From DHS/US-CERT's National Vulnerability Database
PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=state product_id parameter.
PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter.
Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.
In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.
In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.