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
1358
