CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-41282 (GCVE-0-2026-41282)
Vulnerability from cvelistv5 – Published: 2026-04-20 07:10 – Updated: 2026-04-21 00:59
VLAI
Summary
ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration).
Severity
4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ProjectDiscovery | Nuclei |
Affected:
3.0.0 , < 3.8.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41282",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:47:04.424961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:47:11.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/projectdiscovery/nuclei/pull/7221"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/projectdiscovery/nuclei/pull/7321"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nuclei",
"vendor": "ProjectDiscovery",
"versions": [
{
"lessThan": "3.8.0",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T00:59:19.998Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr"
},
{
"url": "https://github.com/projectdiscovery/nuclei/pull/7221"
},
{
"url": "https://github.com/projectdiscovery/nuclei/pull/7321"
},
{
"url": "https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3"
},
{
"url": "https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-41282",
"datePublished": "2026-04-20T07:10:30.246Z",
"dateReserved": "2026-04-20T07:10:29.549Z",
"dateUpdated": "2026-04-21T00:59:19.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41414 (GCVE-0-2026-41414)
Vulnerability from cvelistv5 – Published: 2026-04-24 18:32 – Updated: 2026-04-27 13:45
VLAI
Title
Skim: Arbitrary code execution via pull_request_target fork checkout in pr.yml
Summary
Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
Severity
7.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/skim-rs/skim/security/advisori… | x_refsource_CONFIRM |
| https://github.com/skim-rs/skim/commit/bf63404ad5… | x_refsource_MISC |
| https://drive.google.com/file/d/1Gj7ziTK42YWXYoQg… | exploit |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41414",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:45:19.315419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:45:23.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/skim-rs/skim/security/advisories/GHSA-9g93-rxr5-xhqw"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/1Gj7ziTK42YWXYoQgTbis_rMitHR59J6F/view"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "skim",
"vendor": "skim-rs",
"versions": [
{
"status": "affected",
"version": "\u003c bf63404ad51985b00ed304690ba9d477860a5a75"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:32:36.283Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skim-rs/skim/security/advisories/GHSA-9g93-rxr5-xhqw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skim-rs/skim/security/advisories/GHSA-9g93-rxr5-xhqw"
},
{
"name": "https://github.com/skim-rs/skim/commit/bf63404ad51985b00ed304690ba9d477860a5a75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skim-rs/skim/commit/bf63404ad51985b00ed304690ba9d477860a5a75"
}
],
"source": {
"advisory": "GHSA-9g93-rxr5-xhqw",
"discovery": "UNKNOWN"
},
"title": "Skim: Arbitrary code execution via pull_request_target fork checkout in pr.yml"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41414",
"datePublished": "2026-04-24T18:32:36.283Z",
"dateReserved": "2026-04-20T15:32:33.812Z",
"dateUpdated": "2026-04-27T13:45:23.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41486 (GCVE-0-2026-41486)
Vulnerability from cvelistv5 – Published: 2026-05-08 21:46 – Updated: 2026-05-12 02:07
VLAI
Title
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization
Summary
Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ray-project/ray/security/advis… | x_refsource_CONFIRM |
| https://github.com/ray-project/ray/pull/62056 | x_refsource_MISC |
| https://github.com/ray-project/ray/commit/c02bd31… | x_refsource_MISC |
| https://github.com/ray-project/ray/releases/tag/r… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ray-project | ray |
Affected:
>= 2.54.0, < 2.55.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T02:07:47.053848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T02:07:57.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ray",
"vendor": "ray-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.54.0, \u003c 2.55.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field\u0027s metadata bytes. Ray\u0027s implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:46:14.442Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r"
},
{
"name": "https://github.com/ray-project/ray/pull/62056",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ray-project/ray/pull/62056"
},
{
"name": "https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f"
},
{
"name": "https://github.com/ray-project/ray/releases/tag/ray-2.55.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ray-project/ray/releases/tag/ray-2.55.0"
