Code Injection

Livestatus command injection in Checkmk prediction graph page allows authenticated users to execute arbitrary Livestatus commands by injecting malicious service name parameters due to insufficient input sanitization. Affected versions include Checkmk 2.3.0 before p47, 2.4.0 before p26, and 2.5.0 before b4. The vulnerability requires valid authentication credentials to exploit and results in limited confidentiality, integrity, and availability impact within the Livestatus subsystem.

Livestatus injection in Checkmk's notification test mode allows authenticated users with high privileges to inject arbitrary Livestatus commands via crafted service descriptions in versions prior to 2.5.0b4 and 2.4.0p26. The vulnerability has a CVSS score of 5.1 with limited confidentiality and integrity impact, requiring high-privilege authentication. No public exploit code or active exploitation has been confirmed at time of analysis.

Livestatus injection in Checkmk's monitoring quicksearch function allows authenticated attackers to inject arbitrary livestatus commands through insufficiently sanitized search query parameters in versions prior to 2.5.0b4. The vulnerability requires valid authentication credentials and enables low-impact information disclosure and limited integrity/availability changes within the monitoring system. No public exploit code or active exploitation has been reported at time of analysis.

Environment variable injection in PraisonAI deploy.py (versions prior to 4.5.128) allows authenticated local attackers to inject arbitrary environment variables into Google Cloud Run services during deployment. The vulnerability stems from improper validation of comma-separated gcloud CLI arguments, enabling attackers to manipulate openai_model, openai_key, or openai_base parameters with embedded commas, causing gcloud to parse injected content as additional KEY=VALUE pairs. This grants high-level access to confidential service configuration and permits unauthorized modifications. No public exploit identified at time of analysis.

Remote code injection in FoundationAgents MetaGPT up to version 0.8.1 allows unauthenticated attackers to execute arbitrary code via improper neutralization of directives in the ActionNode.xml_fill XML handler function. The vulnerability has publicly available exploit code and affects the dynamic code evaluation mechanism in metagpt/actions/action_node.py, enabling attackers to manipulate XML input for code injection with low complexity and no authentication required.

Code injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated remote attackers to execute arbitrary code through the check_solution function in HumanEvalBenchmark and MBPPBenchmark components. The vulnerability requires no user interaction and enables unauthorized access, data modification, and service disruption. Publicly available exploit code exists, disclosed via GitHub issue #1942. Vendor has not responded to early disclosure via pull request #1988 at time of analysis.

LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers to bypass authentication and execute unauthorized LDAP queries. The vulnerability exists in ApacheAuthenticate.php when administrators configure apacheEnv to use user-controlled server variables instead of REMOTE_USER in proxy deployments. Attackers manipulate unsanitized username values to inject special characters into LDAP search filters, potentially gaining unauthorized access to the threat intelligence platform. No public exploit identified at time of analysis.

LDAP filter injection in OPNsense firewall allows unauthenticated attackers to enumerate valid LDAP usernames and bypass group membership restrictions via the WebGUI login page. Affects OPNsense versions prior to 26.1.6. The vulnerability stems from failure to escape user-supplied input before insertion into LDAP search filters, enabling metacharacter injection. Attackers can authenticate as any LDAP user with known credentials, circumventing Extended Query group membership controls. No public exploit identified at time of analysis.

Code injection in JimuReport's Data Source Handler allows authenticated high-privilege users to execute arbitrary code via manipulated dbUrl parameters in the DriverManager.getConnection function (versions up to 2.3.0). The vulnerability requires high-privilege authentication but can be exploited remotely with low attack complexity; publicly available exploit code exists and the vendor has acknowledged the issue with a fix planned for an upcoming release.

Arbitrary PHP code execution in Kiamo customer engagement platform (pre-8.4) allows authenticated administrative users to run commands on the underlying server. The vulnerability exploits a code injection weakness (CWE-94) via network-accessible interfaces with low complexity. No public exploit identified at time of analysis, with EPSS indicating 2% (5th percentile) exploitation probability. Detailed technical write-up published by security researcher at Hackvens confirms exploitability through administrative access.

