CWE-94
Allowed-with-ReviewImproper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
8285 vulnerabilities reference this CWE, most recent first.
GHSA-M496-M5FF-4J4P
Vulnerability from github – Published: 2025-12-28 18:30 – Updated: 2025-12-28 18:30A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-15148"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-28T18:15:47Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-m496-m5ff-4j4p",
"modified": "2025-12-28T18:30:27Z",
"published": "2025-12-28T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15148"
},
{
"type": "WEB",
"url": "https://note-hxlab.wetolink.com/share/msJH69Y06ZlS"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.338525"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.338525"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.716303"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M4CH-8PC5-RPX2
Vulnerability from github – Published: 2022-05-17 01:00 – Updated: 2022-05-17 01:00CRLF injection vulnerability in the nsCookieService::SetCookieStringInternal function in netwerk/cookie/nsCookieService.cpp in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, and Thunderbird before 3.1.11, allows remote attackers to bypass intended access restrictions via a string containing a \n (newline) character, which is not properly handled in a JavaScript "document.cookie =" expression, a different vulnerability than CVE-2011-2374.
{
"affected": [],
"aliases": [
"CVE-2011-2605"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-06-30T16:55:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in the nsCookieService::SetCookieStringInternal function in netwerk/cookie/nsCookieService.cpp in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, and Thunderbird before 3.1.11, allows remote attackers to bypass intended access restrictions via a string containing a \\n (newline) character, which is not properly handled in a JavaScript \"document.cookie =\" expression, a different vulnerability than CVE-2011-2374.",
"id": "GHSA-m4ch-8pc5-rpx2",
"modified": "2022-05-17T01:00:59Z",
"published": "2022-05-17T01:00:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2605"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=643051"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14401"
},
{
"type": "WEB",
"url": "http://www.mozilla.org/security/announce/2011/mfsa2011-19.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0885.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0886.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0887.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0888.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M4CJ-H36G-CXJG
Vulnerability from github – Published: 2026-06-22 18:34 – Updated: 2026-07-09 21:31IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.
{
"affected": [],
"aliases": [
"CVE-2026-9072"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T16:16:43Z",
"severity": "HIGH"
},
"details": "IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.",
"id": "GHSA-m4cj-h36g-cxjg",
"modified": "2026-07-09T21:31:13Z",
"published": "2026-06-22T18:34:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9072"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7276560"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7277344"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4J4-RMJ5-W5GP
Vulnerability from github – Published: 2023-07-19 18:30 – Updated: 2025-10-22 00:32{
"affected": [],
"aliases": [
"CVE-2023-3519"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-19T18:15:11Z",
"severity": "CRITICAL"
},
"details": "Unauthenticated remote code execution",
"id": "GHSA-m4j4-rmj5-w5gp",
"modified": "2025-10-22T00:32:44Z",
"published": "2023-07-19T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3519"
},
{
"type": "WEB",
"url": "https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-3519"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173997/Citrix-ADC-NetScaler-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M4W6-Q2PR-QG8F
Vulnerability from github – Published: 2022-05-04 00:28 – Updated: 2022-05-04 00:28Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0019, CVE-2012-0020, CVE-2012-0136, and CVE-2012-0137.
{
"affected": [],
"aliases": [
"CVE-2012-0138"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-02-14T22:55:00Z",
"severity": "HIGH"
},
"details": "Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka \"VSD File Format Memory Corruption Vulnerability,\" a different vulnerability than CVE-2012-0019, CVE-2012-0020, CVE-2012-0136, and CVE-2012-0137.",
"id": "GHSA-m4w6-q2pr-qg8f",
"modified": "2022-05-04T00:28:16Z",
"published": "2022-05-04T00:28:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0138"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-015"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14811"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA12-045A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M4WR-GR33-XXQ5
Vulnerability from github – Published: 2022-05-01 18:44 – Updated: 2022-05-01 18:44Directory traversal vulnerability in includes/block.php in Agares Media phpAutoVideo 2.21 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the selected_provider parameter.
