Secsys-Fdu

Name of the Vulnerable Software and Affected Versions Deep Thought Industries ACE Scanner PDF Scanner version 1.4.5 Description A flaw exists in Deep Thought Industries ACE Scanner PDF Scanner version 1.4.5 that permits overwriting critical internal files through the file import process. Successful exploitation could lead to arbitrary code execution or information disclosure. Recommendations Update to a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Docudepot PDF Reader: PDF Viewer APP version 1.0.34 Description A flaw exists in Docudepot PDF Reader: PDF Viewer APP version 1.0.34 that allows attackers to overwrite critical internal files through the file import process. Successful exploitation of this issue could lead to arbitrary code execution or information exposure. Recommendations Update Docudepot PDF Reader: PDF Viewer APP to a newer version that addresses this issue. As a temporary workaround, avoid importing untrusted files.

Name of the Vulnerable Software and Affected Versions Ora Tools PDF Reader versions 4.3.5 Description A flaw exists in Ora Tools PDF Reader that allows overwriting critical internal files through the file import process. This could lead to arbitrary code execution or information disclosure. Recommendations Update to a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Tinybeans Private Family Album App version 5.9.5-prod Description A file overwrite issue exists in Tinybeans Private Family Album App version 5.9.5-prod. Attackers can overwrite critical internal files through the file import process, potentially leading to arbitrary code execution or information disclosure. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DSAI-Cline (affected versions not specified) **Description** The command auto-approval module in DSAI-Cline has a critical OS command injection issue that bypasses its whitelist security. The system uses string-based parsing for command validation, blocking operators like ;, &&, ||, |, and command substitution, but it does not handle newline characters within the input. An attacker can embed a newline character between a permitted command and malicious code (for example, `git log malicious command`). DSAI-Cline incorrectly identifies this as a safe operation and automatically approves it. The PowerShell interpreter then executes both commands sequentially, leading to Remote Code Execution without user interaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ridvay Code (affected versions not specified) **Description** The command auto-approval module contains a critical OS command injection issue that bypasses its whitelist security mechanism. The system uses regular expressions to parse commands, but these expressions are insufficient to prevent exploitation through Shell command substitution using `$(...)` and backticks (`...`). An attacker can inject malicious code within arguments, such as in a `git log --grep="$(malicious command)"` command, which the system incorrectly identifies as safe. This allows for Remote Code Execution without user interaction. The `git log` API endpoint is vulnerable, specifically with the `grep` parameter. The vulnerable variable is `malicious command`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions DeftPDF Document Translator version 54.0 Description A flaw exists in DeftPDF Document Translator v54.0 that allows attackers to overwrite critical internal files through the file import process. This can lead to arbitrary code execution or information exposure. The vulnerability requires no authentication and can be exploited remotely. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions MaruNuri LLC version 2.0.23 Description A flaw exists in MaruNuri LLC version 2.0.23 that allows overwriting critical internal files through the file import process. This can lead to arbitrary code execution or information exposure. The issue does not require authentication. Recommendations Update to a newer version that contains a fix for this vulnerability.

An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

**Name of the Vulnerable Software and Affected Versions** Sixth (affected versions not specified) **Description** The software features automatic terminal command execution with two modes: 'Execute safe commands' and 'Execute all commands'. The 'Execute safe commands' mode is designed to automatically run commands deemed safe by the model, requiring user approval for potentially destructive commands. However, this design is prone to prompt injection attacks. An attacker can use a template to disguise malicious commands as 'safe' commands, bypassing the approval requirement and enabling arbitrary command execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** InfCode (affected versions not specified) **Description** The terminal auto-execution module in InfCode has a critical command filtering issue that makes its blacklist ineffective. The blacklist does not include native high-risk commands in Windows PowerShell, such as `powershell`. The matching algorithm cannot recognize string concatenation, variable assignment, or double-quote interpolation in Shell syntax, preventing dynamic semantic parsing. Attackers can bypass interception using simple syntax obfuscation. A malicious file containing instructions for remote code injection can be created. When a user imports and views this file in the IDE, the Agent executes dangerous PowerShell commands outside the blacklist without user confirmation, potentially leading to arbitrary command execution or sensitive data leakage. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ridvay Code (affected versions not specified) **Description** The command auto-approval module in Ridvay Code has a critical OS command injection issue that bypasses its whitelist security. The system uses weak regular expressions to analyze commands, failing to prevent Shell command substitution using `$(...)` and backticks (`...`). An attacker can inject malicious code into commands, such as `git log --grep="$(malicious command)"`, which the system incorrectly identifies as safe, leading to Remote Code Execution without user interaction. The `whitelist` security mechanism is ineffective. The vulnerable component relies on fragile regular expressions to parse command structures. The underlying Shell prioritizes the execution of the malicious code injected within the arguments. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

An arbitrary file overwrite vulnerability in PEAKSEL D.O.O. NIS Animal Sounds and Ringtones v1.3.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

An arbitrary file overwrite vulnerability in Funambol, Inc. Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

An arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos v1.0.135 allows attackers to overwrite critical internal files via the file import process, leading to arbtrary code execution or information exposure.

An arbitrary file overwrite vulnerability in Zora: Post, Trade, Earn Crypto v2.60.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

An arbitrary file overwrite vulnerability in InTouch Contacts & Caller ID APP v6.38.1 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

An arbitrary file overwrite vulnerability in PDF Reader App : TA/UTAX Mobile Print v3.7.2.251001 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

An arbitrary file overwrite vulnerability in Squareapps LLC My Location Travel Timeline v11.80 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

**Name of the Vulnerable Software and Affected Versions** Roo Code (affected versions not specified) **Description** The command auto-approval module in Roo Code has a critical operating system command injection flaw that bypasses its whitelist security. The system uses weak regular expressions to analyze commands and fails to account for Shell command substitution using `$(...)` and backticks. An attacker can inject malicious code into commands, such as `git log --grep="$(malicious command)"`, which the system incorrectly identifies as safe, leading to automatic approval and Remote Code Execution without user interaction. The underlying Shell prioritizes the execution of the injected malicious code within the arguments. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.