}
],
"source": {
"advisory": "GHSA-mw35-8rx3-xf9r",
"discovery": "UNKNOWN"
},
"title": "Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41486",
"datePublished": "2026-05-08T21:46:14.442Z",
"dateReserved": "2026-04-20T16:14:19.007Z",
"dateUpdated": "2026-05-12T02:07:57.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41507 (GCVE-0-2026-41507)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:49 – Updated: 2026-05-08 14:20
VLAI
Title
Remote Code Execution (RCE) via String Literal Injection into math-codegen
Summary
math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mauriciopoppe/math-codegen/sec… | x_refsource_CONFIRM |
| https://github.com/mauriciopoppe/math-codegen/pull/11 | x_refsource_MISC |
| https://github.com/mauriciopoppe/math-codegen/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mauriciopoppe | math-codegen |
Affected:
< 0.4.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:20:14.868190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:20:21.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "math-codegen",
"vendor": "mauriciopoppe",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:49:34.091Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r"
},
{
"name": "https://github.com/mauriciopoppe/math-codegen/pull/11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mauriciopoppe/math-codegen/pull/11"
},
{
"name": "https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b"
}
],
"source": {
"advisory": "GHSA-p6x5-p4xf-cc4r",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) via String Literal Injection into math-codegen"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41507",
"datePublished": "2026-05-08T13:49:34.091Z",
"dateReserved": "2026-04-20T18:18:50.681Z",
"dateUpdated": "2026-05-08T14:20:21.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41512 (GCVE-0-2026-41512)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:52 – Updated: 2026-05-08 21:27
VLAI
Title
Remote code execution via JavaScript injection in `BrowserAutomation::PlaywrightService`
Summary
ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomation::PlaywrightService`. This issue has been patched in version 1.4.1.
Severity
9.9 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/0din-ai/ai-scanner/security/ad… | x_refsource_CONFIRM |
| https://github.com/0din-ai/ai-scanner/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| 0din-ai | ai-scanner |
Affected:
>= 1.0.0, < 1.4.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41512",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T17:04:46.709991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:27:16.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/0din-ai/ai-scanner/security/advisories/GHSA-r27j-xxgx-f5vr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ai-scanner",
"vendor": "0din-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomation::PlaywrightService`. This issue has been patched in version 1.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:52:56.263Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/0din-ai/ai-scanner/security/advisories/GHSA-r27j-xxgx-f5vr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/0din-ai/ai-scanner/security/advisories/GHSA-r27j-xxgx-f5vr"
},
{
"name": "https://github.com/0din-ai/ai-scanner/releases/tag/v1.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0din-ai/ai-scanner/releases/tag/v1.4.1"
}
],
"source": {
"advisory": "GHSA-r27j-xxgx-f5vr",
"discovery": "UNKNOWN"
},
"title": "Remote code execution via JavaScript injection in `BrowserAutomation::PlaywrightService`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41512",
"datePublished": "2026-05-08T13:52:56.263Z",
"dateReserved": "2026-04-20T18:18:50.681Z",
"dateUpdated": "2026-05-08T21:27:16.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41645 (GCVE-0-2026-41645)
Vulnerability from cvelistv5 – Published: 2026-05-08 03:17 – Updated: 2026-05-11 18:16
VLAI
Title
Nuclei: Environment variable disclosure via Response-Derived DSL Expressions
Summary
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/projectdiscovery/nuclei/securi… | x_refsource_CONFIRM |
| https://github.com/projectdiscovery/nuclei/pull/7221 | x_refsource_MISC |
| https://github.com/projectdiscovery/nuclei/pull/7321 | x_refsource_MISC |
| https://github.com/projectdiscovery/nuclei/commit… | x_refsource_MISC |
| https://github.com/projectdiscovery/nuclei/commit… | x_refsource_MISC |
| https://github.com/projectdiscovery/nuclei/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| projectdiscovery | nuclei |
Affected:
>= 3.0.0, < 3.8.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:15:43.322968Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:16:02.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuclei",