{
"affected": [],
"aliases": [
"CVE-2007-6615"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-01-03T23:46:00Z",
"severity": "MODERATE"
},
"details": "Directory traversal vulnerability in includes/block.php in Agares Media phpAutoVideo 2.21 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the selected_provider parameter.",
"id": "GHSA-m4wr-gr33-xxq5",
"modified": "2022-05-01T18:44:39Z",
"published": "2022-05-01T18:44:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6615"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/4782"
},
{
"type": "WEB",
"url": "http://forums.agaresmedia.com/viewtopic.php?f=13\u0026t=407"
},
{
"type": "WEB",
"url": "http://osvdb.org/39618"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28230"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27023"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/4319"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M537-88R7-P568
Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2025-05-28 21:30An issue in Hospital Management System In PHP V4.0 allows a remote attacker to execute arbitrary code via the hms/doctor/edit-profile.php file
{
"affected": [],
"aliases": [
"CVE-2024-51360"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-23T15:15:23Z",
"severity": "CRITICAL"
},
"details": "An issue in Hospital Management System In PHP V4.0 allows a remote attacker to execute arbitrary code via the hms/doctor/edit-profile.php file",
"id": "GHSA-m537-88r7-p568",
"modified": "2025-05-28T21:30:36Z",
"published": "2025-05-23T15:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51360"
},
{
"type": "WEB",
"url": "https://github.com/Anil0x/CVE/blob/main/Session%20Hijacking.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M549-QQ94-FVHG
Vulnerability from github – Published: 2026-05-21 17:30 – Updated: 2026-06-10 13:41Summary
lmdeploy hardcodes trust_remote_code=True in multiple HuggingFace model-loading call sites.
The affected code paths are in:
lmdeploy/archs.py
lmdeploy/utils.py
````
The vulnerable call sites pass `trust_remote_code=True` into HuggingFace Transformers APIs such as `AutoConfig.from_pretrained()`, `PretrainedConfig.get_config_dict()`, and `GenerationConfig.from_pretrained()`.
Because the model path is supplied by the operator or deployment configuration, an attacker who can control the `model_path` used by an lmdeploy serving process can point it to an attacker-controlled HuggingFace model repository. When lmdeploy starts and initializes the model, Transformers may download and execute remote Python code from that repository.
Successful exploitation results in arbitrary code execution with the privileges of the lmdeploy serving process.
## Affected version
Confirmed affected:
```text
lmdeploy <= 0.12.3
The issue was verified on v0.12.3 and on main.
Vulnerable code
Confirmed call sites:
lmdeploy/archs.py:154
AutoConfig.from_pretrained(..., trust_remote_code=True)
lmdeploy/archs.py:157
PretrainedConfig.get_config_dict(..., trust_remote_code=True)
lmdeploy/utils.py:225
GenerationConfig.from_pretrained(..., trust_remote_code=True)
The vulnerable pattern is:
AutoConfig.from_pretrained(model_path, trust_remote_code=True)
and:
GenerationConfig.from_pretrained(path, trust_remote_code=True)
The risk is that trust_remote_code=True is enabled unconditionally. Users are not required to explicitly opt in through a CLI flag or configuration option.
Attack scenario
- An attacker obtains the ability to control or modify the model path used by an lmdeploy deployment. Examples include deployment configuration access, CI/CD configuration access, Kubernetes or container configuration access, or a managed environment where users can submit model IDs for serving.
- The attacker sets the model path to an attacker-controlled HuggingFace repository, for example:
attacker-org/malicious-model
- The lmdeploy serving process starts with that model path:
lmdeploy serve api_server attacker-org/malicious-model
- During model initialization, lmdeploy calls HuggingFace Transformers APIs with
trust_remote_code=True. - Transformers loads and executes remote Python code from the attacker-controlled model repository.
- The payload runs with the privileges of the lmdeploy serving process.
Why this is security-sensitive
trust_remote_code=True is a dangerous HuggingFace option because it allows model repositories to execute custom Python code during model loading.
In lmdeploy, this option is hardcoded at multiple call sites. This removes the explicit trust decision from the user or deployment operator. A safer design would require an explicit CLI flag or configuration option such as --trust-remote-code.
lmdeploy is commonly used as a model serving daemon. The serving process may have access to model weights, GPU resources, API credentials, cloud credentials, request data, and internal network resources.