Remote code execution in OSGeo MapServer versions prior to 8.0 enables unauthenticated attackers to execute arbitrary code through dynamic-link library (DLL) injection via a specially crafted executable. The vulnerability requires no user interaction and has low attack complexity (CVSS 9.1 Critical), though real-world exploitation probability remains low (EPSS 2%, 5th percentile). Publicly available exploit code exists in a researcher's GitHub repository, but no confirmed active exploitation (CISA KEV) has been documented at time of analysis.

Authenticated users can leak IP addresses of other users viewing Code Quality reports in GitLab EE through specially crafted malicious content injection. The vulnerability affects GitLab EE versions 18.0.0 through 18.10.2, requires user interaction (report viewing), and has been patched in versions 18.8.9, 18.9.5, and 18.10.3. No public exploit code or active exploitation has been confirmed; the vulnerability was discovered and reported through the GitLab responsible disclosure program.

Insufficient policy enforcement in History Navigation in Google Chrome prior to version 147.0.7727.55 enables cross-site scripting (UXSS) attacks when users perform specific UI gestures on attacker-controlled pages, allowing injection of arbitrary scripts or HTML with potential impact on user data confidentiality and integrity. The vulnerability affects all Chrome versions before 147.0.7727.55 across all platforms, requires user interaction with specific UI gestures but no authentication, and carries a low Chromium severity rating despite a moderate CVSS score. No public exploit code has been identified at the time of analysis, though the vulnerability was tracked via Chromium issue tracking.

Vim 9.2.0315 and earlier contains a command injection vulnerability in the netbeans interface that allows a malicious netbeans server to execute arbitrary Ex commands via unsanitized strings in defineAnnoType and specialKeys protocol messages. An authenticated local attacker with user-level privileges and ability to interact with a netbeans connection can achieve code execution with the privileges of the Vim process. The vulnerability is fixed in Vim 9.2.0316.

{{self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned")}} to execute rather than render as literal text. Affects PraisonAI pip package. No public exploit identified at time of analysis beyond proof-of-concept in advisory.

Remote code execution in Zammad 7.0.0 allows authenticated administrators with high-level privileges to inject malicious server-side templates through AI Agent configuration parameters, leading to arbitrary code execution on the helpdesk server. Exploitation requires administrative access to control type_enrichment_data settings and user interaction. Vendor-released patch version 7.0.1 is available. EPSS score of 0.04% indicates low exploitation probability in the wild; no public exploit identified at time of analysis.

Remote code execution via command injection in stata-mcp versions before 1.13.0 allows unauthenticated attackers to execute arbitrary commands through insufficiently validated Stata do-file content. The vulnerability stems from CWE-94 improper control of code generation, enabling network-accessible exploitation without user interaction. CVSS 9.8 (Critical) reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, percentile 6%).

Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.

Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical impact. The CVSS:4.0 score of 9.3 reflects network-accessible exploitation requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), enabling complete system compromise. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor Six Apart has released patched version MT 9.0.7 addressing this CWE-94 code injection flaw.

DNS cache poisoning vulnerability in Dual DHCP DNS Server 8.01 allows unauthenticated remote attackers to inject forged DNS responses by exploiting improper source validation. The server accepts UDP responses matched only by transaction ID without verifying originating upstream DNS server, enabling attackers to poison the cache and redirect victims to malicious destinations. No public exploit identified at time of analysis. CVSS 9.1 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

Remote code injection in PowerJob 5.1.0, 5.1.1, and 5.1.2 allows unauthenticated attackers to execute arbitrary code via the GroovyEvaluator.evaluate function in the OpenAPI endpoint /openApi/addWorkflowNode by manipulating the nodeParams argument. The vulnerability exploits unsafe Groovy code evaluation without input sanitization, enabling full remote code execution with a low CVSS complexity score (6.9/10). No public exploit code is confirmed at time of analysis, and the vendor has not yet responded to the early disclosure notification.

Remote code execution in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code through the unsanitized $dbPassword variable during setup wizard initialization, resulting in complete server compromise. This critical flaw (CVSS 10.0) exists as an incomplete fix for CVE-2025-62521 and requires no authentication or user interaction to exploit. The pre-authentication nature and maximum CVSS severity indicate immediate patching priority for all exposed ChurchCRM installations.

