Total: 5795 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-0863 | 1 N8n | 1 N8n | 2026-02-10 | N/A | 8.5 HIGH | Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code on the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode. If the instance is operating under the "External" execution mode (e.g. n8n's official Docker imag ... |
| CVE-2025-61732 | 1 Golang | 1 Go | 2026-02-10 | N/A | 8.6 HIGH | A discrepancy between how Go and C/C++ comments were parsed allowed code smuggling into the resulting cgo binary. |
| CVE-2026-2149 | 1 Pamzey | 1 Patients Waiting Area Queue Management System | 2026-02-10 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patient_id results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. |
| CVE-2026-2150 | 1 Pamzey | 1 Patients Waiting Area Queue Management System | 2026-02-10 | 5.0 MEDIUM | 4.3 MEDIUM | A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /checkin.php. This manipulation of the argument patient_id causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used. |
| CVE-2026-2154 | 1 Pamzey | 1 Patients Waiting Area Queue Management System | 2026-02-10 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was identified in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Impacted is an unknown function of the file /registration.php of the component Patient Registration Module. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. |
| CVE-2026-2159 | 1 Oretnom23 | 1 Simple Responsive Tourism Website | 2026-02-10 | 5.0 MEDIUM | 4.3 MEDIUM | A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected is an unknown function of the file /tourism/classes/Master.php?f=register of the component Registration. Executing a manipulation of the argument firstname/lastname/username can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. |
| CVE-2026-2160 | 1 Oretnom23 | 1 Simple Responsive Tourism Website | 2026-02-10 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Master.php?f=save_package. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2026-2222 | 1 Fabian | 1 Online Reviewer System | 2026-02-10 | 3.3 LOW | 2.4 LOW | A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. Executing a manipulation of the argument firstname can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. |
| CVE-2026-2224 | 1 Fabian | 1 Online Reviewer System | 2026-02-10 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn_functions.php. The manipulation of the argument firstname results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. |
| CVE-2026-2156 | 1 Fabian | 1 Online Student Management System | 2026-02-10 | 3.3 LOW | 2.4 LOW | A weakness has been identified in code-projects Online Student Management System 1.0. The impacted element is an unknown function of the file /admin/announcement/index.php?view=add of the component Announcement Management Module. This manipulation causes cross site scripting. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks. |
| CVE-2020-37137 | 1 Php-fusion | 1 Phpfusion | 2026-02-09 | N/A | 6.1 MEDIUM | PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() call on unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code. |
| CVE-2026-23523 | 1 Openagentplatform | 1 Dive | 2026-02-09 | N/A | 9.6 CRITICAL | Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim's machine. This vulnerability is fixed in 0.13.0. |
| CVE-2025-57283 | 1 Browserstack | 1 Browserstack-local | 2026-02-09 | N/A | 7.8 HIGH | The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. |
| CVE-2026-24897 | 1 Erugo | 1 Erugo | 2026-02-09 | N/A | 10.0 CRITICAL | Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user-supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Er ... |
| CVE-2026-24887 | 1 Anthropic | 1 Claude Code | 2026-02-06 | N/A | 8.8 HIGH | Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.72. |
| CVE-2026-1151 | 1 Technical-laohu | 1 Mpay | 2026-02-06 | 3.3 LOW | 2.4 LOW | A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. This manipulation of the argument Nickname causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. |
| CVE-2026-1977 | | | 2026-02-06 | 6.5 MEDIUM | 6.3 MEDIUM | A security vulnerability has been detected in isaacwasserman mcp-vegalite-server up to 16aefed598b8cd897b78e99b907f6e2984572c61. Affected by this vulnerability is the function eval of the component visualize_data. Such manipulation of the argument vegalite_specification leads to code injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information f ... |
| CVE-2026-22771 | 1 Envoyproxy | 1 Gateway | 2026-02-05 | N/A | 8.8 HIGH | Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in ... |
