Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details: CVE-2026-7246

Summary
Assigner: certcc
Assigner Org ID: 37e5125f-f79b-445b-8fad-9564f167944b
Published At: 30 Apr, 2026 | 13:16
Updated At: 30 Jun, 2026 | 03:20
Rejected At: -
Credits: -

Pallets Click contains a command injection via Unsanitized Filename "click.edit()"

Pallets Click, versions 8.3.2 and below, contain a command injection vulnerability in the click.edit() function, allowing attackers to pass arbitrary OS commands from an unprivileged account.

Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner: certcc
Assigner Org ID: 37e5125f-f79b-445b-8fad-9564f167944b
Published At: 30 Apr, 2026 | 13:16
Updated At: 30 Jun, 2026 | 03:20
Rejected At: -

CVE Numbering Authority (CNA)
Affected Products
Vendor: Pallets Click
Product: Click
Versions affected:
  • From 0 before 8.3.3 (custom)
Problem Types
  • CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') (Type: N/A; CWE ID: N/A)
References
  • https://github.com/pallets/click/releases/tag/8.3.3 (Resource: N/A)
  • https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw (Resource: N/A)
Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Problem Types
  • CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') (Type: CWE; CWE ID: CWE-77)
Metrics
  • CVSS 3.1, base score 7.2 (HIGH): CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
References
  • https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw (Resource: exploit)
2. github.com/pallets/click: Pallets Click: Arbitrary command execution via command injection in click.edit()

A flaw was found in Pallets Click. This command injection vulnerability, located in the click.edit() function, allows an attacker with an unprivileged account to execute arbitrary operating system (OS) commands. This could lead to unauthorized control over the affected system.

Affected Products
Vendor: Red Hat, Inc.
Product: Red Hat Ansible Automation Platform 2.6 for RHEL 10 (Default Status: affected)
CPEs:
  • cpe:/a:redhat:ansible_automation_platform:2.6::el10
  • cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10
Product: Red Hat Ansible Automation Platform 2.5 for RHEL 8 (Default Status: affected)
CPEs:
  • cpe:/a:redhat:ansible_automation_platform:2.5::el8
  • cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8
  • cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8
Product: Red Hat Ansible Automation Platform 2.5 for RHEL 9 (Default Status: affected)
CPEs:
  • cpe:/a:redhat:ansible_automation_platform:2.5::el9
  • cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9
  • cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9
Product: Red Hat Ansible Automation Platform 2.6 for RHEL 9 (Default Status: affected)
CPEs:
  • cpe:/a:redhat:ansible_automation_platform:2.6::el9
  • cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9
  • cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9
Product: Red Hat Ansible Automation Platform 2 (Default Status: unaffected)
CPEs:
  • cpe:/a:redhat:ansible_automation_platform:2
Problem Types
  • CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (Type: CWE; CWE ID: CWE-78)
Metrics
  • CVSS 3.1, base score 7.2 (HIGH): CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating: Important (namespace: https://access.redhat.com/security/updates/classification/)
Solutions
  • RHSA-2026:24762: Red Hat Ansible Automation Platform 2.6 for RHEL 10, Red Hat Ansible Automation Platform 2.6 for RHEL 9
  • RHSA-2026:24761: Red Hat Ansible Automation Platform 2.5 for RHEL 8, Red Hat Ansible Automation Platform 2.5 for RHEL 9