Proof of concept
The following PoC demonstrates the vulnerable primitive in a local, non-destructive way. It simulates lmdeploy calling a HuggingFace model-loading path with trust_remote_code=True and shows that remote model code would execute during initialization.
#!/usr/bin/env python3
from __future__ import annotations
import argparse
import importlib.util
import os
import sys
import tempfile
from pathlib import Path
MARKER = Path("/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF")
MALICIOUS_MODEL = "attacker-org/malicious-model"
def simulate_lmdeploy_model_load(model_path: str) -> None:
"""
Simulates lmdeploy model initialization where trust_remote_code=True is hardcoded.
Real vulnerable pattern:
AutoConfig.from_pretrained(model_path, trust_remote_code=True)
GenerationConfig.from_pretrained(path, trust_remote_code=True)
When trust_remote_code=True, a malicious HuggingFace model repository can
execute custom Python code during loading.
"""
fake_model_dir = Path(tempfile.mkdtemp(prefix="fake_lmdeploy_model_"))
module_name = model_path.split("/")[-1].replace("-", "_")
modeling_file = fake_model_dir / f"modeling_{module_name}.py"
payload = f'''
import os
from pathlib import Path
Path("{MARKER}").write_text(
"lmdeploy trust_remote_code execution confirmed\\n"
f"model_path={model_path!r}\\n"
f"pid={{os.getpid()}} euid={{os.geteuid()}}\\n"
)
'''
modeling_file.write_text(payload)
spec = importlib.util.spec_from_file_location(f"modeling_{module_name}", modeling_file)
assert spec is not None and spec.loader is not None
mod = importlib.util.module_from_spec(spec)
spec.loader.exec_module(mod)
def main() -> int:
parser = argparse.ArgumentParser()
parser.add_argument("--model-id", default=MALICIOUS_MODEL)
args = parser.parse_args()
if MARKER.exists():
MARKER.unlink()
print(f"[*] Simulating lmdeploy loading model: {args.model_id}")
print("[*] trust_remote_code=True is hardcoded in lmdeploy model-loading paths")
simulate_lmdeploy_model_load(args.model_id)
if MARKER.exists():
print("[+] Code execution confirmed")
print(MARKER.read_text())
return 0
print("[-] Marker file was not created", file=sys.stderr)
return 1
if __name__ == "__main__":
raise SystemExit(main())
Expected result:
[+] Code execution confirmed
The marker file is written to:
/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF
Impact
An attacker who can control the model path used by an lmdeploy deployment can execute arbitrary Python code during model initialization.
The attacker may be able to:
- Read files accessible to the lmdeploy process.
- Access environment variables, model provider credentials, HuggingFace tokens, cloud credentials, and API keys.
- Modify model-serving behavior or tamper with responses.
- Execute arbitrary operating-system commands.
- Access request data or internal service credentials available to the serving process.
- Cause denial of service by crashing or destabilizing the serving daemon.
