Common Weakness Enumeration

CWE-95

Allowed

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

261 vulnerabilities reference this CWE, most recent first.

GHSA-J39P-JF99-V5W8

Vulnerability from github – Published: 2026-06-05 18:31 – Updated: 2026-06-05 18:31
VLAI
Details

Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T18:17:34Z",
    "severity": "HIGH"
  },
  "details": "Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a \u003cscript type=\"WaveDrom\"\u003e element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.",
  "id": "GHSA-j39p-jf99-v5w8",
  "modified": "2026-06-05T18:31:41Z",
  "published": "2026-06-05T18:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50733"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shd101wyy/vscode-markdown-preview-enhanced/issues/2315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/markdown-preview-enhanced-arbitrary-code-execution-via-wavedrom-eval"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J3RV-W43Q-F9X2

Vulnerability from github – Published: 2022-08-18 19:15 – Updated: 2022-08-18 19:15
VLAI
Summary
React Editable Json Tree vulnerable to arbitrary code execution via function parsing
Details

Impact

Our library allows strings to be parsed as functions and stored as a specialized component, JsonFunctionValue. To do this, Javascript's eval function was used to execute strings that begin with "function" as Javascript. This was an oversight that unfortunately allows arbitrary code to be executed if it exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous.

One important note is that users who have defined a custom onSubmitValueParser callback prop on the JsonTree component should be unaffected. This vulnerability exists in the default onSubmitValueParser prop which calls parse.

Patches

We have decided on a two-pronged approach to patching this vulnerability:

  1. Create a patch update that adds a workaround which is not enabled by default to preserve backwards-compatibility
  2. On the next major update, we will enable this workaround by default

The workaround we have decided on is adding a prop to JsonTree called allowFunctionEvaluation. This prop will be set to true in v2.2.2, so you can upgrade without fear of losing backwards-compatibility.

We have also implemented additional security measures as we know many people may not read the details of this vulnerability, and we want to do the best we can to keep you protected. In v2.2.2, we switched from using eval to using Function to construct anonymous functions. This is better than eval for the following reasons:

  • Arbitrary code should not be able to execute immediately, since the Function constructor explicitly only creates anonymous functions
  • Functions are created without local closures, so they only have access to the global scope

This change has brought a slight potential for breaking backwards-compatibility if users for some reason were relying on side-effects of our usage of eval, but that is beyond intended behavior, so we have decided to go ahead with this change and consider it a non-breaking change.

Workarounds

As mentioned above, there are a few scenarios you must consider:

If you use: - Version <2.2.2, you must upgrade as soon as possible. - Version ^2.2.2, you must explicitly set JsonTree's allowFunctionEvaluation prop to false to fully mitigate this vulnerability. - Version >=3.0.0, allowFunctionEvaluation is already set to false by default, so no further steps are necessary.

References

None.

For more information

If you have any questions or comments about this advisory: * Open an issue in the GitHub repo

