Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,515)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-27998 - - Jun 17, 2026 May 21, 2025 N/A· v4 8.4 HIGH· v3 N/A· v2 An issue in Valvesoftware Steam Client Steam Client 1738026274 allows attackers to escalate privileges via a crafted executable or DLL.
CVE-2025-5013 1Hkcms 1Hkcms Jun 17, 2026 May 21, 2025 5.3 MEDIUM· v4 4.7 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in HkCms up to 2.3.2.240702. This affects an unknown part of the file /index.php/search/index.html of the component Search. The manipulation of the argument...Show more A vulnerability, which was classified as problematic, was found in HkCms up to 2.3.2.240702. This affects an unknown part of the file /index.php/search/index.html of the component Search. The manipulation of the argument keyword leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-5011 1Moonlightl 1Hexo Boot Jun 17, 2026 May 21, 2025 4.8 MEDIUM· v4 4.7 MEDIUM· v3 3.3 LOW· v2 A vulnerability classified as problematic was found in moonlightL hexo-boot 4.3.0. This vulnerability affects unknown code of the file /admin/home/index.html of the component Dynamic List Page. The manipulation leads to...Show more A vulnerability classified as problematic was found in moonlightL hexo-boot 4.3.0. This vulnerability affects unknown code of the file /admin/home/index.html of the component Dynamic List Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-5010 1Moonlightl 1Hexo Boot Jun 17, 2026 May 21, 2025 4.8 MEDIUM· v4 4.7 MEDIUM· v3 3.3 LOW· v2 A vulnerability classified as problematic has been found in moonlightL hexo-boot 4.3.0. This affects an unknown part of the file /admin/home/index.html of the component Blog Backend. The manipulation of the argument Desc...Show more A vulnerability classified as problematic has been found in moonlightL hexo-boot 4.3.0. This affects an unknown part of the file /admin/home/index.html of the component Blog Backend. The manipulation of the argument Description leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-5007 - - Jun 17, 2026 May 20, 2025 5.1 MEDIUM· v4 3.5 LOW· v3 4.0 MEDIUM· v2 A vulnerability was found in Part-DB up to 1.17.0. It has been declared as problematic. Affected by this vulnerability is the function handleUpload of the file src/Services/Attachments/AttachmentSubmitHandler.php of the...Show more A vulnerability was found in Part-DB up to 1.17.0. It has been declared as problematic. Affected by this vulnerability is the function handleUpload of the file src/Services/Attachments/AttachmentSubmitHandler.php of the component Profile Picture Feature. The manipulation of the argument attachment leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.17.1 is able to address this issue. The identifier of the patch is 2c4f44e808500db19c391159b30cb6142896d415. It is recommended to upgrade the affected component.Show less
CVE-2025-44881 1Wavlink 1Wl Wn579a3 Firmware Jun 17, 2026 May 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A command injection vulnerability in the component /cgi-bin/qos.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input.
CVE-2025-4996 - - Jun 17, 2026 May 20, 2025 4.8 MEDIUM· v4 2.4 LOW· v3 3.3 LOW· v2 A vulnerability, which was classified as problematic, has been found in Intelbras RF 301K 1.1.5. This issue affects some unknown processing of the component Add Static IP. The manipulation of the argument Description lea...Show more A vulnerability, which was classified as problematic, has been found in Intelbras RF 301K 1.1.5. This issue affects some unknown processing of the component Add Static IP. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.Show less
CVE-2025-46725 1Langroid 1Langroid Jun 17, 2026 May 20, 2025 8.1 HIGH· v4 9.8 CRITICAL· v3 N/A· v2 Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be abl...Show more Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent run malicious commands through `QueryPlan.dataframe_calc]`) compromising the host system. Langroid 0.53.15 sanitizes input to the affected function by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.Show less
CVE-2025-46724 1Langroid 1Langroid Jun 17, 2026 May 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `TableChatAgent` uses `pandas eval()`. If fed by untrusted user input, like the case of a public-facing L...Show more Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `TableChatAgent` uses `pandas eval()`. If fed by untrusted user input, like the case of a public-facing LLM application, it may be vulnerable to code injection. Langroid 0.53.15 sanitizes input to `TableChatAgent` by default to tackle the most common attack vectors, and added several warnings about the risky behavior in the project documentation.Show less