- Pivot to internal services reachable from the lmdeploy host or container.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "lmdeploy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46432"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T17:30:57Z",
"nvd_published_at": "2026-06-10T00:16:53Z",
"severity": "HIGH"
},
"details": "## Summary\n\nlmdeploy hardcodes `trust_remote_code=True` in multiple HuggingFace model-loading call sites.\n\nThe affected code paths are in:\n\n```text\nlmdeploy/archs.py\nlmdeploy/utils.py\n````\n\nThe vulnerable call sites pass `trust_remote_code=True` into HuggingFace Transformers APIs such as `AutoConfig.from_pretrained()`, `PretrainedConfig.get_config_dict()`, and `GenerationConfig.from_pretrained()`.\n\nBecause the model path is supplied by the operator or deployment configuration, an attacker who can control the `model_path` used by an lmdeploy serving process can point it to an attacker-controlled HuggingFace model repository. When lmdeploy starts and initializes the model, Transformers may download and execute remote Python code from that repository.\n\nSuccessful exploitation results in arbitrary code execution with the privileges of the lmdeploy serving process.\n\n## Affected version\n\nConfirmed affected:\n\n```text\nlmdeploy \u003c= 0.12.3\n```\n\nThe issue was verified on `v0.12.3` and on `main`.\n\n## Vulnerable code\n\nConfirmed call sites:\n\n```text\nlmdeploy/archs.py:154\nAutoConfig.from_pretrained(..., trust_remote_code=True)\n\nlmdeploy/archs.py:157\nPretrainedConfig.get_config_dict(..., trust_remote_code=True)\n\nlmdeploy/utils.py:225\nGenerationConfig.from_pretrained(..., trust_remote_code=True)\n```\n\nThe vulnerable pattern is:\n\n```python\nAutoConfig.from_pretrained(model_path, trust_remote_code=True)\n```\n\nand:\n\n```python\nGenerationConfig.from_pretrained(path, trust_remote_code=True)\n```\n\nThe risk is that `trust_remote_code=True` is enabled unconditionally. Users are not required to explicitly opt in through a CLI flag or configuration option.\n\n## Attack scenario\n\n1. An attacker obtains the ability to control or modify the model path used by an lmdeploy deployment. Examples include deployment configuration access, CI/CD configuration access, Kubernetes or container configuration access, or a managed environment where users can submit model IDs for serving.\n2. The attacker sets the model path to an attacker-controlled HuggingFace repository, for example:\n\n```text\nattacker-org/malicious-model\n```\n\n3. The lmdeploy serving process starts with that model path:\n\n```bash\nlmdeploy serve api_server attacker-org/malicious-model\n```\n\n4. During model initialization, lmdeploy calls HuggingFace Transformers APIs with `trust_remote_code=True`.\n5. Transformers loads and executes remote Python code from the attacker-controlled model repository.\n6. The payload runs with the privileges of the lmdeploy serving process.\n\n## Why this is security-sensitive\n\n`trust_remote_code=True` is a dangerous HuggingFace option because it allows model repositories to execute custom Python code during model loading.\n\nIn lmdeploy, this option is hardcoded at multiple call sites. This removes the explicit trust decision from the user or deployment operator. A safer design would require an explicit CLI flag or configuration option such as `--trust-remote-code`.\n\nlmdeploy is commonly used as a model serving daemon. The serving process may have access to model weights, GPU resources, API credentials, cloud credentials, request data, and internal network resources.\n\n## Proof of concept\n\nThe following PoC demonstrates the vulnerable primitive in a local, non-destructive way. It simulates lmdeploy calling a HuggingFace model-loading path with `trust_remote_code=True` and shows that remote model code would execute during initialization.\n\n```python\n#!/usr/bin/env python3\nfrom __future__ import annotations\n\nimport argparse\nimport importlib.util\nimport os\nimport sys\nimport tempfile\nfrom pathlib import Path\n\nMARKER = Path(\"/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF\")\nMALICIOUS_MODEL = \"attacker-org/malicious-model\"\n\n\ndef simulate_lmdeploy_model_load(model_path: str) -\u003e None:\n \"\"\"\n Simulates lmdeploy model initialization where trust_remote_code=True is hardcoded.\n\n Real vulnerable pattern:\n AutoConfig.from_pretrained(model_path, trust_remote_code=True)\n GenerationConfig.from_pretrained(path, trust_remote_code=True)\n\n When trust_remote_code=True, a malicious HuggingFace model repository can\n execute custom Python code during loading.