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-editable-json-tree"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-18T19:15:28Z",
    "nvd_published_at": "2022-08-15T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nOur library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, Javascript\u0027s [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function was used to execute strings that begin with \"function\" as Javascript. This was an oversight that unfortunately allows arbitrary code to be executed if it exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous.\n\nOne important note is that users who have defined a custom [`onSubmitValueParser`](https://github.com/oxyno-zeta/react-editable-json-tree/tree/09a0ca97835b0834ad054563e2fddc6f22bc5d8c#onsubmitvalueparser) callback prop on the [`JsonTree`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/JsonTree.js) component should be ***unaffected***. This vulnerability exists in the default `onSubmitValueParser` prop which calls [`parse`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/master/src/utils/parse.js#L30).\n\n### Patches\nWe have decided on a two-pronged approach to patching this vulnerability:\n\n1. Create a patch update that adds a workaround **which is not enabled by default** to preserve backwards-compatibility\n2. On the next major update, **we will enable this workaround by default**\n\nThe workaround we have decided on is adding a prop to `JsonTree` called `allowFunctionEvaluation`. This prop will be set to `true` in v2.2.2, so you can upgrade without fear of losing backwards-compatibility.\n\nWe have also implemented additional security measures as we know many people may not read the details of this vulnerability, and we want to do the best we can to keep you protected. In v2.2.2, we switched from using `eval` to using [`Function`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) to construct anonymous functions. This is better than `eval` for the following reasons:\n\n- Arbitrary code should not be able to execute immediately, since the `Function` constructor explicitly *only creates* anonymous functions\n- Functions are created without local closures, so they only have access to the global scope\n\nThis change has brought a *slight* potential for breaking backwards-compatibility if users for some reason were relying on side-effects of our usage of `eval`, but that is beyond intended behavior, so we have decided to go ahead with this change and consider it a non-breaking change.\n\n### Workarounds\nAs mentioned above, there are a few scenarios you must consider:\n\nIf you use:\n- **Version `\u003c2.2.2`**, you must upgrade as soon as possible.\n- **Version `^2.2.2`**, you must explicitly set `JsonTree`\u0027s `allowFunctionEvaluation` prop to `false` to fully mitigate this vulnerability.\n- **Version `\u003e=3.0.0`**, `allowFunctionEvaluation` is already set to `false` by default, so no further steps are necessary.\n\n### References\nNone.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [GitHub repo](https://github.com/oxyno-zeta/react-editable-json-tree)\n",
  "id": "GHSA-j3rv-w43q-f9x2",
  "modified": "2022-08-18T19:15:28Z",
  "published": "2022-08-18T19:15:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oxyno-zeta/react-editable-json-tree/security/advisories/GHSA-j3rv-w43q-f9x2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36010"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oxyno-zeta/react-editable-json-tree"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oxyno-zeta/react-editable-json-tree/releases/tag/2.2.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "React Editable Json Tree vulnerable to arbitrary code execution via function parsing"
}

GHSA-J6WG-29XJ-2FJF

Vulnerability from github – Published: 2026-01-18 18:30 – Updated: 2026-01-23 18:31
VLAI
Details

Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system.

The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode.

If the instance is operating under the "External" execution mode (ex. n8n's official Docker image) - arbitrary code execution occurs inside a Sidecar container and not the main node, which significantly reduces the vulnerability impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-18T16:15:50Z",
    "severity": "HIGH"
  },
  "details": "Using string formatting and exception handling, an attacker may bypass n8n\u0027s python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system.\n\nThe vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under \"Internal\" execution mode.\n\nIf the instance is operating under the  \"External\" execution mode (ex. n8n\u0027s official Docker image) - arbitrary code execution occurs inside a Sidecar container and not the main node, which significantly reduces the vulnerability impact.",
  "id": "GHSA-j6wg-29xj-2fjf",
  "modified": "2026-01-23T18:31:28Z",
  "published": "2026-01-18T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0863"
    },
    {
      "type": "WEB",
      "url": "https://github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077"
    },
    {
      "type": "WEB",
      "url": "https://www.smartkeyss.com/post/cve-2026-0863-python-sandbox-escape-in-n8n-via-exception-formatting-and-implicit-code-execution"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M48C-HXQG-4J76

Vulnerability from github – Published: 2026-06-05 21:32 – Updated: 2026-06-05 21:32
VLAI
Details

Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11422"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T21:16:29Z",
    "severity": "HIGH"
  },
  "details": "Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension\u0027s message passing and invoke arbitrary file writes on the local filesystem.",
  "id": "GHSA-m48c-hxqg-4j76",
  "modified": "2026-06-05T21:32:04Z",
  "published": "2026-06-05T21:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11422"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shd101wyy/vscode-markdown-preview-enhanced/issues/2315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shd101wyy/crossnote/commit/5588ca2121c3da43fe331575dc5cf4ef347b91ee"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shd101wyy/vscode-markdown-preview-enhanced/commit/dcd80281c986293b93d9f1af34ced64dcb230c77"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/markdown-preview-enhanced-x-code-injection-via-wavedrom-rendering"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M4M7-4CW8-62J6

Vulnerability from github – Published: 2026-07-13 18:37 – Updated: 2026-07-13 18:37
VLAI
Summary
DIRAC is vulnerable to RCE in FileCatalog DatasetManager via SQL injection + eval
Details

Summary

The FileCatalog DatasetManager runs a query on the database and passes the result to eval. The SQL query contains an injection vulnerability which allows an authenticated user to control the parameter returned to the eval resulting in remote code execution.

