LaTeX (latex/pdflatex/xelatex/lualatex) is being invoked with the `-shell-escape` flag. This flag enables LaTeX's `\write18{...}` and `\input{|"cmd"}` shell-execution primitives, which pass their arguments directly to /bin/sh. If the .tex document being compiled contains any untrusted input (e.g., HTTP request body, user-uploaded file, database field), this
Rule Explorer
- Public rules: 1935
- Downloads: 201.7K
- Verified: 1935
- Authors: 2
ReDoS (Regular Expression Denial of Service): Using /^\s*/ or /\s*$/ in String.replace() can cause catastrophic backtracking when processing strings with many whitespace characters followed by a non-whitespace character (CVE-2021-3749). The \s* zero-or-more quantifier combined with start/end anchors forces the regex engine into O(N^2) backtracking on adversa
58 downloads (0 direct, 58 via packs)

A printf-family function (swprintf_s/swprintf/sprintf_s/sprintf/snprintf/_snwprintf_s) is called with the destination buffer passed both as the output and as its own %s source, followed by a single attacker-influenced argument (e.g. `swprintf_s(buf, L"%s /run {%s}", buf, user_input)`). This is an unbounded self-concatenation into a fixed-size buffer with ove
52 downloads (0 direct, 52 via packs)

jsonpickle decode()/Unpickler() is defined or invoked with safe=False, enabling the legacy py/repr deserialization path that calls eval() on attacker-controlled JSON content. A JSON payload like {"py/repr": "os/os.system('id')"} achieves remote code execution. Change the default to safe=True (patched behavior) or pass safe=True explicitly at call sites.
53 downloads (0 direct, 53 via packs)

The CodeIgniter `db->order_by()` is being called with a value passed through `db->escape()`. `CI_DB::escape()` is a value-escaping helper that wraps strings in single quotes for SQL literal contexts; it does NOT sanitise SQL identifier contexts like ORDER BY. An attacker controlling the value (typically via a `sort` query parameter) can inject SQL fragments
52 downloads (0 direct, 52 via packs)

Passing the result of $DB->escape() (a value escaper that wraps strings as SQL string literals) to $DB->order_by() does not sanitize SQL identifiers. When the argument is user-controlled, this allows ORDER BY SQL injection (commas, function calls, sub-selects, time-based payloads). Use an identifier-quoting/whitelisting helper such as quote_order_by() or res
52 downloads (0 direct, 52 via packs)

Passing user-controlled input to CodeIgniter's $db->order_by() after only running it through $db->escape() does not sanitize SQL identifiers. escape() quotes string literals but does not constrain ORDER BY column tokens, allowing an attacker to inject arbitrary SQL (subqueries, CASE/IF expressions, UNION fragments, boolean payloads) into the ORDER BY clause.
52 downloads (0 direct, 52 via packs)

The value passed to CodeIgniter's `$db->order_by(...)` is sanitized with `$db->escape(...)`, which only quotes string-literal values for use in WHERE clauses. It does NOT sanitize SQL identifiers or strip ORDER BY syntax (subqueries, CASE expressions, UNION ordering tricks, etc.). Attacker-controlled `sort` / `order_by` parameters can therefore inject SQL in
52 downloads (0 direct, 52 via packs)

PHP MIME-type blocklist maps PHP variants (e.g., 'php7:*' => 'text/x-php') but omits 'php8:*' and/or 'php9:*'. Uploaded files with a .php8 / .php9 extension will not be reclassified as text/x-php and may bypass the PHP-handler blocklist, leading to Remote Code Execution on servers that execute these extensions as PHP (CVE-2023-52044, CWE-434).
52 downloads (0 direct, 52 via packs)

The uploadFile() method declares a rename/sanitize flag parameter (e.g., $renameFile) that defaults to false. Callers that don't explicitly pass true will keep the attacker-controlled client filename verbatim, including dangerous extensions like .php. This enables Unrestricted File Upload (CWE-434) leading to RCE when files land under a web-served directory.
52 downloads (0 direct, 52 via packs)

Anonymous-access allowlist gated by `endswith()` on a raw HTTP path is vulnerable to suffix spoofing (CVE-2024-10081, CWE-288 / CWE-420): an attacker can craft a URL whose raw path ends with one of the allowlisted tokens (e.g. '/Authentication') while the request is dispatched by the router to a different, privileged endpoint, yielding an authentication bypa
53 downloads (0 direct, 53 via packs)

`torch.load()` is called without `weights_only=True`. By default (in torch < 2.6), `torch.load` uses Python's `pickle` deserializer, which executes arbitrary code embedded in the input file during deserialization. If the loaded file path is attacker-influenced or comes from an untrusted source, this leads to remote code execution (CVE-2024-11392, CWE-502: De
53 downloads (0 direct, 53 via packs)