| CVE-2026-1134 | 1 Angeljudesuarez | 1 Society Management System | 2026-02-05 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The manipulation of the argument detail leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. |
| CVE-2025-41717 | | | 2026-02-05 | N/A | 8.8 HIGH | An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection'). |
| CVE-2026-1135 | 1 Angeljudesuarez | 1 Society Management System | 2026-02-04 | 5.0 MEDIUM | 4.3 MEDIUM | A security flaw has been discovered in itsourcecode Society Management System 1.0. This impacts an unknown function of the file /admin/activity.php. The manipulation of the argument Title results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. |
| CVE-2025-60785 | 1 Kagilum | 1 Icescrum | 2026-02-04 | N/A | 8.8 HIGH | A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. |
| CVE-2025-10875 | 1 Salesforce | 1 Mulesoft Anypoint Code Builder | 2026-02-04 | N/A | 6.5 MEDIUM | Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Code Injection. This issue affects Mulesoft Anypoint Code Builder: before 1.11.6. |
| CVE-2025-64318 | 1 Salesforce | 1 Mulesoft Anypoint Code Builder | 2026-02-04 | N/A | 5.3 MEDIUM | Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files. This issue affects Mulesoft Anypoint Code Builder: before 1.12.1. |
| CVE-2025-64320 | 1 Salesforce | 1 Agentforce Vibes | 2026-02-04 | N/A | 6.5 MEDIUM | Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection. This issue affects Agentforce Vibes Extension: before 3.2.0. |
| CVE-2025-64321 | 1 Salesforce | 1 Agentforce Vibes | 2026-02-04 | N/A | 5.3 MEDIUM | Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files. This issue affects Agentforce Vibes Extension: before 3.3.0. |
| CVE-2026-1705 | | | 2026-02-04 | 3.3 LOW | 2.4 LOW | A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. |
| CVE-2025-62348 | | | 2026-02-04 | N/A | 7.8 HIGH | Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution in the context of the Salt process. |
| CVE-2025-24293 | | | 2026-02-04 | N/A | N/A | Active Storage allowed transformation methods potentially unsafe. Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods that allow for the circumvention of the safe defaults, which enables potential command injection vulnerabilities in cases where arbitrary user-supplied input is accepted as valid transformation methods or parameters. Impact: This vulnerability imp ... |
| CVE-2026-24149 | | | 2026-02-04 | N/A | 7.8 HIGH | NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. |
| CVE-2025-10370 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2026-02-03 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was identified in MiczFlor RPi-Jukebox-RFID up to 2.8.0. This vulnerability affects unknown code of the file /htdocs/userScripts.php. The manipulation of the argument Custom script leads to cross site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2026-1245 | 1 Keichi | 1 Binary-parser | 2026-02-03 | N/A | 6.5 MEDIUM | A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process. |
| CVE-2026-22708 | 1 Anysphere | 1 Cursor | 2026-02-03 | N/A | 9.8 CRITICAL | Cursor is a code editor built for programming with AI. Prior to 2.3, when the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker, via indirect or direct prompt injection, to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3. |
| CVE-2020-37052 | | | 2026-02-03 | N/A | 9.8 CRITICAL | AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application's system privileges. |
| CVE-2025-69517 | | | 2026-02-02 | N/A | 8.8 HIGH | An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agent_id parameter accepts up to 255 characters and is improperly sanitized using DOMPurify.sanitize() with the html: true option enabled, which fails to adequately filter HTML input. The injected HTML is rendered in the Tactical RMM management panel when an administrator attemp ... |
| CVE-2025-69564 | 1 Fabian | 1 Mobile Shop Management System | 2026-02-02 | N/A | 9.8 CRITICAL | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters. |
| CVE-2022-50806 | 1 4homepages | 1 4images | 2026-02-02 | N/A | 7.2 HIGH | 4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through the template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter. |
| CVE-2018-17207 | 1 Awesomemotive | 1 Duplicator | 2026-02-02 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution. |
| CVE-2026-24747 | 1 Linuxfoundation | 1 Pytorch | 2026-01-30 | N/A | 8.8 HIGH | PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue. |
| CVE-2024-42756 | 1 Netgear | 2 Dgn1000ww, Dgn1000ww Firmware | 2026-01-30 | N/A | 8.8 HIGH | An issue in Netgear DGN1000WW v.1.1.00.45 allows a remote attacker to execute arbitrary code via the Diagnostics page. |