Timeline
  • Reported to Red Hat: 2026-04-30 14:00:58
  • Made public: 2026-04-30 13:16:44
References
  • https://access.redhat.com/security/cve/CVE-2026-7246 (Resource: vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2464121 (Resource: issue-tracking, x_refsource_REDHAT)
  • https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7246.json (Resource: x_sadp-csaf-vex)
  • https://access.redhat.com/errata/RHSA-2026:24762 (Resource: vendor-advisory, x_refsource_REDHAT)
  • https://access.redhat.com/errata/RHSA-2026:24761 (Resource: vendor-advisory, x_refsource_REDHAT)
National Vulnerability Database (NVD)
nvd.nist.gov
Source: cret@cert.org
Published At: 30 Apr, 2026 | 14:16
Updated At: 30 Jun, 2026 | 03:21
CISA Catalog
Date Added: N/A; Due Date: N/A; Vulnerability Name: N/A; Required Action: N/A
Metrics
  • Secondary: CVSS 3.1, base score 7.2 (HIGH): CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
  • Secondary: CVSS 3.1, base score 7.2 (HIGH): CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
  • Type N/A: no version, base score or vector recorded
CPE Matches
  • palletsprojects > click > versions before 8.3.3 (exclusive): cpe:2.3:a:palletsprojects:click:*:*:*:*:*:*:*:*
Weaknesses
  • CWE-77 (Type: Secondary; Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)
  • CWE-78 (Type: Secondary; Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c)
References
  • https://github.com/pallets/click/releases/tag/8.3.3 (Source: cret@cert.org; Resource: Patch, Product)
  • https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw (Source: cret@cert.org; Resource: Exploit, Third Party Advisory)
  • https://access.redhat.com/errata/RHSA-2026:24761 (Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c; Resource: N/A)
  • https://access.redhat.com/errata/RHSA-2026:24762 (Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c; Resource: N/A)
  • https://access.redhat.com/security/cve/CVE-2026-7246 (Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c; Resource: N/A)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2464121 (Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c; Resource: N/A)
  • https://github.com/tsigouris007/security-advisories/security/advisories/GHSA-47fr-3ffg-hgmw (Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0; Resource: Exploit, Third Party Advisory)
  • https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7246.json (Source: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c; Resource: N/A)
Similar CVEs

61 records found

CVE-2026-1961
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 8 (HIGH)
EPSS: 1.41% / 69.36% (7 day change: +0.03%)
Published: 26 Mar, 2026 | 12:53
Updated: 30 Jun, 2026 | 12:07
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Foreman: foreman: remote code execution via command injection in websocket proxy

A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation. This vulnerability arises from the system's use of unsanitized hostname values from compute resource providers when constructing shell commands. By operating a malicious compute resource server, an attacker could achieve remote code execution on the Foreman server when a user accesses VM VNC console functionality. This could lead to the compromise of sensitive credentials and the entire managed infrastructure.

Action: Not Available
Vendor: Red Hat, Inc.
Product: Red Hat Satellite 6.16 for RHEL 9; Red Hat Satellite 6.17 for RHEL 9; Red Hat Satellite 6; Red Hat Satellite 6.18 for RHEL 9; Red Hat Satellite 6.16 for RHEL 8
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8628
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 7.6 (HIGH)
EPSS: 3.25% / 86.82% (7 day change: ~0.00%)
Published: 31 Jul, 2018 | 20:00
Updated: 06 Aug, 2024 | 02:27
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

Action: Not Available
Vendor: Red Hat, Inc.
Product: ansible; Ansible
CWE ID: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2026-12398
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 7.5 (HIGH)
EPSS: 0.89% / 54.93% (7 day change: ~0.00%)
Published: 16 Jun, 2026 | 14:52
Updated: 29 Jun, 2026 | 18:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Galaxy_ng: shell injection in legacy role import via unsanitized git ref names

A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.

Action: Not Available
Vendor: Red Hat, Inc.
Product: Red Hat Ansible Automation Platform 2
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-0980
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 8.3 (HIGH)
EPSS: 0.77% / 51.14% (7 day change: ~0.00%)
Published: 27 Feb, 2026 | 07:30
Updated: 27 Mar, 2026 | 00:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Rubyipmi: red hat satellite: remote code execution in rubyipmi via malicious bmc username

A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller (BMC) component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit this vulnerability by crafting a malicious username for the BMC interface. This could lead to remote code execution (RCE) on the system.

Action: Not Available
Vendor: logicminds; Red Hat, Inc.
Product: satellite; rubyipmi; Red Hat Satellite 6.16 for RHEL 8; Red Hat Satellite 6.18 for RHEL 9; Red Hat Satellite 6.17 for RHEL 9; Red Hat Satellite 6; Red Hat Satellite 6.16 for RHEL 9
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-10805
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 6.7 (MEDIUM)
EPSS: 0.12% / 1.97% (7 day change: ~0.00%)
Published: 04 Jun, 2026 | 05:21
Updated: 02 Jul, 2026 | 06:59
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Networkmanager: networkmanager: local privilege escalation via malformed mud urls in dhclient backend

A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.