Remote code execution in Dolibarr ERP/CRM versions prior to 23.0.2 allows authenticated administrators to execute arbitrary system commands by exploiting inadequate input validation in the dol_eval_standard() function. The vulnerability enables attackers to bypass security controls using PHP dynamic callable syntax through computed extrafields or other evaluation paths. With a CVSS score of 7.2 and publicly available exploit code documented by Jiva Security, this represents an elevated risk for organizations running unpatched Dolibarr instances, though exploitation requires high-privilege administrator access (CVSS:3.1/PR:H), limiting the attack surface to insider threats or compromised admin accounts.

Authenticated remote code execution in Daylight Studio FuelCMS version 1.5.2 allows low-privileged users to execute arbitrary code via the Blocks module. CVSS 8.8 rating indicates network-accessible attack requiring low-complexity exploitation without user interaction, enabling full system compromise (confidentiality, integrity, availability impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

Stored cross-site scripting (XSS) in yaffa v2.0.0 allows unauthenticated remote attackers to inject malicious JavaScript via the 'Add Account Group' function, enabling arbitrary script execution in the browsers of users who view the affected page. The vulnerability requires user interaction (clicking/viewing) to trigger but can compromise account confidentiality and integrity for affected users. EPSS exploitation probability is minimal at 0.02%, indicating low real-world exploitation likelihood despite the moderate CVSS score of 6.1.

Arbitrary code execution in dye color library versions prior to 1.1.1 allows authenticated local users with interactive UI access to execute arbitrary code through malicious template expressions. The vulnerability stems from unsafe evaluation of template syntax and requires local file system access and user interaction. No public exploits have been identified; the vulnerability was discovered and remediated by the author.

Remote code execution in Workbench (forceworkbench) versions prior to 65.0.0 allows network-based attackers to execute arbitrary code by exploiting unsafe processing of attacker-controlled cookie values during timezone conversion operations. The vulnerability requires user interaction (CVSS UI:P) but no authentication (PR:N), enabling compromise of both the vulnerable component and other system components (scope change: SC:H/SI:H). EPSS score of 0.51% (66th percentile) indicates moderate exploitation probability. No active exploitation confirmed in CISA KEV at time of analysis. Vendor-released patch available in version 65.0.0 with public GitHub advisory and fix PR.

CRLF injection in Plunk email platform's SESService.ts allows authenticated API users to inject arbitrary MIME headers by embedding carriage return/line feed sequences in user-controlled fields (from.name, subject, custom headers, attachment filenames). Attackers can silently add Bcc headers for email forwarding, manipulate Reply-To addresses, or spoof senders by exploiting the lack of input sanitization before MIME message construction. CVSS 8.5 severity reflects network-accessible exploitation with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE identifier. Vendor-released patch: version 0.8.0 implements schema-level validation rejecting CR/LF characters.

Remote code execution in GLPI asset management software versions 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary code via template injection. The vulnerability requires high privileges (administrator access) but enables complete system compromise with changed scope, indicating potential breakout from the application context. CVSS 9.1 (Critical). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Fixed in version 11.0.6.

CORS header injection in Keycloak's User-Managed Access token endpoint allows remote attackers to reflect attacker-controlled origin values before JWT signature validation, potentially exposing low-sensitivity authorization error responses when clients are misconfigured with wildcard origin permissions. The vulnerability requires high attack complexity and affects only clients explicitly configured with webOrigins set to "*", resulting in a low-severity information disclosure with limited real-world exploitability.

Remote code injection in gpt-researcher (assafelovic) versions up to 3.4.3 allows unauthenticated attackers to execute arbitrary code via the WebSocket endpoint's extract_command_data function. The vulnerability stems from improper input validation of the 'args' parameter in backend/server/server_utils.py. Publicly available exploit code exists (GitHub issue #1694), though confirmed active exploitation (CISA KEV) has not been reported. With CVSS 7.3 and network-accessible attack vector requiring no authentication, this represents a significant risk to exposed instances, though vendor response remains pending.

