CWE-95
AllowedImproper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
261 vulnerabilities reference this CWE, most recent first.
GHSA-P73G-98VH-RVR5
Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2025-10-15 15:30A vulnerability exists in F5OS-A and F5OS-C systems that may allow an authenticated attacker with local access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2025-61955"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T14:15:56Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in F5OS-A and F5OS-C systems that may allow an authenticated attacker with local access to escalate their privileges.\u00a0 A successful exploit may allow the attacker to cross a security boundary.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-p73g-98vh-rvr5",
"modified": "2025-10-15T15:30:29Z",
"published": "2025-10-15T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61955"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000156771"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P9MJ-V5MF-M82X
Vulnerability from github – Published: 2023-04-12 20:35 – Updated: 2023-04-16 07:16Impact
Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provide the notification filters. These macros are used in the user profiles and thus installed by default in XWiki.
A proof of concept exploit is
{{notificationsFiltersPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"created from filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
{{notificationsAutoWatchPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit2.txt~").withWriter { out -> out.println(~"created from auto watch preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
{{notificationsEmailPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit3.txt~").withWriter { out -> out.println(~"created from email filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
If this creates files inside /tmp, the installation is vulnerable.
Patches
The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10.
Workarounds
The issue can be fixed by patching the code in the affected macros that are contained in XWiki documents as shown in the patch for this issue.
References
- https://github.com/xwiki/xwiki-platform/commit/cebf9167e4fd64a8777781fc56461e9abbe0b32a
- https://jira.xwiki.org/browse/XWIKI-20259
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-notifications-ui"
},
"ranges": [
{
"events": [
{
"introduced": "13.2-rc-1"
},
{
"fixed": "13.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-notifications-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.0-rc-1"
},
{
"fixed": "14.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-notifications-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29210"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-12T20:35:13Z",
"nvd_published_at": "2023-04-15T17:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAny user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provide the [notification filters](https://extensions.xwiki.org/xwiki/bin/view/Extension/Notifications%20Application/#HFilters). These macros are used in the user profiles and thus installed by default in XWiki.\n\nA proof of concept exploit is\n\n```\n{{notificationsFiltersPreferences target=\"user\" user=\"~\" /~}~} {{async async=~\"true~\" cached=~\"false~\" context=~\"doc.reference~\"~}~}{{groovy~}~}new File(~\"/tmp/exploit.txt~\").withWriter { out -\u003e out.println(~\"created from filter preferences!~\"); }{{/groovy~}~}{{/async~}~}\"/}}\n\n{{notificationsAutoWatchPreferences target=\"user\" user=\"~\" /~}~} {{async async=~\"true~\" cached=~\"false~\" context=~\"doc.reference~\"~}~}{{groovy~}~}new File(~\"/tmp/exploit2.txt~\").withWriter { out -\u003e out.println(~\"created from auto watch preferences!~\"); }{{/groovy~}~}{{/async~}~}\"/}}\n\n{{notificationsEmailPreferences target=\"user\" user=\"~\" /~}~} {{async async=~\"true~\" cached=~\"false~\" context=~\"doc.reference~\"~}~}{{groovy~}~}new File(~\"/tmp/exploit3.txt~\").withWriter { out -\u003e out.println(~\"created from email filter preferences!~\"); }{{/groovy~}~}{{/async~}~}\"/}}\n```\n\nIf this creates files inside `/tmp`, the installation is vulnerable.\n\n### Patches\nThe vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10.\n\n### Workarounds\nThe issue can be fixed by patching the code in the affected macros that are contained in XWiki documents as shown in the [patch](https://github.com/xwiki/xwiki-platform/commit/cebf9167e4fd64a8777781fc56461e9abbe0b32a) for this issue.\n\n### References\n* https://github.com/xwiki/xwiki-platform/commit/cebf9167e4fd64a8777781fc56461e9abbe0b32a\n* https://jira.xwiki.org/browse/XWIKI-20259\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-p9mj-v5mf-m82x",
"modified": "2023-04-16T07:16:09Z",
"published": "2023-04-12T20:35:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9mj-v5mf-m82x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29210"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/cebf9167e4fd64a8777781fc56461e9abbe0b32a"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20259"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "org.xwiki.platform:xwiki-platform-notifications-ui Eval Injection vulnerability"
}
GHSA-PR57-R6PP-3H3H
Vulnerability from github – Published: 2024-02-20 12:31 – Updated: 2024-08-14 18:32The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable
{
"affected": [],
"aliases": [
"CVE-2023-7245"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T11:15:07Z",
"severity": "HIGH"
},
"details": "The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable\n",
"id": "GHSA-pr57-r6pp-3h3h",
"modified": "2024-08-14T18:32:36Z",
"published": "2024-02-20T12:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7245"
},
{
"type": "WEB",
"url": "https://openvpn.net/vpn-server-resources/openvpn-connect-for-macos-change-log"
},
{
"type": "WEB",
"url": "https://openvpn.net/vpn-server-resources/openvpn-connect-for-windows-change-log"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PW8R-6689-XVF4
Vulnerability from github – Published: 2026-05-11 16:20 – Updated: 2026-05-13 13:53Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
const expressions = require("angular-expressions");
const result = expressions.compile("a | __proto__")({}, {});
This should throw the error : Filter 'proto' is not defined, however, this shows :
Uncaught SyntaxError: Unexpected identifier 'Object'
With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.