`pickle.load()` / `pickle.loads()` in a checkpoint-conversion script deserializes a user-supplied path without a `TRUST_REMOTE_CODE` environment-variable opt-in guard. Python's pickle protocol can execute arbitrary code embedded via `__reduce__` during deserialization, so loading an attacker-controlled checkpoint, metadata file, or weight bundle enables remo
53 downloads (0 direct, 53 via packs)

`pickle.load()` is invoked on a checkpoint file inside a HuggingFace Transformers model-conversion script without first verifying the `TRUST_REMOTE_CODE` environment variable. Python pickle deserialization executes arbitrary code embedded in the input via `__reduce__`, so unpickling attacker-controllable checkpoint files (e.g. `model_args.pkl`, `.metadata`)
53 downloads (0 direct, 53 via packs)

Discord command handler interpolates user-controlled `$ARG` into a shell command string and executes it with `subprocess.*(..., shell=True)` without first calling `CommandInjection.sanitizeInput($ARG)`. Any user able to invoke this command can inject shell metacharacters (`;`, `&&`, `|`, backticks, `$()`) and execute arbitrary OS commands on the bot host (CV
53 downloads (0 direct, 53 via packs)

This `post_user` handler accepts a `UserRequest` (which carries a caller-supplied `role`) but takes no `initiator_id` parameter and performs no Root/Admin authorization check on the caller. Any authenticated user can therefore create an account with elevated privileges (e.g. `UserRole::Root`), enabling vertical privilege escalation (CVE-2024-24830). Fix: add
52 downloads (0 direct, 52 via packs)

Untrusted input read from $_SERVER['argv'] is passed to a shell-invoking function without integer casting, intval(), or shell-argument escaping. When PHP's register_argc_argv directive is On (the default in many environments, including the official PHP Docker image), URL query-string tokens populate $_SERVER['argv'] for HTTP-served scripts, so an unauthentic
52 downloads (0 direct, 52 via packs)

The XWiki rendering verbatim block ({{{ ... }}}) wraps feed output that may contain user-controlled data. Because verbatim only escapes wiki parsing, an attacker who can influence the wrapped content (e.g. via a feed title/description filled from a request parameter) can inject a literal "}}}" to terminate the verbatim block early and then have arbitrary mac
57 downloads (0 direct, 57 via packs)

Masa CMS / Mura CMS configBean sets enableDynamicContent, enableMuraTag, or sharableRemoteSessions to true by default. With these flags enabled, the setDynamicContent renderer treats user input containing [m]...[/m] (or [mura]/[sava]) tags as live CFML and passes the inner expression to evaluate(), enabling pre-authentication remote code execution (CVE-2024-
57 downloads (0 direct, 57 via packs)

Authorization decision for included/displayed content is gated by an equality comparison between the included document's content author and the current author (Objects.equals(getContentAuthorReference(), getCurrentAuthorReference())). This pattern only switches the author execution context when authors differ, so any document edited by a user that is include
54 downloads (0 direct, 54 via packs)

execSync/exec is being called with a template literal that contains interpolated expressions. Because exec/execSync run the command through a shell (/bin/sh), any shell metacharacter present in the interpolated value (quotes, backticks, $(), ;, &&, |) will be parsed by the shell and can lead to OS command injection. Use spawnSync/spawn with an argv array ins
62 downloads (0 direct, 62 via packs)

XML Signature Wrapping (CVE-2024-45409): SAML signature validation uses a document-root-relative XPath ("//ds:...") to locate ds:Reference, ds:CanonicalizationMethod, ds:DigestMethod, ds:DigestValue, or ds:Transforms/ds:Transform. Because these queries traverse the entire document instead of the already-authenticated SignedInfo/Reference subtree, an attacker
53 downloads (0 direct, 53 via packs)

Call to StringUtils_createStringFromBufferInBuffer() copies `size` bytes into a fixed-size destination buffer via an unchecked memcpy plus NUL terminator. When `size` is derived from an untrusted source (for example an MMS / BER TLV length field from a peer), this leads to a stack/heap buffer overflow (CVE-2024-45971, CWE-120). Use StringUtils_createStringFr
57 downloads (0 direct, 57 via packs)

Kernel#eval is invoked with a non-literal value pulled from a variable or collection. If the argument is influenced by configuration, plugins, database/cache contents, or any other writable source, this is a Ruby code-injection sink (CWE-95) leading to RCE. Store callbacks as Proc/Lambda objects and invoke them via `.call` (or `&:call`) instead of eval'ing s