CVSS: 9.9EPSS: %CPEs: 1EXPL: 0CVE-2026-27702 – Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)
https://notcve.org/view.php?id=CVE-2026-27702
25 Feb 2026 — Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe `eval()` vulnerability in Budibase's view filtering implementation allows any authenticated user (including free tier accounts) to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud (SaaS) - self-hosted deployments use native CouchDB views and are not vulnerable. The vulnerability exists in `packages/server/src/db/inMemoryView.ts` where use... • https://github.com/Budibase/budibase/commit/348659810cf930dda5f669e782706594c547115d • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 8.8EPSS: %CPEs: 1EXPL: 0CVE-2026-27701 – LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow
https://notcve.org/view.php?id=CVE-2026-27701
25 Feb 2026 — LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated directly into a `actions/github-script` JavaScript block using a GitHub Actions template expression. An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privilege... • https://github.com/live-codes/livecodes/commit/e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2026-27597 – @enclave-vm/core is vulnerable to Sandbox Escape
https://notcve.org/view.php?id=CVE-2026-27597
25 Feb 2026 — Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundraries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1. • https://github.com/agentfront/enclave/commit/09afbebe4cb6d0586c1145aa71ffabd2103932db • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2026-27744 – SPIP tickets < 4.3.3 Unauthenticated RCE
https://notcve.org/view.php?id=CVE-2026-27744
25 Feb 2026 — The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using unfiltered environment rendering (#ENV**), which disables SPIP output filtering. As a result, an unauthenticated attacker can inject crafted content that is evaluated through SPIP's template processing chain, leading to execution of code in the ... • https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2026-27745 – SPIP interface_traduction_objets < 2.2.2 Authenticated RCE
https://notcve.org/view.php?id=CVE-2026-27745
25 Feb 2026 — The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because fields prefixed with an underscore bypass protection mechanisms and the hidden content is rendered with filtering disabled, an authenticated attacker with editor-level privileges can inject crafted content that is ev... • https://chocapikk.com/posts/2026/spip-plugins-vulnerabilities • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2026-1929 – Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter
https://notcve.org/view.php?id=CVE-2026-1929
24 Feb 2026 — The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server ... • https://plugins.trac.wordpress.org/browser/advanced-woo-labels/tags/2.34/includes/admin/class-awl-admin-ajax.php#L136 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2026-27156 – NiceGUI has XSS via Code Injection
https://notcve.org/view.php?id=CVE-2026-27156
24 Feb 2026 — NiceGUI is a Python-based UI framework. Prior to version 3.8.0, several NiceGUI APIs that execute methods on client-side elements (`Element.run_method()`, `AgGrid.run_grid_method()`, `EChart.run_chart_method()`, and others) use an `eval()` fallback in the JavaScript-side `runMethod()` function. When user-controlled input is passed as the method name, an attacker can inject arbitrary JavaScript that executes in the victim's browser. Additionally, `Element.run_method()` and `Element.get_computed_prop()` used ... • https://github.com/zauberzeug/nicegui/commit/1861f59cc374ca0dc9d970b157ef3774720f8dbf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56373 – Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information
https://notcve.org/view.php?id=CVE-2024-56373
24 Feb 2026 — DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to conti... • https://github.com/apache/airflow/pull/61880 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 0CVE-2026-25797 – ImageMagick vulnerable to Code injection via PostScript header in ps coders
https://notcve.org/view.php?id=CVE-2026-25797
24 Feb 2026 — ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the ps coders, responsible for writing PostScript files, fails to sanitize the input before writing it into the PostScript header. An attacker can provide a malicous file and inject arbitrary PostScript code. When the resulting file is processed by a printer or a viewer (like Ghostscript), the injected code is interpreted and executed. The html encoder does not properly es... • https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-rw6c-xp26-225v • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-9120 – RCE vulnerability has been discovered in OpenText™ Carbonite Safe Server Backup.
https://notcve.org/view.php?id=CVE-2025-9120
24 Feb 2026 — Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Carbonite Safe Server Backup allows Code Injection. • https://support.carbonite.com/articles/Security-Bulletin-for-Carbonite-Safe-Server-Backup-09-12-2025 • CWE-94: Improper Control of Generation of Code ('Code Injection') •