Vulnerable versions :
angular-expressions <= 1.5.1
Patches
The problem has been patched in version 1.5.2 of angular-expressions.
Credits
Credits go to San Gil from www.securityoffice.io who has found the issue and reported it to us.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5.1"
},
"package": {
"ecosystem": "npm",
"name": "angular-expressions"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44643"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T16:20:58Z",
"nvd_published_at": "2026-05-11T16:17:36Z",
"severity": "CRITICAL"
},
"details": "## Impact\n\nAn attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.\n\nExample of vulnerable code:\n\n```\nconst expressions = require(\"angular-expressions\");\nconst result = expressions.compile(\"a | __proto__\")({}, {});\n```\n\nThis should throw the error : Filter \u0027__proto__\u0027 is not defined, however, this shows : \n\nUncaught SyntaxError: Unexpected identifier \u0027Object\u0027\n\nWith a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.\n\n## Vulnerable versions : \n\nangular-expressions \u003c= 1.5.1\n\n## Patches\n\nThe problem has been patched in version 1.5.2 of angular-expressions.\n\n## Credits\n\nCredits go to San Gil from [www.securityoffice.io](https://securityoffice.io/) who has found the issue and reported it to us.",
"id": "GHSA-pw8r-6689-xvf4",
"modified": "2026-05-13T13:53:12Z",
"published": "2026-05-11T16:20:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/peerigon/angular-expressions/security/advisories/GHSA-pw8r-6689-xvf4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44643"
},
{
"type": "PACKAGE",
"url": "https://github.com/peerigon/angular-expressions"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Angular Expressions - Remote Code Execution using filters"
}
GHSA-Q6V4-FWC8-3MPC
Vulnerability from github – Published: 2026-02-05 18:30 – Updated: 2026-04-23 00:31The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.
{
"affected": [],
"aliases": [
"CVE-2025-15551"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-05T18:16:09Z",
"severity": "MODERATE"
},
"details": "The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check.\u00a0Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router\u0027s admin web portal without the user\u0027s permission or knowledge.",
"id": "GHSA-q6v4-fwc8-3mpc",
"modified": "2026-04-23T00:31:12Z",
"published": "2026-02-05T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15551"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/en/support/download/archer-mr200/v5.20/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/en/support/download/tl-wr845n/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/in/support/download/archer-c20/v6/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/in/support/download/archer-mr200/v5.20/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/in/support/download/tl-wr845n/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/download/archer-c20/v5/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/faq/4948"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q6WX-VHVQ-X7H6
Vulnerability from github – Published: 2026-05-27 06:31 – Updated: 2026-06-30 03:36IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.
_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.
Arbitrary Perl in the output glob executes at the calling process's privilege.
{
"affected": [],
"aliases": [
"CVE-2026-48962"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T04:16:31Z",
"severity": "HIGH"
},
"details": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.\n\n_parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.\n\nArbitrary Perl in the output glob executes at the calling process\u0027s privilege.",
"id": "GHSA-q6wx-vhvq-x7h6",
"modified": "2026-06-30T03:36:49Z",
"published": "2026-05-27T06:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48962"
},
{
"type": "WEB",
"url": "https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48962.json"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/PMQS/IO-Compress-2.220/changes"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481767"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-48962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30860"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30859"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30851"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30843"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30115"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30086"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30085"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29941"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29867"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29210"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29182"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/27/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q943-6MG4-6PX7
Vulnerability from github – Published: 2025-08-06 03:30 – Updated: 2026-04-08 18:33The Request a Quote Form plugin for WordPress is vulnerable to Remote Code Execution in version less than, or equal to, 2.5.2 via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called.