Details

The FileCatalog checkDataset function passes its datasets argument directly to the backend DB handler: https://github.com/DIRACGrid/DIRAC/blob/f7e0a3ac153315030fb3520e8ca747f013758967/src/DIRAC/DataManagementSystem/Service/FileCatalogHandler.py#L591-L593

Which in turn passes it to the __checkDataset function: https://github.com/DIRACGrid/DIRAC/blob/f7e0a3ac153315030fb3520e8ca747f013758967/src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/DatasetManager.py#L390

This uses an f-string to create a query without escaping, resulting in an SQL injection: https://github.com/DIRACGrid/DIRAC/blob/f7e0a3ac153315030fb3520e8ca747f013758967/src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/DatasetManager.py#L400-L402

The result (which is user controllable due to the SQL injection) is passed into eval almost immediately on return, leading to code execution: https://github.com/DIRACGrid/DIRAC/blob/f7e0a3ac153315030fb3520e8ca747f013758967/src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/DatasetManager.py#L409

There are other functions in the same file which use a similar pattern and would likely be exploitable in a similar way.

Impact

This allows any authenticated user to run commands on the server, which allows a full compromise of the DIRAC system (they can read the local dirac.cfg, get database passwords and export all stored proxies and tokens). If local logging is used, they can also remove evidence of the exploit from the log.

Patched versions:

https://pypi.org/project/DIRAC/8.0.79/ https://pypi.org/project/DIRAC/9.0.22/ https://pypi.org/project/DIRAC/9.1.10/

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "DIRAC"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6"
            },
            {
              "fixed": "8.0.79"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "DIRAC"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.1.0a1"
            },
            {
              "fixed": "9.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "DIRAC"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.1.0"
            },
            {
              "fixed": "9.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-61667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-13T18:37:31Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe FileCatalog DatasetManager runs a query on the database and passes the result to eval. The SQL query contains an injection vulnerability which allows an authenticated user to control the parameter returned to the eval resulting in remote code execution.\n\n### Details\n\nThe FileCatalog checkDataset function passes its datasets argument directly to the backend DB handler:\nhttps://github.com/DIRACGrid/DIRAC/blob/f7e0a3ac153315030fb3520e8ca747f013758967/src/DIRAC/DataManagementSystem/Service/FileCatalogHandler.py#L591-L593\n\nWhich in turn passes it to the __checkDataset function:\nhttps://github.com/DIRACGrid/DIRAC/blob/f7e0a3ac153315030fb3520e8ca747f013758967/src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/DatasetManager.py#L390\n\nThis uses an f-string to create a query without escaping, resulting in an SQL injection:\nhttps://github.com/DIRACGrid/DIRAC/blob/f7e0a3ac153315030fb3520e8ca747f013758967/src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/DatasetManager.py#L400-L402\n\nThe result (which is user controllable due to the SQL injection) is passed into eval almost immediately on return, leading to code execution:\nhttps://github.com/DIRACGrid/DIRAC/blob/f7e0a3ac153315030fb3520e8ca747f013758967/src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/DatasetManager.py#L409\n\nThere are other functions in the same file which use a similar pattern and would likely be exploitable in a similar way.\n\n### Impact\nThis allows any authenticated user to run commands on the server, which allows a full compromise of the DIRAC system (they can read the local dirac.cfg, get database passwords and export all stored proxies and tokens). If local logging is used, they can also remove evidence of the exploit from the log.\n\n### Patched versions:\nhttps://pypi.org/project/DIRAC/8.0.79/\nhttps://pypi.org/project/DIRAC/9.0.22/\nhttps://pypi.org/project/DIRAC/9.1.10/",
  "id": "GHSA-m4m7-4cw8-62j6",
  "modified": "2026-07-13T18:37:31Z",
  "published": "2026-07-13T18:37:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DIRACGrid/DIRAC/security/advisories/GHSA-m4m7-4cw8-62j6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DIRACGrid/DIRAC"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/DIRAC/8.0.79"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/DIRAC/9.0.22"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/DIRAC/9.1.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DIRAC is vulnerable to RCE in FileCatalog DatasetManager via SQL injection + eval"
}