Remote code execution in premAI-io premsql up to version 0.2.1 allows authenticated remote attackers to achieve arbitrary code execution through code injection via manipulation of the result argument in the eval function located in premsql/agents/baseline/workers/followup.py. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, leaving affected deployments without an official patch.

Remote code execution in Fosowl agenticSeek 0.1.0 allows unauthenticated attackers to inject arbitrary Python code via the PyInterpreter.execute function in the query endpoint, enabling full system compromise. The vulnerability exploits unsafe code execution in the component responsible for interpreting user-supplied queries. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

Code injection in Provectus kafka-ui up to version 0.7.2 allows unauthenticated remote attackers to execute arbitrary code via the validateAccess function in the /api/smartfilters/testexecutions endpoint. The vulnerability has publicly available exploit code and carries a CVSS 6.9 score reflecting moderate but meaningful real-world risk; the vendor was contacted early but provided no response, suggesting no patch is anticipated.

Code injection in badlogic pi-mono up to version 0.58.4 allows authenticated remote attackers to achieve remote code execution through the discoverAndLoadExtensions function in the extension loader module. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications despite contact attempts. The vulnerability carries moderate CVSS scoring (6.3) but represents a significant risk due to public exploit availability and lack of vendor engagement.

Arbitrary shortcode execution in ProfilePress plugin for WordPress (all versions up to 4.16.11) allows unauthenticated attackers to execute arbitrary shortcodes by injecting malicious code into billing field values during checkout, potentially leading to information disclosure or content manipulation. The vulnerability stems from insufficient sanitization of user-supplied input before shortcode processing. Wordfence has documented this issue with a CVSS score of 6.5 and no confirmed active exploitation at time of analysis.

Server-Side Template Injection in RAGFlow 0.24.0 and earlier allows authenticated users to execute arbitrary OS commands via unsandboxed Jinja2 template rendering in Agent workflow components. The vulnerability affects the Text Processing (StringTransform) and Message components, where user-supplied templates are processed without sandboxing. With a CVSS 8.7 score and low attack complexity (AC:L), authenticated attackers can achieve full system compromise remotely. No public exploit identified at time of analysis, and no vendor-released patch available as of publication date.

Remote code execution in Kedro (all versions prior to 1.3.0) allows unauthenticated network attackers to execute arbitrary system commands during application startup by poisoning the KEDRO_LOGGING_CONFIG environment variable. The vulnerability stems from unsafe use of Python's logging.config.dictConfig() with the special '()' factory key that enables arbitrary callable instantiation. With CVSS 9.8 (critical severity, network-exploitable, no privileges required, low complexity), this represents a

HTTP response header injection in Electron allows remote attackers to inject malicious headers via crafted input reflected in response headers when custom protocol handlers or webRequest.onHeadersReceived are used. An attacker can manipulate cookies, content security policy, or cross-origin access controls in affected applications. This affects Electron 41.x before 41.0.3, 40.x before 40.8.3, 39.x before 39.8.3, and 38.x before 38.8.6; no public exploit code is documented at time of analysis.

Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.

Host header injection in Shynet before 0.14.0 allows unauthenticated remote attackers to manipulate password reset functionality through crafted HTTP Host headers, enabling account hijacking and unauthorized access via email-based password reset flows. The vulnerability requires user interaction (clicking a reset link) and carries a CVSS score of 6.4 with confirmed patch availability in version 0.14.0.

Rack::Sendfile in versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to inject regex metacharacters into X-Accel-Mapping request headers, enabling unescaped interpolation that manipulates the X-Accel-Redirect response header and causes nginx to serve unintended files from internal locations. No public exploit code or active exploitation has been confirmed; patch versions are available from the vendor.

Rack versions 3.2.0 through 3.2.5 fail to properly unfold folded multipart headers containing obs-fold sequences, preserving embedded CRLF characters in parsed parameter values like filename and name. This allows unauthenticated remote attackers with high request complexity to inject HTTP response headers or split responses when applications reuse these parsed values, leading to potential session hijacking, cache poisoning, or credential theft. The vulnerability carries a moderate CVSS score of

SignalK Server versions prior to 2.24.0 allow unauthenticated attackers to hijack OAuth2 sessions and steal authorization codes by spoofing the HTTP Host header in OIDC login and logout handlers. The vulnerability exploits the default-unset redirectUri configuration, causing the OIDC provider to send authorization codes to an attacker-controlled domain. EPSS score of 6.1 reflects moderate real-world risk despite the requirement for user interaction (UI:R) to initiate login.