"vendor": "projectdiscovery",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei\u0027s expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:17:19.302Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr"
},
{
"name": "https://github.com/projectdiscovery/nuclei/pull/7221",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/projectdiscovery/nuclei/pull/7221"
},
{
"name": "https://github.com/projectdiscovery/nuclei/pull/7321",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/projectdiscovery/nuclei/pull/7321"
},
{
"name": "https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb"
},
{
"name": "https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3"
},
{
"name": "https://github.com/projectdiscovery/nuclei/releases/tag/v3.8.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/projectdiscovery/nuclei/releases/tag/v3.8.0"
}
],
"source": {
"advisory": "GHSA-jm34-66cf-qpvr",
"discovery": "UNKNOWN"
},
"title": "Nuclei: Environment variable disclosure via Response-Derived DSL Expressions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41645",
"datePublished": "2026-05-08T03:17:19.302Z",
"dateReserved": "2026-04-21T23:58:43.802Z",
"dateUpdated": "2026-05-11T18:16:02.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4165 (GCVE-0-2026-4165)
Vulnerability from cvelistv5 – Published: 2026-03-15 05:02 – Updated: 2026-03-17 13:45
VLAI
Title
Worksuite HR, CRM and Project Management create cross site scripting
Summary
A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351072 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351072 | signaturepermissions-required |
| https://vuldb.com/?submit.769430 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Worksuite | HR, CRM and Project Management |
Affected:
5.5.0
Affected: 5.5.1 Affected: 5.5.2 Affected: 5.5.3 Affected: 5.5.4 Affected: 5.5.5 Affected: 5.5.6 Affected: 5.5.7 Affected: 5.5.8 Affected: 5.5.9 Affected: 5.5.10 Affected: 5.5.11 Affected: 5.5.12 Affected: 5.5.13 Affected: 5.5.14 Affected: 5.5.15 Affected: 5.5.16 Affected: 5.5.17 Affected: 5.5.18 Affected: 5.5.19 Affected: 5.5.20 Affected: 5.5.21 Affected: 5.5.22 Affected: 5.5.23 Affected: 5.5.24 Affected: 5.5.25 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T13:44:43.088799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T13:45:03.502Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "HR, CRM and Project Management",
"vendor": "Worksuite",
"versions": [
{
"status": "affected",
"version": "5.5.0"
},
{
"status": "affected",
"version": "5.5.1"
},
{
"status": "affected",
"version": "5.5.2"
},
{
"status": "affected",
"version": "5.5.3"
},
{
"status": "affected",
"version": "5.5.4"
},
{
"status": "affected",
"version": "5.5.5"
},
{
"status": "affected",
"version": "5.5.6"
},
{
"status": "affected",
"version": "5.5.7"
},
{
"status": "affected",
"version": "5.5.8"
},
{
"status": "affected",
"version": "5.5.9"
},
{
"status": "affected",
"version": "5.5.10"
},
{
"status": "affected",
"version": "5.5.11"
},
{
"status": "affected",
"version": "5.5.12"
},
{
"status": "affected",
"version": "5.5.13"
},
{
"status": "affected",
"version": "5.5.14"
},
{
"status": "affected",
"version": "5.5.15"
},
{
"status": "affected",
"version": "5.5.16"
},
{
"status": "affected",
"version": "5.5.17"
},
{
"status": "affected",
"version": "5.5.18"
},
{
"status": "affected",
"version": "5.5.19"
},
{
"status": "affected",
"version": "5.5.20"
},
{
"status": "affected",
"version": "5.5.21"
},
{
"status": "affected",
"version": "5.5.22"
},
{
"status": "affected",
"version": "5.5.23"
},
{
"status": "affected",
"version": "5.5.24"
},
{
"status": "affected",
"version": "5.5.25"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "AhmadMarzouk (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-15T05:02:07.832Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351072 | Worksuite HR, CRM and Project Management create cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351072"
},
{
"name": "VDB-351072 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351072"
},
{
"name": "Submit #769430 | WORKSUITE WORKSUITE - HR, CRM and Project Management v5.5.25 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.769430"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-14T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-14T13:32:34.000Z",
"value": "VulDB entry last update"
}
],
"title": "Worksuite HR, CRM and Project Management create cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4165",
"datePublished": "2026-03-15T05:02:07.832Z",
"dateReserved": "2026-03-14T12:27:21.982Z",
"dateUpdated": "2026-03-17T13:45:03.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4166 (GCVE-0-2026-4166)
Vulnerability from cvelistv5 – Published: 2026-03-15 05:32 – Updated: 2026-03-17 13:46
VLAI
Title
Wavlink WL-NU516U1 login.cgi sub_404F68 cross site scripting