GHSA-M6QG-6W6H-V59X

Vulnerability from github – Published: 2026-04-07 15:30 – Updated: 2026-04-07 15:30
VLAI
Details

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-07T13:16:45Z",
    "severity": "HIGH"
  },
  "details": "Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().",
  "id": "GHSA-m6qg-6w6h-v59x",
  "modified": "2026-04-07T15:30:49Z",
  "published": "2026-04-07T15:30:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2"
    },
    {
      "type": "WEB",
      "url": "https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MHC6-2GFQ-XX62

Vulnerability from github – Published: 2026-07-01 20:44 – Updated: 2026-07-01 20:44
VLAI
Summary
Rancher vulnerable to command injection through unsanitized YAML parameter
Details

Impact

A critical command injection vulnerability has been identified in the Rancher Manager cluster import endpoint /v3/import/{token}_{clusterId}.yaml through unsanitized YAML parameters. This endpoint accepts an authImage query parameter that is rendered without sanitization into a generated Kubernetes manifest template. By including URL-encoded newlines in the parameter value, an attacker can break out of the image: field to inject arbitrary YAML keys and malicious configurations, such as commands to execute malicious containers.

Exploitation of this vulnerability requires the following conditions to be met: - Attackers must obtain a valid cluster registration token (these tokens may be exposed, for example, through documentation, screenshots, or insecure communication channels). - The victim’s cluster operator must execute kubectl apply against a maliciously crafted URL.

When a victim applies this compromised manifest using kubectl apply, a DaemonSet is deployed with the injected configuration. This DaemonSet: - Runs on all control-plane nodes with hostNetwork: true enabled. - Uses the cattle service account, which possesses cluster-admin privileges. - Mounts /etc/kubernetes directly from the host. - Executes attacker-controlled commands via the injected command: field.

An attacker who successfully exploits this vulnerability could:

  • Achieve full control over downstream Kubernetes clusters.
  • Execute arbitrary code on control-plane nodes with elevated privileges.
  • Access sensitive cluster secrets and configurations via the privileged service account.
  • Disrupt cluster operations by manipulating critical control-plane workloads.
  • Establish persistent access through the deployed DaemonSet.

Note: If you believe that you might have been impacted by this vulnerability, it's highly advised to review your clusters' logs and deployment logs for signs of malicious deployments and to rotate all service accounts and credentials that might have been exposed in such a scenario.

Please refer to the associated MITRE ATT&CK - Technique - Deploy Container for further information about this category of attack.

Patches

This vulnerability is addressed by validating the authImage parameter to ensure it contains only valid OCI image reference characters, rejecting any input containing newlines, whitespace, or other characters that could break YAML syntax.

Patched versions of Rancher include release v2.14.2, v2.13.6, v2.12.10, v2.11.14 and v2.10.12.

Workarounds

If upgrading to a patched version immediately is not feasible, users are encouraged to apply the following workaround:

  • Review the kube-api-auth DaemonSet: Inspect downstream clusters for the kube-api-auth DaemonSet within the cattle-system namespace (which targets control-plane nodes). Review this resource configuration carefully for:
  • Unexpected command: or args: fields in the container specification.
  • References to non-standard or suspicious container images.
  • Any modifications occurring after the initial cluster import.
  • Validate manifest integrity: Before running kubectl apply on any import manifests, verify that the source URLs originate from trusted sources and match expected patterns.

Credits

This security issue was reported by the following collaborators according to our responsible disclosure policy:

  • Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).
  • Michael Wollner from Deutsche Telekom AG.

