CVE-2024-4577 – PHP-CGI OS Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-4577
PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution.
https://github.com/BTtea/CVE-2024-4577-RCE-PoC
https://github.com/K3ysTr0K3R/CVE-2024-4577-EXPLOIT
https://github.com/manuelinfosec/CVE-2024-4577
https://github.com/zomasec/CVE-2024-4577
https://github.com/cybersagor/CVE-2024-4577
https://github.com/l0n3m4n/CVE-2024-4577-RCE
https://github.com/bughuntar/CVE-2024-4577
https://github.com/watchtowrlabs/CVE-2024-4577
https://github.com/xcanwin/CVE-2024-4577-PHP-RCE
https://github.com/TAM-K592/CVE-2024-4577
https:/
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-1880 – OS Command Injection in MacOS Text-To-Speech Class in significant-gravitas/autogpt
https://notcve.org/view.php?id=CVE-2024-1880
Specifically, the use of `os.system` to execute the `say` command with user-supplied text allows for arbitrary code execution if an attacker can inject shell commands.
https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669
https://huntr.com/bounties/4e742624-8771-4f3c-9634-3eaf33d6d58e
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-3095 – SSRF in Langchain Web Research Retriever in langchain-ai/langchain
https://notcve.org/view.php?id=CVE-2024-3095
This could potentially lead to arbitrary code execution, depending on the nature of the local services.
https://github.com/leoCottret/CVE-2024-30956
https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2024-4320 – Remote Code Execution due to LFI in '/install_extension' in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-4320
The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution.
https://github.com/bolkv/CVE-2024-4320
https://huntr.com/bounties/d6564f04-0f59-4686-beb2-11659342279b
CWE-29: Path Traversal: '\..\filename'
CVE-2024-4889 – Code Injection in berriai/litellm
https://notcve.org/view.php?id=CVE-2024-4889
A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system.
https://huntr.com/bounties/be3fda72-a65b-4993-9a0e-7e0f05db51f8
CWE-94: Improper Control of Generation of Code ('Code Injection')