CVEs

CVE-2026-34977 / CVSS 9.8 / Apr 2026
Aperi'Solve Unauthenticated RCE via Password Field
Aperi'Solve is an open-source steganography analysis platform. Prior to v3.2.1, the optional password field on JPEG uploads was passed into a bash command without sanitization, giving unauthenticated root RCE in the worker container.
CVE-2026-44666 / CVSS 9.3 / May 2026
HRConvert2 Unauthenticated RCE via Incomplete Character Blacklist on Filenames
HRConvert2 is an open-source file conversion tool. Prior to v3.4, the character blacklist on filenames was missing the backtick character (`), tab character (\t), and newline character (\n). User input from filenames was passed into command line tools for file conversion, allowing both immediate command execution and upload of PHP webshells.