References

If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the Rancher repository. - Verify with our support matrix and product support lifecycle.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.14.0"
            },
            {
              "fixed": "2.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13.0"
            },
            {
              "fixed": "2.13.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.12.0"
            },
            {
              "fixed": "2.12.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0"
            },
            {
              "fixed": "2.11.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/rancher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260617231817-2aa77eb283e7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T20:44:33Z",
    "nvd_published_at": "2026-06-19T13:16:30Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nA critical command injection vulnerability has been identified in the Rancher Manager cluster import endpoint  `/v3/import/{token}_{clusterId}.yaml` through unsanitized YAML parameters. This endpoint accepts an `authImage` query parameter that is rendered without sanitization into a generated Kubernetes manifest template. By including URL-encoded newlines in the parameter value, an attacker can break out of the `image:` field to inject arbitrary YAML keys and malicious configurations, such as commands to execute malicious containers.\n\nExploitation of this vulnerability requires the following conditions to be met:\n- Attackers must obtain a valid cluster registration token (these tokens may be exposed, for example, through documentation, screenshots, or insecure communication channels).\n- The victim\u2019s cluster operator must execute `kubectl apply` against a maliciously crafted URL. \n\nWhen a victim applies this compromised manifest using `kubectl apply`, a DaemonSet is deployed with the injected configuration. This DaemonSet:\n- Runs on all control-plane nodes with `hostNetwork: true` enabled.\n- Uses the `cattle` service account, which possesses `cluster-admin` privileges.\n- Mounts `/etc/kubernetes` directly from the host.\n- Executes attacker-controlled commands via the injected `command:` field.\n\nAn attacker who successfully exploits this vulnerability could:\n\n- Achieve full control over downstream Kubernetes clusters.\n- Execute arbitrary code on control-plane nodes with elevated privileges.\n- Access sensitive cluster secrets and configurations via the privileged service account.\n- Disrupt cluster operations by manipulating critical control-plane workloads.\n- Establish persistent access through the deployed DaemonSet.\n\n**Note:** If you believe that you might have been impacted by this vulnerability, it\u0027s highly advised to review your clusters\u0027 logs and deployment logs for signs of malicious deployments and to rotate all service accounts and credentials that might have been exposed in such a scenario.\n\nPlease refer to the associated  [MITRE ATT\u0026CK - Technique - Deploy Container](https://attack.mitre.org/techniques/T1610/) for further information about this category of attack.\n\n### Patches\nThis vulnerability is addressed by validating the `authImage` parameter to ensure it contains only valid OCI image reference characters, rejecting any input containing newlines, whitespace, or other characters that could break YAML syntax.\n\nPatched versions of Rancher include release `v2.14.2`, `v2.13.6`, `v2.12.10`, `v2.11.14` and `v2.10.12`. \n\n### Workarounds\nIf upgrading to a patched version immediately is not feasible, users are encouraged to apply the following workaround: \n\n- Review the `kube-api-auth` DaemonSet: Inspect downstream clusters for the `kube-api-auth` DaemonSet within the `cattle-system` namespace (which targets control-plane nodes). Review this resource configuration carefully for:\n  - Unexpected `command:` or `args:` fields in the container specification.\n  - References to non-standard or suspicious container images.\n  - Any modifications occurring after the initial cluster import.\n- Validate manifest integrity: Before running `kubectl apply` on any import manifests, verify that the source URLs originate from trusted sources and match expected patterns.\n\n### Credits\n\nThis security issue was reported by the following collaborators according to our responsible disclosure policy:\n\n- Radisauskas Arnoldas from NATO and the NATO Cyber Security Centre (NCSC).\n- Michael Wollner from Deutsche Telekom AG.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
  "id": "GHSA-mhc6-2gfq-xx62",
  "modified": "2026-07-01T20:44:33Z",
  "published": "2026-07-01T20:44:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/security/advisories/GHSA-mhc6-2gfq-xx62"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44939"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/rancher/commit/2aa77eb283e7451d605fb85e1bd9b1791cd73875"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/rancher"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Rancher vulnerable to command injection through unsanitized YAML parameter"
}

GHSA-MPCW-3J5P-P99X

Vulnerability from github – Published: 2024-10-24 18:27 – Updated: 2024-10-24 18:27
VLAI
Summary
Butterfly's parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)
Details

Summary

Usage of the Butterfly.prototype.parseJSON or getJSON functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server.

Since Butterfly JavaScript code has access to Java classes, it can run arbitrary programs.

Details

The parseJSON function (edu/mit/simile/butterfly/Butterfly.js:64) works by calling eval, an approach that goes back to the original library by Crockford, before JSON was part of the ECMAScript language. It uses a regular expression to remove strings from the input, then checks that there are no unexpected characters in the non-string remainder.