Remote code execution in Agno prior to version 2.3.24 allows attackers to execute arbitrary Python code by manipulating the field_type parameter in FunctionCall objects, which is passed unsafely to eval(). The vulnerability affects all versions before 2.3.24 and requires network access to influence the field_type value, enabling complete system compromise through code injection in the model execution component.

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to impersonate other users by claiming their PGP signatures through a specially crafted email address, enabling signature forgery and identity spoofing in encrypted email communications. The vulnerability exploits LDAP injection mechanisms to manipulate signature verification, affecting all versions prior to 15.0.3. No CVSS score is available, and exploitation status remains unconfirmed from provided data.

SEPPmail Secure Email Gateway before version 15.0.3 allows remote attackers to read encrypted email contents intended for other users by crafting specially malformed email addresses that exploit LDAP injection in the recipient validation process. This information disclosure vulnerability affects all versions prior to 15.0.3 and requires only network access to send a specially crafted email, making it a practical attack vector against organizations using vulnerable SEPPmail deployments.

Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.

Header injection in AIOHTTP prior to version 3.13.4 allows remote attackers to inject arbitrary HTTP headers or conduct similar exploits by controlling the reason parameter when creating a Response object. The vulnerability has low real-world impact (CVSS 2.7, EPSS not available) and requires the attacker to control application-level input that directly influences the reason parameter; no public exploit code or active exploitation has been identified. A vendor-released patch is available in version 3.13.4.

Header injection in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to inject arbitrary headers by controlling the content_type parameter, potentially enabling HTTP response splitting or cache poisoning attacks. The vulnerability has a low CVSS score (2.7) reflecting limited integrity impact, but affects all versions before the patched release 3.13.4.

Local privilege escalation in libinput allows authenticated users to execute arbitrary code within graphical compositor contexts by placing malicious Lua bytecode in system or user configuration directories. The vulnerability achieves scope change (CVSS:S:C) with high impact across confidentiality, integrity, and availability (8.8 CVSS), enabling attackers to monitor keyboard input including passwords and sensitive data. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed vulnerability.

MetInfo CMS 7.9, 8.0, and 8.1 allows unauthenticated remote code execution through PHP code injection in insufficient input validation mechanisms. Attackers can send crafted requests containing malicious PHP code to execute arbitrary commands and achieve full server compromise without authentication. Publicly available exploit code exists for this vulnerability.

Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbitrary code on the server. Attack requires low-privilege admin panel access (PR:L) with network accessibility (AV:N) and low complexity (AC:L). No public exploit identified at time of analysis, though VulnCheck published technical analysis. This represents a supply-chain or insider-threat risk where compromised admin credentials or malicious insiders could achieve complete server compromise.

Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through template callbacks and variable method calls. The vulnerability stems from a loose prefix matching mechanism that permits bypassing intended access restrictions, enabling attackers with low-privilege accounts to achieve high-severity impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the technical details have been publicly disclosed by VulnCheck, increasing weaponization risk.

XML injection in xmldom's CDATA serialization allows remote attackers to inject arbitrary markup into generated XML documents without authentication. The vulnerability affects both the legacy xmldom package and @xmldom/xmldom when applications embed untrusted input into CDATA sections. Attackers can break out of CDATA context by including the sequence ]]> in user-controlled strings, causing downstream XML consumers to parse injected elements as legitimate markup. Vendor-released patches are avai

Remote code execution in DedeCMS 5.7.118 allows unauthenticated attackers to execute arbitrary code through crafted setup tag values during module upload operations. The vulnerability exploits insufficient input validation in the module upload functionality, enabling direct code injection. No CVSS score, EPSS data, or KEV confirmation is available; however, the presence of a public proof-of-concept demonstrates practical exploitability.