Summary
A vulnerability was found in Wavlink WL-NU516U1 240425. The impacted element is the function sub_404F68 of the file /cgi-bin/login.cgi. The manipulation of the argument homepage/hostname results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351073 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351073 | signaturepermissions-required |
| https://vuldb.com/?submit.769652 | third-party-advisory |
| https://vuldb.com/?submit.769653 | third-party-advisory |
| https://github.com/Litengzheng/vul_db/blob/main/W… | related |
| https://github.com/Litengzheng/vul_db/blob/main/W… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wavlink | WL-NU516U1 |
Affected:
240425
cpe:2.3:o:wavlink:wl-nu516u1_firmware:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4166",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T13:45:41.216278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T13:46:28.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:wavlink:wl-nu516u1_firmware:*:*:*:*:*:*:*:*"
],
"product": "WL-NU516U1",
"vendor": "Wavlink",
"versions": [
{
"status": "affected",
"version": "240425"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "LtzHust2 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Wavlink WL-NU516U1 240425. The impacted element is the function sub_404F68 of the file /cgi-bin/login.cgi. The manipulation of the argument homepage/hostname results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-15T05:32:08.404Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351073 | Wavlink WL-NU516U1 login.cgi sub_404F68 cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351073"
},
{
"name": "VDB-351073 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351073"
},
{
"name": "Submit #769652 | Wavlink WL-NU516U1 V240425 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.769652"
},
{
"name": "Submit #769653 | Wavlink WL-NU516U1 V240425 Cross Site Scripting (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.769653"
},
{
"tags": [
"related"
],
"url": "https://github.com/Litengzheng/vul_db/blob/main/WL-NU516U1/vul_14/README.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Litengzheng/vul_db/blob/main/WL-NU516U1/vul_15/README.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-14T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-14T13:35:31.000Z",
"value": "VulDB entry last update"
}
],
"title": "Wavlink WL-NU516U1 login.cgi sub_404F68 cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4166",
"datePublished": "2026-03-15T05:32:08.404Z",
"dateReserved": "2026-03-14T12:30:20.703Z",
"dateUpdated": "2026-03-17T13:46:28.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4168 (GCVE-0-2026-4168)
Vulnerability from cvelistv5 – Published: 2026-03-15 06:02 – Updated: 2026-03-16 15:45 Disputed
VLAI
Title
Tecnick TCExam Group tce_edit_group.php cross site scripting
Summary
A vulnerability was identified in Tecnick TCExam 16.5.0. This impacts an unknown function of the file /admin/code/tce_edit_group.php of the component Group Handler. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The presence of this vulnerability remains uncertain at this time. The affected component should be upgraded. The vendor explained: "I was not able to reproduce the same exploit as the TCExam version was already advanced in the meanwhile." Therefore, it can be assumed that this issue got fixed in a later release.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351075 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351075 | signaturepermissions-required |
| https://vuldb.com/?submit.769826 | third-party-advisory |
| https://github.com/ahmadmarz10-hub/CVEsMarz/blob/… | exploit |
| https://github.com/tecnickcom/tcexam/tags | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4168",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T15:44:58.172871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T15:45:07.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tecnick:tcexam:*:*:*:*:*:*:*:*"
],
"modules": [
"Group Handler"
],
"product": "TCExam",
"vendor": "Tecnick",
"versions": [
{
"status": "affected",
"version": "16.5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "AhmadMarzouk (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Tecnick TCExam 16.5.0. This impacts an unknown function of the file /admin/code/tce_edit_group.php of the component Group Handler. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The presence of this vulnerability remains uncertain at this time. The affected component should be upgraded. The vendor explained: \"I was not able to reproduce the same exploit as the TCExam version was already advanced in the meanwhile.\" Therefore, it can be assumed that this issue got fixed in a later release."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-15T06:02:07.600Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351075 | Tecnick TCExam Group tce_edit_group.php cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351075"