However, the regex is imperfect, as was discovered earlier by Mike Samuel; specifically, the "cleaner" can be tricked into treating part of the input as a string that the "evaluator" does not, because of a difference in interpretation regarding the the Unicode zero-width joiner character. Representing that character with a visible symbol, a malicious input looks like:

"\�\", Packages.java.lang.Runtime.getRuntime().exec('gnome-calculator')) // "

This is understood...

  • by JSON_cleaning_RE as a single string, and because it is a string it can be collapsed to nothing, which is not problematic, so the original input proceeds to eval.
  • by the eval function, which ignores zero-width joiners entirely, as a string containing a single escaped backslash, followed by a comma, then a function call, closing parenthesis, and finally a line comment.

The function call is evaluated, and a calculator is opened.

Possible mitigations and additional defenses could include:

  • Replacing the JSON implementation with Rhino's built-in implementation.
  • Dropping all JSON-related and JSONP-related code entirely.
  • Restricting the access the JavaScript controller code has to the rest of the system by using initSafeStandardObjects instead of initStandardObjects, using setClassShutter, and so on.

PoC

Change OpenRefine core controller.js to add a call to the vulnerable getJSON function:

diff --git a/main/webapp/modules/core/MOD-INF/controller.js b/main/webapp/modules/core/MOD-INF/controller.js
index 4ceba0676..1ce0936d2 100644
--- a/main/webapp/modules/core/MOD-INF/controller.js
+++ b/main/webapp/modules/core/MOD-INF/controller.js
@@ -631,0 +632,5 @@ function process(path, request, response) {
+    if (path == "getjsontest") {
+      butterfly.getJSON(request);
+      return true;
+    }
+

Then, restart OpenRefine and submit the malicious request. For example, the following bash command (with $' quoting) should do it:

curl -H 'Content-Type: application/json;charset=utf-8' --data $'"\\\u200d\\", Packages.java.lang.Runtime.getRuntime().exec(\'gnome-calculator\')) // "' http://localhost:3333/getjsontest

Impact

Any JavaScript controller that calls one of these functions is vulnerable to remote code execution.