Remote code execution in Lodash <4.18.0 allows unauthenticated attackers to execute arbitrary JavaScript code during template compilation by injecting malicious key names into options.imports parameter. The vulnerability bypasses the CVE-2021-23337 fix by exploiting an unvalidated code path that flows into the same Function() constructor sink. With CVSS 8.1 (High) and EPSS data not provided, this represents a significant supply chain risk for applications using Lodash's template functionality with untrusted input. No public exploit confirmed at time of analysis, though the technical details in the advisory provide a clear exploitation roadmap.

Prompt injection in 1millionbot Millie chatbot allows remote attackers to bypass chat restrictions using Boolean logic techniques, enabling retrieval of prohibited information and execution of unintended tasks including potential abuse of OpenAI API keys. The vulnerability exploits insufficient input validation in the LLM's containment mechanisms, permitting attackers to reformulate queries in ways that trigger affirmative responses ('true') that then execute injected instructions outside the chatbot's intended scope.

Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions.

Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis.

Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.

SQL injection in Tautulli's /api/v2?cmd=get_home_stats endpoint allows authenticated administrators to exfiltrate sensitive data from the SQLite database via boolean-blind SQL inference. Affected versions include 2.14.2-2.16.x for the 'before' and 'after' parameters, and 2.1.0-beta-2.16.x for 'section_id' and 'user_id' parameters. The vulnerability requires possession of the admin API key and results in confidentiality compromise without code execution. Patch is available in version 2.17.0.

Remote code execution in Tautulli (Python-based Plex Media Server monitoring tool) versions prior to 2.17.0 allows authenticated administrators to bypass sandbox restrictions in notification templates via lambda expressions, enabling arbitrary Python code execution. The vulnerability exploits a flaw in the str_eval() sandbox implementation that only inspects outer code object names (co_names) while nested lambda code objects store attribute accesses in co_consts, evading security checks. CVSS 7.5 with high attack complexity and high privilege requirement (PR:H) indicates limited real-world risk scope, with no public exploit identified at time of analysis.

CrewAI fails to validate Docker runtime availability during execution and silently reverts to an insecure sandbox mode, enabling remote code execution. Affected versions prior to the patch rely on Docker for isolation; when Docker becomes unavailable or is misconfigured, the fallback mechanism does not enforce adequate sandboxing constraints, allowing attackers to execute arbitrary commands within the application context. No CVSS score or official CVE details are available at this time, though the vulnerability has been reported to CERT and carries high practical risk due to the automatic unsafe fallback behavior.

Remote code execution in Syntx's command auto-approval module allows unauthenticated attackers to bypass whitelist security via shell command substitution syntax in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(…) and backtick command substitution patterns, enabling an attacker to inject malicious commands within seemingly benign git operations (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS score or KEV status data available; no public exploit code confirmed at time of analysis.

SakaDev's automatic terminal command execution feature can be bypassed via prompt injection attacks, allowing unauthenticated remote attackers to execute arbitrary commands without user approval by wrapping malicious commands in templates that mislead the underlying language model into misclassifying destructive operations as safe. The vulnerability exploits a design flaw in the model-based safety classification mechanism rather than a traditional code defect, affecting the extension across all versions where the 'Execute safe commands' option is enabled.

Remote code execution in Roo Code's command auto-approval module allows unauthenticated attackers to bypass the whitelist security mechanism via shell command substitution in command arguments. The vulnerability exploits inadequate regular expression parsing that fails to detect $(...) and backtick syntax, enabling an attacker to inject malicious commands (e.g., git log --grep="$(malicious_command)") that are automatically approved and executed with full system privileges. No CVSS scoring, KEV status, or official patch information is currently available.

HAI Build Code Generator's automatic command execution feature can be bypassed through prompt injection attacks, allowing unauthenticated remote code execution by misleading the AI model into misclassifying malicious commands as safe. The vulnerability exploits a fundamental design flaw in the model's safety classification logic, where attackers can wrap destructive commands in generic templates to bypass the user approval requirement that should be triggered for potentially dangerous operations.

Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding newline characters in command payloads, forcing automatic approval and sequential execution of arbitrary OS commands via PowerShell without user interaction.