},
{
"name": "VDB-351075 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351075"
},
{
"name": "Submit #769826 | Tecnick TCExam 16.5.0 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.769826"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/CVE%20Stored%20XSS.md"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tecnickcom/tcexam/tags"
}
],
"tags": [
"disputed"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-14T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-14T13:53:01.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tecnick TCExam Group tce_edit_group.php cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4168",
"datePublished": "2026-03-15T06:02:07.600Z",
"dateReserved": "2026-03-14T12:47:23.328Z",
"dateUpdated": "2026-03-16T15:45:07.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4169 (GCVE-0-2026-4169)
Vulnerability from cvelistv5 – Published: 2026-03-15 06:02 – Updated: 2026-03-16 15:43 Disputed X_Open Source
VLAI
Title
Tecnick TCExam XML Export tce_xml_users.php F_xml_export_users cross site scripting
Summary
A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. There are still doubts about whether this vulnerability truly exists. Upgrading to version 16.6.1 is able to address this issue. The patch is named 899b5b2fa09edfe16043f07265e44fe2022b7f12. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as security issue. It requires to be administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.351076 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.351076 | signaturepermissions-required |
| https://github.com/tecnickcom/tcexam/commit/899b5… | patch |
| https://github.com/tecnickcom/tcexam/releases/tag… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4169",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T15:43:41.541043Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T15:43:55.190Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tecnick:tcexam:*:*:*:*:*:*:*:*"
],
"modules": [
"XML Export"
],
"product": "TCExam",
"vendor": "Tecnick",
"versions": [
{
"status": "affected",
"version": "16.0"
},
{
"status": "affected",
"version": "16.1"
},
{
"status": "affected",
"version": "16.2"
},
{
"status": "affected",
"version": "16.3"
},
{
"status": "affected",
"version": "16.4"
},
{
"status": "affected",
"version": "16.5"
},
{
"status": "affected",
"version": "16.6.0"
},
{
"status": "unaffected",
"version": "16.6.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. There are still doubts about whether this vulnerability truly exists. Upgrading to version 16.6.1 is able to address this issue. The patch is named 899b5b2fa09edfe16043f07265e44fe2022b7f12. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: \"However, this is difficult to justify as security issue. It requires to be administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don\u0027t see the point of this from a security perspective.\" This is reflected by the CVSS vector."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-15T06:02:09.933Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-351076 | Tecnick TCExam XML Export tce_xml_users.php F_xml_export_users cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.351076"
},
{
"name": "VDB-351076 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.351076"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tecnickcom/tcexam/commit/899b5b2fa09edfe16043f07265e44fe2022b7f12"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tecnickcom/tcexam/releases/tag/16.6.1"
}
],
"tags": [
"disputed",
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-14T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-14T13:53:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tecnick TCExam XML Export tce_xml_users.php F_xml_export_users cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4169",
"datePublished": "2026-03-15T06:02:09.933Z",
"dateReserved": "2026-03-14T12:47:26.433Z",
"dateUpdated": "2026-03-16T15:43:55.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Strategy: Refactoring
Description:
- Refactor your program so that you do not have to dynamically generate code.
Mitigation
Phase: Architecture and Design
Description:
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Phase: Testing
Description:
- Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Mitigation ID: MIT-32
Phase: Operation
Strategy: Compilation or Build Hardening
Description:
- Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation ID: MIT-32
Phase: Operation
Strategy: Environment Hardening
Description:
- Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation
Phase: Implementation
Description:
- For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.