OpenRefine itself seems unaffected; both OpenRefine and jQuery have their own functions also called parseJSON and getJSON, but those are unrelated.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openrefine.dependencies:butterfly"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-185",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-24T18:27:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nUsage of the `Butterfly.prototype.parseJSON` or `getJSON` functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server.\n\nSince Butterfly JavaScript code has access to Java classes, it can run arbitrary programs.\n\n### Details\n\nThe `parseJSON` function (edu/mit/simile/butterfly/Butterfly.js:64) works by calling `eval`, an approach that goes back to the original library by Crockford, before JSON was part of the ECMAScript language. It uses a regular expression to remove strings from the input, then checks that there are no unexpected characters in the non-string remainder.\n\nHowever, the regex is imperfect, as was [discovered earlier by Mike Samuel](https://dev.to/mikesamuel/2008-silently-securing-jsonparse-5cbb); specifically, the \"cleaner\" can be tricked into treating part of the input as a string that the \"evaluator\" does not, because of a difference in interpretation regarding the [the Unicode zero-width joiner character](https://unicode-explorer.com/c/200D). Representing that character with a visible symbol, a malicious input looks like:\n\n```js\n\"\\\ufffd\\\", Packages.java.lang.Runtime.getRuntime().exec(\u0027gnome-calculator\u0027)) // \"\n```\n\nThis is understood...\n\n* by `JSON_cleaning_RE` as a single string, and because it is a string it can be collapsed to nothing, which is not problematic, so the original input proceeds to `eval`.\n* by the `eval` function, which ignores zero-width joiners entirely, as a string containing a single escaped backslash, followed by a comma, then a function call, closing parenthesis, and finally a line comment.\n \nThe function call is evaluated, and a calculator is opened.\n\nPossible mitigations and additional defenses could include:\n\n* Replacing the JSON implementation with Rhino\u0027s built-in implementation.\n* Dropping all JSON-related and JSONP-related code entirely.\n* Restricting the access the JavaScript controller code has to the rest of the system by using `initSafeStandardObjects` instead of `initStandardObjects`, using `setClassShutter`, and so on.\n\n### PoC\n\nChange OpenRefine `core` `controller.js` to add a call to the vulnerable `getJSON` function:\n\n```diff\ndiff --git a/main/webapp/modules/core/MOD-INF/controller.js b/main/webapp/modules/core/MOD-INF/controller.js\nindex 4ceba0676..1ce0936d2 100644\n--- a/main/webapp/modules/core/MOD-INF/controller.js\n+++ b/main/webapp/modules/core/MOD-INF/controller.js\n@@ -631,0 +632,5 @@ function process(path, request, response) {\n+    if (path == \"getjsontest\") {\n+      butterfly.getJSON(request);\n+      return true;\n+    }\n+\n```\n\nThen, restart OpenRefine and submit the malicious request. For example, the following `bash` command (with $\u0027 quoting) should do it:\n\n```\ncurl -H \u0027Content-Type: application/json;charset=utf-8\u0027 --data $\u0027\"\\\\\\u200d\\\\\", Packages.java.lang.Runtime.getRuntime().exec(\\\u0027gnome-calculator\\\u0027)) // \"\u0027 http://localhost:3333/getjsontest\n```\n\n### Impact\n\nAny JavaScript controller that calls one of these functions is vulnerable to remote code execution.\n\nOpenRefine itself seems unaffected; both OpenRefine and jQuery have their own functions also called parseJSON and getJSON, but those are unrelated.",
  "id": "GHSA-mpcw-3j5p-p99x",
  "modified": "2024-10-24T18:27:50Z",
  "published": "2024-10-24T18:27:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-mpcw-3j5p-p99x"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/simile-butterfly/commit/2ad1fa4cd8afe3c920c8e6e04fe7a7df5cf8294e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenRefine/simile-butterfly"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Butterfly\u0027s parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)"
}

GHSA-P2QJ-R53J-H3XJ

Vulnerability from github – Published: 2024-09-19 06:31 – Updated: 2024-09-19 18:23
VLAI
Summary
LangChain Experimental Eval Injection vulnerability
Details

langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langchain-experimental"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.17"
            },
            {
              "last_affected": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-46946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-19T18:23:47Z",
    "nvd_published_at": "2024-09-19T05:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).",
  "id": "GHSA-p2qj-r53j-h3xj",
  "modified": "2024-09-19T18:23:47Z",
  "published": "2024-09-19T06:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46946"
    },
    {
      "type": "WEB",
      "url": "https://docs.sympy.org/latest/modules/codegen.html"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/12end/68c0c58d2564ef4141bccd4651480820#file-cve-2024-46946-txt"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langchain-ai/langchain"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-experimental%3D%3D0.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LangChain Experimental Eval Injection vulnerability"
}

GHSA-P6F4-6QXG-8XQV

Vulnerability from github – Published: 2026-03-29 03:30 – Updated: 2026-03-31 21:31
VLAI
Details

GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.

GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.

read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()

$arg .= '$VAR1'; my $val = eval "no strict; $arg"; # line 40-41

$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:

$VAR1 = do { system("..."); };

This executes on the client silently on every RPC call, as the return values remain correct.

This functionality is by design but the trust requirement for the remote host is not documented in the distribution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-29T01:15:56Z",
    "severity": "CRITICAL"
  },
  "details": "GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.\n\nGRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.\n\nread_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()\n\n  $arg .= \u0027$VAR1\u0027;\n  my $val = eval \"no strict; $arg\"; # line 40-41\n\n$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:\n\n  $VAR1 = do { system(\"...\"); };\n\nThis executes on the client silently on every RPC call, as the return values remain correct.\n\nThis functionality is by design but the trust requirement for the remote host is not documented in the distribution.",
  "id": "GHSA-p6f4-6qxg-8xqv",
  "modified": "2026-03-31T21:31:18Z",
  "published": "2026-03-29T03:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4851"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/03/26/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/26/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Strategy: Refactoring

If possible, refactor your code so that it does not need to use eval() at all.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Implementation
  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
  • Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.