CVE-2025-4939 1Phpgurukul 1Credit Card Application Management System Jun 17, 2026 May 19, 2025 5.3 MEDIUM· v4 6.1 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability classified as problematic was found in PHPGurukul Credit Card Application Management System 1.0. This vulnerability affects unknown code of the file /admin/new-ccapplication.php. The manipulation leads to...Show more A vulnerability classified as problematic was found in PHPGurukul Credit Card Application Management System 1.0. This vulnerability affects unknown code of the file /admin/new-ccapplication.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-26621 1Citeum 1Opencti Jun 17, 2026 May 19, 2025 N/A· v4 6.8 MEDIUM· v3 N/A· v2 OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability manage customizations can edit webhook that will execute javascrip...Show more OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability manage customizations can edit webhook that will execute javascript code. This can be abused to cause a denial of service attack by prototype pollution, making the node js server running the OpenCTI frontend become unavailable. Version 6.5.2 fixes the issue.Show less
CVE-2025-4866 1Weibo 1Rill Flow Jun 17, 2026 May 18, 2025 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was found in weibocom rill-flow 0.1.18. It has been classified as critical. Affected is an unknown function of the component Management Console. The manipulation leads to code injection. It is possible to...Show more A vulnerability was found in weibocom rill-flow 0.1.18. It has been classified as critical. Affected is an unknown function of the component Management Console. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4862 1Phpgurukul 1Directory Management System Jun 17, 2026 May 18, 2025 5.3 MEDIUM· v4 6.1 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability, which was classified as problematic, has been found in PHPGurukul Directory Management System 2.0. Affected by this issue is some unknown functionality of the file /searchdata.php. The manipulation of th...Show more A vulnerability, which was classified as problematic, has been found in PHPGurukul Directory Management System 2.0. Affected by this issue is some unknown functionality of the file /searchdata.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4860 1Dlink 1Dap 2695 Firmware Jun 17, 2026 May 18, 2025 4.8 MEDIUM· v4 4.8 MEDIUM· v3 3.3 LOW· v2 A vulnerability classified as problematic has been found in D-Link DAP-2695 120b36r137_ALL_en_20210528. Affected is an unknown function of the file /adv_dhcps.php of the component Static Pool Settings Page. The manipulat...Show more A vulnerability classified as problematic has been found in D-Link DAP-2695 120b36r137_ALL_en_20210528. Affected is an unknown function of the file /adv_dhcps.php of the component Static Pool Settings Page. The manipulation of the argument f_mac leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2025-4859 1Dlink 1Dap 2695 Firmware Jun 17, 2026 May 18, 2025 4.8 MEDIUM· v4 4.8 MEDIUM· v3 3.3 LOW· v2 A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been rated as problematic. This issue affects some unknown processing of the file /adv_macbypass.php of the component MAC Bypass Settings Pa...Show more A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been rated as problematic. This issue affects some unknown processing of the file /adv_macbypass.php of the component MAC Bypass Settings Page. The manipulation of the argument f_mac leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2025-4858 1Dlink 1Dap 2695 Firmware Jun 17, 2026 May 18, 2025 4.8 MEDIUM· v4 4.8 MEDIUM· v3 3.3 LOW· v2 A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been declared as problematic. This vulnerability affects unknown code of the file /adv_arpspoofing.php of the component ARP Spoofing Prevent...Show more A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been declared as problematic. This vulnerability affects unknown code of the file /adv_arpspoofing.php of the component ARP Spoofing Prevention Page. The manipulation of the argument harp_mac leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2025-4852 1Totolink 1A3002r Firmware Jun 17, 2026 May 18, 2025 4.8 MEDIUM· v4 3.4 LOW· v3 3.3 LOW· v2 A vulnerability, which was classified as problematic, has been found in TOTOLINK A3002R 2.1.1-B20230720.1011. This issue affects some unknown processing of the component VPN Page. The manipulation of the argument Comment...Show more A vulnerability, which was classified as problematic, has been found in TOTOLINK A3002R 2.1.1-B20230720.1011. This issue affects some unknown processing of the component VPN Page. The manipulation of the argument Comment leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-48120 - - Jun 17, 2026 May 16, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Code Injection.This issue affects MapSVG: from n/a through <= 8.6.9.
CVE-2025-48119 - - Jun 17, 2026 May 16, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in RS WP THEMES RS WP Book Showcase rs-wp-books-showcase allows Code Injection.This issue affects RS WP Book Showcase: from n/a through <= 6.7.59.
CVE-2025-47562 - - Jun 17, 2026 May 16, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg allows Code Injection.This issue affects MapSVG: from n/a through <= 8.5.34.

Previous 1...909192...326 Next