Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,536)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-9595 1Itsourcecode 1Student Information Management System Jun 17, 2026 Aug 29, 2025 2.1 LOW· v4 6.1 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was found in code-projects Student Information Management System 1.0. The impacted element is an unknown function of the file /login.php. The manipulation of the argument uname results in cross site scrip...Show more A vulnerability was found in code-projects Student Information Management System 1.0. The impacted element is an unknown function of the file /login.php. The manipulation of the argument uname results in cross site scripting. The attack may be performed from a remote location. The exploit has been made public and could be used.Show less
CVE-2025-9591 - - Jun 17, 2026 Aug 28, 2025 1.9 LOW· v4 2.4 LOW· v3 3.3 LOW· v2 A security vulnerability has been detected in ZrLog up to 3.1.5. This vulnerability affects unknown code of the file /api/admin/template/config of the component Theme Configuration Form. Such manipulation of the argument...Show more A security vulnerability has been detected in ZrLog up to 3.1.5. This vulnerability affects unknown code of the file /api/admin/template/config of the component Theme Configuration Form. Such manipulation of the argument footerLink leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-9590 - - Jun 17, 2026 Aug 28, 2025 2.0 LOW· v4 3.5 LOW· v3 4.0 MEDIUM· v2 A vulnerability was identified in Weaver E-Mobile Mobile Management Platform up to 20250813. Affected by this vulnerability is an unknown functionality. The manipulation of the argument gohome leads to cross site scripti...Show more A vulnerability was identified in Weaver E-Mobile Mobile Management Platform up to 20250813. Affected by this vulnerability is an unknown functionality. The manipulation of the argument gohome leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-48908 - - Jun 17, 2026 Aug 28, 2025 6.9 MEDIUM· v4 N/A· v3 N/A· v2 lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite acti...Show more lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2.Show less
CVE-2025-54731 - - Jun 17, 2026 Aug 28, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Object Injection.This issue affects YouTube Showcase: from n/a through <= 3.5.1.
CVE-2025-48100 - - Jun 17, 2026 Aug 28, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Remote Code Inclusion.This issue affects bidorbuy Store Integrator: from n/a...Show more Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Remote Code Inclusion.This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0.Show less
CVE-2025-5101 1Gitlab 1Gitlab Jun 17, 2026 Aug 27, 2025 N/A· v4 5.0 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malic...Show more An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.Show less
CVE-2024-37777 1Zoneland 1O2oa Jun 17, 2026 Aug 27, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 O2OA v9.0.3 was discovered to contain a remote code execution (RCE) vulnerability via the mainOutput() function.
CVE-2025-34159 1Coollabs 1Coolify Jun 17, 2026 Aug 27, 2025 9.4 CRITICAL· v4 8.8 HIGH· v3 N/A· v2 Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to in...Show more Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server.Show less
CVE-2025-52122 1Solspace 1Freeform Jun 17, 2026 Aug 27, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission...Show more Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title).Show less
CVE-2025-30057 - - Jun 17, 2026 Aug 27, 2025 9.4 CRITICAL· v4 N/A· v3 N/A· v2 In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function.
CVE-2025-30056 - - Jun 17, 2026 Aug 27, 2025 9.4 CRITICAL· v4 N/A· v3 N/A· v2 The RunCommand function accepts any parameter, which is then passed for execution in the shell. This allows an attacker to execute arbitrary code on the system.
CVE-2025-30055 - - Jun 17, 2026 Aug 27, 2025 9.0 CRITICAL· v4 N/A· v3 N/A· v2 The "system" function receives untrusted input from the user. If the "EnableJSCaching" option is enabled, it is possible to execute arbitrary code provided as the "Module" parameter.
CVE-2025-2313 - - Jun 17, 2026 Aug 27, 2025 9.4 CRITICAL· v4 N/A· v3 N/A· v2 In the Print.pl service, the "uhcPrintServerPrint" function allows execution of arbitrary code via the "CopyCounter" parameter.
CVE-2025-23315 1Nvidia 1Nemo Jun 17, 2026 Aug 26, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 NVIDIA NeMo Framework for all platforms contains a vulnerability in the export and deploy component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerabil...Show more NVIDIA NeMo Framework for all platforms contains a vulnerability in the export and deploy component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.Show less
CVE-2025-23314 1Nvidia 1Nemo Jun 17, 2026 Aug 26, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead...Show more NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.Show less
CVE-2025-23313 1Nvidia 1Nemo Jun 17, 2026 Aug 26, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead...Show more NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.Show less
CVE-2025-23312 1Nvidia 1Nemo Jun 17, 2026 Aug 26, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 NVIDIA NeMo Framework for all platforms contains a vulnerability in the retrieval services component, where malicious data created by an attacker could cause a code injection. A successful exploit of this vulnerability m...Show more NVIDIA NeMo Framework for all platforms contains a vulnerability in the retrieval services component, where malicious data created by an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.Show less
CVE-2025-23307 1Nvidia 1Nemo Curator Jun 17, 2026 Aug 26, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. A successful exploit of this vulnerability might lead to code execution, escalation...Show more NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.Show less
CVE-2025-52218 1Selectzero 1Selectzero Jun 17, 2026 Aug 26, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 SelectZero Data Observability Platform before 2025.5.2 is vulnerable to Content Spoofing / Text Injection. Improper sanitization of unspecified parameters allows attackers to inject arbitrary text or limited HTML into th...Show more SelectZero Data Observability Platform before 2025.5.2 is vulnerable to Content Spoofing / Text Injection. Improper sanitization of unspecified parameters allows attackers to inject arbitrary text or limited HTML into the login page.Show less

Previous 1...707172...327 Next