{
"affected": [],
"aliases": [
"CVE-2025-8420"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T03:15:27Z",
"severity": "HIGH"
},
"details": "The Request a Quote Form plugin for WordPress is vulnerable to Remote Code Execution in version less than, or equal to, 2.5.2 via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called.",
"id": "GHSA-q943-6mg4-6px7",
"modified": "2026-04-08T18:33:55Z",
"published": "2025-08-06T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8420"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3346435"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3346460"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3347084"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3338854%40request-a-quote\u0026new=3338854%40request-a-quote\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3340992%40software-issue-manager\u0026new=3340992%40software-issue-manager\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3341064%40wp-ticket\u0026new=3341064%40wp-ticket\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3348220%40wp-easy-events\u0026new=3348220%40wp-easy-events\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3365190%40youtube-showcase\u0026new=3365190%40youtube-showcase\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/601aa2b5-aeac-49bc-960d-4b4ff83e9229?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCJF-2V2G-8464
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2023-06-26 21:30Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.
{
"affected": [],
"aliases": [
"CVE-2021-23277"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-13T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands.",
"id": "GHSA-qcjf-2v2g-8464",
"modified": "2023-06-26T21:30:51Z",
"published": "2022-05-24T17:47:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23277"
},
{
"type": "WEB",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/eaton-intelligent-power-manager-ipm-vulnerability-advisory.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJ86-P74R-7WP5
Vulnerability from github – Published: 2023-12-16 00:40 – Updated: 2023-12-16 00:40Impact
Anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality, integrity and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile so this should be exploitable by all users of the XWiki instance.
The easiest way to reproduce this is to edit any document with the object editor and add an object of type XWiki.ConfigurableClass ("Custom configurable sections"). Set "Display in section" and "Display in Category" to "other", set scope to "Wiki and all spaces" and "Heading" to {{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from Heading succeeded!"); println("Hello from Groovy!"){{/groovy}}{{/async}}. Click "Save". Open <xwiki-host>/xwiki/bin/view/Main/?sheet=XWiki.AdminSheet&viewer=content&editor=globaladmin§ion=other where <xwiki-host> is the URL of your XWiki installation. If this displays just "Hello from Groovy!" in a heading and generates an error message with content "Attack from Heading succeeded!" in XWiki's log, the attack succeeded. Similar attacks are also possible by creating this kind of object on a document with a specially crafted name, see the referenced Jira issues for more reproduction steps.
Patches
This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1
Workarounds
It is possible to manually apply the fixes for the vulnerability by editing two pages in the wiki. This patch needs to be applied to the page XWiki.ConfigurableClassMacros. Further, the following patches need to be applied to the page XWiki.ConfigurableClass:
- https://github.com/xwiki/xwiki-platform/commit/749f6aee1bfbcf191c3734ea0aa9eba3aa63240e#diff-bf419a99140f3c12fd78ea30f855b63cfb74c1c976ff4436898266d9b37ad3ce
- https://github.com/xwiki/xwiki-platform/commit/1157c1ecea395aac7f64cd8a6f484b1225416dc7#diff-bf419a99140f3c12fd78ea30f855b63cfb74c1c976ff4436898266d9b37ad3ce
- https://github.com/xwiki/xwiki-platform/commit/0f367aaae4e0696f61cf5a67a75edd27d1d16db6
Note that also the page XWiki.ConfigurableClass needs to be changed to xwiki/2.1 syntax for the escaping to work properly but the security vulnerability is fixed also without changing the syntax.
