Jan 1, 2026
ClamAV's configuration allows admins to run a command when a virus is found. By failing to sanitize the filename placeholder (%f) before passing it to 'sh -c', the engine executes any shell commands embedded in the name of the infected file. It's a 1990s-style vulnerability in a 2024 security product.
A classic OS Command Injection vulnerability in ClamAV's 'VirusEvent' feature allows local attackers to execute arbitrary code by simply naming a file with malicious shell characters.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

| Product | Affected Versions | Fixed Version |
|---|---|---|
| ClamAV Cisco | 1.2.0 - 1.2.1 | 1.2.2 |
| ClamAV Cisco | 1.0.0 - 1.0.4 | 1.0.5 |
| ClamAV Cisco | <= 0.105.x | 1.0.5 |
| Attribute | Detail |
|---|---|
| CWE | CWE-78 (OS Command Injection) |
| Attack Vector | Local (potentially Remote via file upload) |
| CVSS v3.1 | 5.3 (Medium) |
| Impact | Arbitrary Code Execution / Privilege Escalation |
| Vulnerable Component | clamd daemon (VirusEvent) |
| Exploit Status | Proof of Concept Available |
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
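As an added illustration (written for this page; it is neither ClamAV's code nor the project's actual fix), the Python below models the unsafe pattern the advisory describes, substituting `%f` into a command string that is then run through `sh -c`, beside two hardened variants: one that avoids the shell entirely by placing the filename into a single argv element, and one that keeps the operator's shell command intact but delivers the untrusted values through environment variables. The template strings, the function names and the `VIRUSEVENT_FILENAME`/`VIRUSEVENT_VIRUSNAME` variable names are assumptions chosen for the demonstration, and the constructed filename carries only a harmless `echo` so the difference shows up in the captured output.

```python
import os
import re
import subprocess

# Assumed operator configuration in the style of a clamd.conf VirusEvent line.
# %v and %f are the placeholders the hook expands (constructed for this example).
TEMPLATE = "echo virus %v found in %f"

# Same intent, but the data is referenced as shell variables instead of being
# spliced into the command text. Variable names are assumptions for this demo.
ENV_COMMAND = 'echo virus "$VIRUSEVENT_VIRUSNAME" found in "$VIRUSEVENT_FILENAME"'

# Characters that change how the shell parses a command line.
METACHARS = set(";&|$`<>()'\"\\\n")


def substitute(text: str, filename: str, virusname: str) -> str:
    """Expand %f and %v in a single pass, so a value containing '%v' is never
    re-expanded by a second replace() call."""
    return re.sub(r"%[fv]", lambda m: filename if m.group() == "%f" else virusname, text)


def run_virusevent_unsafe(template: str, filename: str, virusname: str) -> str:
    """Vulnerable pattern (CWE-78): untrusted values become part of a string
    that `sh -c` re-parses, so metacharacters in the filename act as syntax."""
    cmd = substitute(template, filename, virusname)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


def run_virusevent_argv(template: str, filename: str, virusname: str) -> str:
    """Hardened pattern 1: split the trusted template once (shlex), then expand
    placeholders inside individual argv elements. No shell runs, so the filename
    stays one opaque argument regardless of its contents."""
    import shlex
    argv = [substitute(arg, filename, virusname) for arg in shlex.split(template)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_virusevent_env(command: str, filename: str, virusname: str) -> str:
    """Hardened pattern 2: the operator's command string is still run by sh, but
    the untrusted values arrive via the environment. A quoted "$VAR" expands to
    exactly one word and its content is never parsed as command syntax."""
    env = dict(os.environ, VIRUSEVENT_FILENAME=filename, VIRUSEVENT_VIRUSNAME=virusname)
    return subprocess.run(["/bin/sh", "-c", command], env=env,
                          capture_output=True, text=True).stdout


def suspicious_shell_chars(filename: str) -> list:
    """Defensive check a reviewer or monitor can apply: list which shell
    metacharacters a scanned path contains (sorted, duplicates removed)."""
    return sorted(METACHARS & set(filename))


if __name__ == "__main__":
    # Constructed sample: a filename whose trailing part is shell syntax.
    name = "invoice.pdf; echo INJECTED"
    sig = "Test.Signature"
    print("unsafe :", repr(run_virusevent_unsafe(TEMPLATE, name, sig)))
    print("argv   :", repr(run_virusevent_argv(TEMPLATE, name, sig)))
    print("env    :", repr(run_virusevent_env(ENV_COMMAND, name, sig)))
    print("flagged:", suspicious_shell_chars(name))
```

Running it shows the unsafe variant producing a second output line (`INJECTED`) because the shell split the filename at `;`, while both hardened variants print the filename verbatim as data. Of the two fixes, the argv form is the stronger default since it removes the shell from the path entirely; the environment form is useful when operators must keep arbitrary shell pipelines in their hook configuration.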