Remote code execution in elecV2P up to version 3.8.3 allows authenticated attackers to inject arbitrary code via manipulation of the rawcode argument in the runJSFile function of the /webhook JSON Parser endpoint. The vulnerability has publicly available exploit code and the vendor has not yet responded to early disclosure notifications, making this an active security concern for deployed instances.

Code injection in Sinaptik AI PandasAI versions up to 3.0.0 allows unauthenticated remote attackers to execute arbitrary code via the CodeExecutor.execute function in the Chat Message Handler component. CVSS 7.3 (High) with network attack vector, low complexity, and no authentication required. Publicly available exploit code exists (POC on GitHub Gist). EPSS data not provided, but the combination of unauthenticated remote execution and public exploit significantly elevates real-world risk. Vendor non-responsive to coordinated disclosure.

CRLF injection in Page Builder: Pagelayer WordPress plugin up to version 2.0.7 allows unauthenticated attackers to inject arbitrary email headers (Bcc, Cc, etc.) through contact form fields. The vulnerability exploits unsafe placeholder substitution in email headers without CR/LF sanitization, enabling email header spoofing and potential abuse of form email delivery systems. No public exploit code or active exploitation has been identified at time of analysis.

Remote attackers can crash Zebra cryptocurrency nodes (versions <4.3.0) by sending malformed V5 transactions that pass initial deserialization but trigger panics during transaction ID calculation. The vulnerability requires no authentication and can be exploited via a single crafted network message to the P2P port (8233) or through the sendrawtransaction RPC method. No public exploit code has been identified at time of analysis, though the attack mechanism is well-documented in the vendor advisory. EPSS data not available for this CVE.

JavaScript code injection in Windmill's NativeTS executor allows workspace administrators to achieve remote code execution by embedding malicious payloads in environment variable values. The vulnerability (CWE-94) stems from improper sanitization of single quotes when interpolating workspace environment variables into JavaScript string literals, enabling arbitrary code execution in all NativeTS scripts within the affected workspace. Windmill versions prior to 1.664.0 are affected. CVSS 7.3 reflects high confidentiality, integrity, and availability impact, though exploitation requires high privileges (workspace admin role). Publicly available exploit code exists, though no confirmed active exploitation (CISA KEV) at time of analysis.

Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to execute arbitrary LLM instructions and system tools via malicious email content. The vulnerability exploits the email channel processing module's lack of input validation, enabling zero-click, indirect prompt injection attacks without bot owner interaction. Publicly available exploit code exists. With CVSS 8.9 (Critical) and network-accessible attack vector requiring no privileges, this represents a severe security risk for deployed nanobot instances monitoring email.

Ruby Language Server (ruby-lsp) allows arbitrary code execution when opening malicious projects. The vulnerability exploits unsanitized interpolation of the rubyLsp.branch workspace setting into a generated Gemfile, enabling attackers to embed malicious Ruby code in .vscode/settings.json that executes when users open and trust the workspace. Affects ruby-lsp gem < 0.26.9 and VS Code extension < 0.10.2. No active exploitation or public POC currently identified at time of analysis, but the attack requires only social engineering to trick developers into opening a crafted repository.

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated network attackers to execute arbitrary server-side commands by exploiting dynamic partial resolution logic. Affected versions include all releases prior to v4.7.9. Attack requires the adversary to control context data passed to templates that use dynamic partial lookups. A proof-of-concept exploit demonstrates arbitrary code execution and is publicly documented. CVSS score of 8.1 reflects high complexity due to the need for specific template patterns and attacker-controlled context values.

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by exploiting the @partial-block mechanism when combined with vulnerable helper functions. The attack overwrites @partial-block with a malicious Handlebars AST that is dynamically compiled and executed during template rendering. A working proof-of-concept exists demonstrating exploitation via the commonly-used handlebars-helpers package. Vendor-released patch is available in Handlebars version 4.7.9.