Action: Not Available
Vendor: Red Hat, Inc.
Product: Red Hat Enterprise Linux 9; Red Hat JBoss Enterprise Application Platform Expansion Pack; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 10; Multicluster Engine for Kubernetes; Red Hat OpenShift Container Platform 4
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-3874
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 8 (HIGH)
EPSS: 2.17% / 80.08% (7 day change: ~0.00%)
Published: 22 Sep, 2023 | 13:56
Updated: 24 Sep, 2024 | 15:01
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Os command injection via ct_command and fcct_command

A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system.

Action: Not Available
Vendor: n/a; Red Hat, Inc.; The Foreman
Product: satellite; foreman; Red Hat Satellite 6; foreman
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-6193
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 5.9 (MEDIUM)
EPSS: 0.76% / 50.66% (7 day change: ~0.00%)
Published: 20 Jun, 2025 | 15:54
Updated: 25 Mar, 2026 | 13:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Trustyai-explainability: command injection via lmevaljob cr

A command injection vulnerability was discovered in the TrustyAI Explainability toolkit. Arbitrary commands placed in certain fields of a LMEValJob custom resource (CR) may be executed in the LMEvalJob pod's terminal. This issue can be exploited via a maliciously crafted LMEvalJob by a user with permissions to deploy a CR.

Action: Not Available
Vendor: Red Hat, Inc.
Product: Red Hat OpenShift AI (RHOAI); Red Hat OpenShift AI 2.16
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-57283
Matching Score: 6
Assigner: MITRE Corporation
CVSS Score: 7.8 (HIGH)
EPSS: 0.70% / 48.85% (7 day change: +0.12%)
Published: 28 Jan, 2026 | 00:00
Updated: 30 Jun, 2026 | 03:21
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.

Action: Not Available
Vendor: browserstack; n/a; Red Hat, Inc.
Product: browserstack-local; n/a; Red Hat Fuse 7
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID: CWE-94 Improper Control of Generation of Code ('Code Injection')
CVE-2023-0118
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 9.1 (CRITICAL)
EPSS: 1.38% / 68.82% (7 day change: ~0.00%)
Published: 20 Sep, 2023 | 13:39
Updated: 17 Sep, 2024 | 13:51
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Foreman: arbitrary code execution through templates

An arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode in templates and execute arbitrary code on the underlying operating system.

Action: Not Available
Vendor: Red Hat, Inc.; The Foreman
Product: satellite; foreman; enterprise_linux; Red Hat Satellite 6.11 for RHEL 7; Red Hat Satellite 6.14 for RHEL 8; Red Hat Satellite 6.13 for RHEL 8; Red Hat Satellite 6.11 for RHEL 8; Red Hat Satellite 6.12 for RHEL 8
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-1734
Matching Score: 6
Assigner: Red Hat, Inc.
CVSS Score: 7.4 (HIGH)
EPSS: 0.44% / 35.62% (7 day change: ~0.00%)
Published: 03 Mar, 2020 | 21:23
Updated: 04 Aug, 2024 | 06:46
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

A flaw was found in the pipe lookup plugin of Ansible. Because the pipe lookup plugin uses subprocess.Popen() with shell=True and the variable is not escaped by the quote plugin, arbitrary commands can be run by overwriting Ansible facts. An attacker could take advantage of this and run arbitrary commands by overwriting the Ansible facts.

Action: Not Available
Vendor: Red Hat, Inc.
Product: ansible_engine; ansible_tower; Ansible
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-40746
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 7.2 (HIGH)
EPSS: 0.34% / 25.69% (7 day change: ~0.00%)
Published: 21 Nov, 2022 | 17:53
Updated: 24 Apr, 2025 | 19:08
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

IBM i Access Family 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236581.

Action: Not Available
Vendor: Microsoft Corporation; IBM Corporation
Product: i_access_client_solutions; windows; i
CWE ID: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID: CWE-427 Uncontrolled Search Path Element