\n \"\"\"\n\n fake_model_dir = Path(tempfile.mkdtemp(prefix=\"fake_lmdeploy_model_\"))\n module_name = model_path.split(\"/\")[-1].replace(\"-\", \"_\")\n modeling_file = fake_model_dir / f\"modeling_{module_name}.py\"\n\n payload = f\u0027\u0027\u0027\nimport os\nfrom pathlib import Path\n\nPath(\"{MARKER}\").write_text(\n \"lmdeploy trust_remote_code execution confirmed\\\\n\"\n f\"model_path={model_path!r}\\\\n\"\n f\"pid={{os.getpid()}} euid={{os.geteuid()}}\\\\n\"\n)\n\u0027\u0027\u0027\n modeling_file.write_text(payload)\n\n spec = importlib.util.spec_from_file_location(f\"modeling_{module_name}\", modeling_file)\n assert spec is not None and spec.loader is not None\n\n mod = importlib.util.module_from_spec(spec)\n spec.loader.exec_module(mod)\n\n\ndef main() -\u003e int:\n parser = argparse.ArgumentParser()\n parser.add_argument(\"--model-id\", default=MALICIOUS_MODEL)\n args = parser.parse_args()\n\n if MARKER.exists():\n MARKER.unlink()\n\n print(f\"[*] Simulating lmdeploy loading model: {args.model_id}\")\n print(\"[*] trust_remote_code=True is hardcoded in lmdeploy model-loading paths\")\n\n simulate_lmdeploy_model_load(args.model_id)\n\n if MARKER.exists():\n print(\"[+] Code execution confirmed\")\n print(MARKER.read_text())\n return 0\n\n print(\"[-] Marker file was not created\", file=sys.stderr)\n return 1\n\n\nif __name__ == \"__main__\":\n raise SystemExit(main())\n```\n\nExpected result:\n\n```text\n[+] Code execution confirmed\n```\n\nThe marker file is written to:\n\n```text\n/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF\n```\n\n## Impact\n\nAn attacker who can control the model path used by an lmdeploy deployment can execute arbitrary Python code during model initialization.\n\nThe attacker may be able to:\n\n* Read files accessible to the lmdeploy process.\n* Access environment variables, model provider credentials, HuggingFace tokens, cloud credentials, and API keys.\n* Modify model-serving behavior or tamper with responses.\n* Execute arbitrary operating-system commands.\n* Access request data or internal service credentials available to the serving process.\n* Cause denial of service by crashing or destabilizing the serving daemon.\n* Pivot to internal services reachable from the lmdeploy host or container.",
"id": "GHSA-m549-qq94-fvhg",
"modified": "2026-06-10T13:41:08Z",
"published": "2026-05-21T17:30:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-m549-qq94-fvhg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46432"
},
{
"type": "WEB",
"url": "https://github.com/InternLM/lmdeploy/pull/4511"
},
{
"type": "PACKAGE",
"url": "https://github.com/InternLM/lmdeploy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization"
}
GHSA-M54R-7MCJ-FGFV
Vulnerability from github – Published: 2022-05-01 07:09 – Updated: 2022-05-01 07:09Unspecified vulnerability in Pragmatic General Multicast (PGM) in Microsoft Windows XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted multicast message.
{
"affected": [],
"aliases": [
"CVE-2006-3442"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-09-12T23:07:00Z",
"severity": "HIGH"
},
"details": "Unspecified vulnerability in Pragmatic General Multicast (PGM) in Microsoft Windows XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted multicast message.",
"id": "GHSA-m54r-7mcj-fgfv",
"modified": "2022-05-01T07:09:13Z",
"published": "2022-05-01T07:09:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-3442"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-052"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/28643"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A457"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/21851"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1016827"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/455516"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/446630/100/100/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/19922"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA06-255A.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2006/3563"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M5CV-8G77-RVQ4
Vulnerability from github – Published: 2025-03-29 09:30 – Updated: 2025-03-29 09:30The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
{
"affected": [],
"aliases": [
"CVE-2025-2803"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-29T07:15:18Z",
"severity": "HIGH"
},
"details": "The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.",
"id": "GHSA-m5cv-8g77-rvq4",
"modified": "2025-03-29T09:30:32Z",
"published": "2025-03-29T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2803"
},
{
"type": "WEB",
"url": "https://plugins.svn.wordpress.org/so-called-air-quotes/trunk/airquote.php"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/so-called-air-quotes/#developers"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83f2ceee-4422-4ed5-adc7-91bc022ae42d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Refactoring
Refactor your program so that you do not have to dynamically generate code.
Mitigation
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Mitigation MIT-32
Strategy: Compilation or Build Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation MIT-32
Strategy: Environment Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.