Remote code execution in Handlebars.js npm package allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by injecting malicious payloads through crafted AST objects passed to Handlebars.compile(). The vulnerability (CWE-94 code injection) affects applications that accept user-controlled JSON and deserialize it as template input. A detailed proof-of-concept exploit demonstrates command execution via process.getBuiltinModule. Vendor patch is available in version 4.7.9 per GitHub advisory GHSA-2w6w-674q-4c4q. CVSS score 9.8 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

Improper neutralization of directives in dynamically evaluated code within letta-ai letta 0.16.4 allows remote attackers without authentication to manipulate the resolve_type function in letta/functions/ast_parsers.py, resulting in code injection and information disclosure. This vulnerability represents an incomplete fix for CVE-2025-6101, and publicly available exploit code exists that demonstrates remote exploitation with low attack complexity.

Code injection in HuggingFace smolagents 1.25.0.dev0 allows remote attackers without authentication to execute arbitrary code through incomplete remediation of CVE-2025-9959 in the local Python executor component. The vulnerability affects the evaluate_augassign, evaluate_call, and evaluate_with functions in src/smolagents/local_python_executor.py, with publicly available exploit code and active public disclosure despite lack of vendor response.

Multiple shell injection and untrusted search path vulnerabilities in Wazuh agent and manager (versions 2.1.0 through 4.7.x) enable remote code execution through malicious configuration parameters. Authenticated attackers with high privileges can inject commands via logcollector configuration files, maild SMTP server tags, and Kaspersky AR script parameters. The CVSS 4.0 score of 7.1 reflects network-accessible attack vector with low complexity but requiring high-privilege credentials; no public exploit identified at time of analysis.

Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.

Open-Xchange Dovecot Pro contains an LDAP filter injection vulnerability in its authentication module that allows remote unauthenticated attackers to inject arbitrary LDAP filters when the auth_username_chars configuration parameter is left empty, potentially enabling authentication bypass and reconnaissance of LDAP directory structures. The vulnerability carries a low CVSS score of 3.7 due to high attack complexity requirements, and no public exploit code has been identified at the time of analysis.

BUFFALO Wi-Fi router products allow remote code execution through a code injection vulnerability requiring user interaction. An unauthenticated attacker (CVSS PR:N) can execute arbitrary code on affected devices with high impact to confidentiality, integrity, and availability (CVSS 8.8). The vulnerability was disclosed through JVN and BUFFALO's official advisory, with no public exploit identified at time of analysis.

Remote code execution is possible in the happy-dom JavaScript DOM implementation (npm package) through injection of malicious JavaScript expressions in ES module export declarations. Attackers can bypass input sanitization by using template literal syntax (backticks) to execute arbitrary system commands when happy-dom processes untrusted HTML content with JavaScript evaluation enabled. The vulnerability affects happy-dom versions prior to 20.8.8, with a publicly available exploit code that demonstrates command execution via Node.js child_process module. CVSS score of 8.8 reflects network-based attack vector requiring user interaction, with complete confidentiality, integrity, and availability impact.

Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.

Remote command execution can be achieved by low-privileged authenticated users (ProjectMember role) in OneUptime monitoring platform versions prior to 10.0.35 by exploiting incomplete sandbox restrictions in Synthetic Monitor Playwright script execution. Attackers can traverse the unblocked _browserType and launchServer properties via page.context().browser()._browserType.launchServer() to spawn arbitrary processes on the Probe container or host. A proof-of-concept exploit exists per SSVC framework data, and the vulnerability carries a CVSS score of 9.9 with Critical severity due to scope change and total technical impact.

HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or commands into HTTP responses, potentially leading to content spoofing or further exploitation depending on application response handling. The vulnerability affects Aftermarket DPC version 1.0.0 and requires user interaction to exploit. No public exploit identified at time of analysis, and exploitation is not currently automatable according to CISA SSVC assessment, resulting in a low real-world risk profile despite the injection vector.

BentoML, a Python framework for ML model serving, contains a command injection vulnerability in the docker.system_packages configuration field of bentofile.yaml files. The vulnerability affects all versions supporting this feature (confirmed in version 1.4.36) and allows attackers to execute arbitrary commands during the Docker image build process (bentoml containerize). This is a high-severity supply chain risk with a CVSS score of 7.8, requiring user interaction to trigger but achieving full command execution as root during container builds.