References
- https://github.com/xwiki/xwiki-platform/commit/bd82be936c21b65dee367d558e3050b9b6995713
- https://github.com/xwiki/xwiki-platform/commit/749f6aee1bfbcf191c3734ea0aa9eba3aa63240e
- https://github.com/xwiki/xwiki-platform/commit/1157c1ecea395aac7f64cd8a6f484b1225416dc7
- https://github.com/xwiki/xwiki-platform/commit/0f367aaae4e0696f61cf5a67a75edd27d1d16db6
- https://jira.xwiki.org/browse/XWIKI-21122
- https://jira.xwiki.org/browse/XWIKI-21121
- https://jira.xwiki.org/browse/XWIKI-21194
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-administration-ui"
},
"ranges": [
{
"events": [
{
"introduced": "2.3"
},
{
"fixed": "14.10.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-administration-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-administration-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.6-rc-1"
},
{
"fixed": "15.7-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50723"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-16T00:40:04Z",
"nvd_published_at": "2023-12-15T19:15:10Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nAnyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality, integrity and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile so this should be exploitable by all users of the XWiki instance.\n\nThe easiest way to reproduce this is to edit any document with the object editor and add an object of type `XWiki.ConfigurableClass` (\"Custom configurable sections\"). Set \"Display in section\" and \"Display in Category\" to \"other\", set scope to \"Wiki and all spaces\" and \"Heading\" to `{{async}}{{groovy}}services.logging.getLogger(\"attacker\").error(\"Attack from Heading succeeded!\"); println(\"Hello from Groovy!\"){{/groovy}}{{/async}}`. Click \"Save\". Open `\u003cxwiki-host\u003e/xwiki/bin/view/Main/?sheet=XWiki.AdminSheet\u0026viewer=content\u0026editor=globaladmin\u0026section=other` where `\u003cxwiki-host\u003e` is the URL of your XWiki installation. If this displays just \"Hello from Groovy!\" in a heading and generates an error message with content \"Attack from Heading succeeded!\" in XWiki\u0027s log, the attack succeeded. Similar attacks are also possible by creating this kind of object on a document with a specially crafted name, see the referenced Jira issues for more reproduction steps.\n\n### Patches\nThis has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1\n\n### Workarounds\n\nIt is possible to manually apply the fixes for the vulnerability by editing two pages in the wiki. [This patch](https://github.com/xwiki/xwiki-platform/commit/bd82be936c21b65dee367d558e3050b9b6995713#diff-0c8db1bc71d4e1508c0667050741827551ba130f324b3213352bc4a67645f648) needs to be applied to the page `XWiki.ConfigurableClassMacros`. Further, the following patches need to be applied to the page `XWiki.ConfigurableClass`:\n\n* https://github.com/xwiki/xwiki-platform/commit/749f6aee1bfbcf191c3734ea0aa9eba3aa63240e#diff-bf419a99140f3c12fd78ea30f855b63cfb74c1c976ff4436898266d9b37ad3ce\n* https://github.com/xwiki/xwiki-platform/commit/1157c1ecea395aac7f64cd8a6f484b1225416dc7#diff-bf419a99140f3c12fd78ea30f855b63cfb74c1c976ff4436898266d9b37ad3ce\n* https://github.com/xwiki/xwiki-platform/commit/0f367aaae4e0696f61cf5a67a75edd27d1d16db6\n\nNote that also the page `XWiki.ConfigurableClass` needs to be changed to `xwiki/2.1` syntax for the escaping to work properly but the security vulnerability is fixed also without changing the syntax.\n\n### References\n\n* https://github.com/xwiki/xwiki-platform/commit/bd82be936c21b65dee367d558e3050b9b6995713\n* https://github.com/xwiki/xwiki-platform/commit/749f6aee1bfbcf191c3734ea0aa9eba3aa63240e\n* https://github.com/xwiki/xwiki-platform/commit/1157c1ecea395aac7f64cd8a6f484b1225416dc7\n* https://github.com/xwiki/xwiki-platform/commit/0f367aaae4e0696f61cf5a67a75edd27d1d16db6\n* https://jira.xwiki.org/browse/XWIKI-21122\n* https://jira.xwiki.org/browse/XWIKI-21121\n* https://jira.xwiki.org/browse/XWIKI-21194",
"id": "GHSA-qj86-p74r-7wp5",
"modified": "2023-12-16T00:40:04Z",
"published": "2023-12-16T00:40:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qj86-p74r-7wp5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50723"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/0f367aaae4e0696f61cf5a67a75edd27d1d16db6"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/1157c1ecea395aac7f64cd8a6f484b1225416dc7"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/749f6aee1bfbcf191c3734ea0aa9eba3aa63240e"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/bd82be936c21b65dee367d558e3050b9b6995713"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-21121"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-21122"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-21194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Remote code execution/programming rights with configuration section from any user account"
}
GHSA-QWQ6-R6C6-68JR
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-18 18:31SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an endpoint passes attacker-controlled input from a parameter to Perl's eval.
{
"affected": [],
"aliases": [
"CVE-2026-44128"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T14:16:45Z",
"severity": "CRITICAL"
},
"details": "SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an\u00a0endpoint passes attacker-controlled input from a\u00a0parameter to Perl\u0027s\u00a0eval.",
"id": "GHSA-qwq6-r6c6-68jr",
"modified": "2026-05-18T18:31:24Z",
"published": "2026-05-08T15:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44128"
},
{
"type": "WEB",
"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security"
},
{
"type": "WEB",
"url": "https://labs.infoguard.ch/posts/seppmail_secure_e-mail_gateway_rce_vulnerabilities_cve-2026-2743_cve-2026-7864_cve-2026-44127_cve-2026-44128"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Refactoring
If possible, refactor your code so that it does not need to use eval() at all.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
- Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.