Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,515)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-28203 1Govicture 1Rx1800 Firmware Jun 17, 2026 May 9, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Victure RX1800 EN_V1.0.0_r12_110933 was discovered to contain a command injection vulnerability.
CVE-2025-1087 - - Jun 17, 2026 May 9, 2025 9.3 CRITICAL· v4 N/A· v3 N/A· v2 Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input...Show more Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript execution in the context of the application.Show less
CVE-2025-4470 1Senior Walter 1Online Student Clearance System Jun 17, 2026 May 9, 2025 4.8 MEDIUM· v4 5.4 MEDIUM· v3 3.3 LOW· v2 A vulnerability classified as problematic was found in SourceCodester Online Student Clearance System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add-student.php. The manipulation o...Show more A vulnerability classified as problematic was found in SourceCodester Online Student Clearance System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add-student.php. The manipulation of the argument Fullname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.Show less
CVE-2025-4469 1Senior Walter 1Online Student Clearance System Jun 17, 2026 May 9, 2025 4.8 MEDIUM· v4 5.4 MEDIUM· v3 3.3 LOW· v2 A vulnerability classified as problematic has been found in SourceCodester Online Student Clearance System 1.0. Affected is an unknown function of the file /admin/add-admin.php. The manipulation of the argument txtuserna...Show more A vulnerability classified as problematic has been found in SourceCodester Online Student Clearance System 1.0. Affected is an unknown function of the file /admin/add-admin.php. The manipulation of the argument txtusername/txtfullname/txtpassword/txtpassword2 leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4461 1Totolink 1N150rt Firmware Jun 17, 2026 May 9, 2025 4.8 MEDIUM· v4 5.4 MEDIUM· v3 3.3 LOW· v2 A vulnerability classified as problematic was found in TOTOLINK N150RT 3.4.0-B20190525. This vulnerability affects unknown code of the component Virtual Server Page. The manipulation leads to cross site scripting. The at...Show more A vulnerability classified as problematic was found in TOTOLINK N150RT 3.4.0-B20190525. This vulnerability affects unknown code of the component Virtual Server Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4460 1Totolink 1N150rt Firmware Jun 17, 2026 May 9, 2025 4.8 MEDIUM· v4 4.8 MEDIUM· v3 3.3 LOW· v2 A vulnerability classified as problematic has been found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the component URL Filtering Page. The manipulation leads to cross site scripting. It is possibl...Show more A vulnerability classified as problematic has been found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the component URL Filtering Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-26845 1Znuny 1Znuny Jun 17, 2026 May 8, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An Eval Injection issue was discovered in Znuny through 7.1.3. A user with write access to the configuration file can use this to execute a command executed by the user running the backup.pl script.
CVE-2025-4208 1Basixonline 1Nex Forms Jun 17, 2026 May 8, 2025 N/A· v4 6.3 MEDIUM· v3 N/A· v2 The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due...Show more The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).Show less
CVE-2024-13793 1D Themes 1Wolmart Jun 17, 2026 May 8, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 The Wolmart \| Multi-Vendor Marketplace WooCommerce Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.8.11. This is due to the software allowing users to exec...Show more The Wolmart \| Multi-Vendor Marketplace WooCommerce Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.8.11. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2023-7303 - - Jun 17, 2026 May 7, 2025 5.1 MEDIUM· v4 3.5 LOW· v3 4.0 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in q2apro q2apro-on-site-notifications up to 1.4.6. This affects the function process_request of the file q2apro-onsitenotifications-page.php. The manipulat...Show more A vulnerability, which was classified as problematic, was found in q2apro q2apro-on-site-notifications up to 1.4.6. This affects the function process_request of the file q2apro-onsitenotifications-page.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.4.8 is able to address this issue. The patch is named 0ca85ca02f8aceb661e9b71fd229c45d388ea5b5. It is recommended to upgrade the affected component.Show less
CVE-2025-47691 - - Jun 17, 2026 May 7, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member ultimate-member allows Code Injection.This issue affects Ultimate Member: from n/a through <= 2.10.3.
CVE-2025-47481 - - Jun 17, 2026 May 7, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in GS Plugins GS Testimonial Slider gs-testimonial allows Code Injection.This issue affects GS Testimonial Slider: from n/a through <= 3.2.9.
CVE-2025-4326 1Mrcms 1Mrcms Jun 17, 2026 May 6, 2025 4.8 MEDIUM· v4 5.4 MEDIUM· v3 3.3 LOW· v2 A vulnerability was found in MRCMS 3.1.2 and classified as problematic. This issue affects some unknown processing of the file /admin/chip/add.do of the component Add Fragment Page. The manipulation leads to cross site s...Show more A vulnerability was found in MRCMS 3.1.2 and classified as problematic. This issue affects some unknown processing of the file /admin/chip/add.do of the component Add Fragment Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4325 1Mrcms 1Mrcms Jun 17, 2026 May 6, 2025 4.8 MEDIUM· v4 2.4 LOW· v3 3.3 LOW· v2 A vulnerability has been found in MRCMS 3.1.2 and classified as problematic. This vulnerability affects unknown code of the file /admin/category/add.do of the component Category Management Page. The manipulation of the a...Show more A vulnerability has been found in MRCMS 3.1.2 and classified as problematic. This vulnerability affects unknown code of the file /admin/category/add.do of the component Category Management Page. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4324 1Mrcms 1Mrcms Jun 17, 2026 May 6, 2025 4.8 MEDIUM· v4 5.4 MEDIUM· v3 3.3 LOW· v2 A vulnerability, which was classified as problematic, was found in MRCMS 3.1.2. This affects an unknown part of the file /admin/link/edit.do of the component External Link Management Page. The manipulation leads to cross...Show more A vulnerability, which was classified as problematic, was found in MRCMS 3.1.2. This affects an unknown part of the file /admin/link/edit.do of the component External Link Management Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4323 1Mrcms 1Mrcms Jun 17, 2026 May 6, 2025 4.8 MEDIUM· v4 5.4 MEDIUM· v3 3.3 LOW· v2 A vulnerability, which was classified as problematic, has been found in MRCMS 3.1.2. Affected by this issue is some unknown functionality of the component Edit Article Page. The manipulation of the argument Title leads t...Show more A vulnerability, which was classified as problematic, has been found in MRCMS 3.1.2. Affected by this issue is some unknown functionality of the component Edit Article Page. The manipulation of the argument Title leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-2802 - - Jun 17, 2026 May 6, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly valid...Show more The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2025-4293 1Mrcms 1Mrcms Jun 17, 2026 May 5, 2025 4.8 MEDIUM· v4 5.4 MEDIUM· v3 3.3 LOW· v2 A vulnerability was found in MRCMS 3.1.3 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/group/edit.do of the component Group Edit Page. The manipulation leads to cr...Show more A vulnerability was found in MRCMS 3.1.3 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/group/edit.do of the component Group Edit Page. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-4292 1Mrcms 1Mrcms Jun 17, 2026 May 5, 2025 4.8 MEDIUM· v4 5.4 MEDIUM· v3 3.3 LOW· v2 A vulnerability has been found in MRCMS 3.1.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/user/edit.do of the component Edit User Page. The manipulation of...Show more A vulnerability has been found in MRCMS 3.1.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/user/edit.do of the component Edit User Page. The manipulation of the argument Username leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-44071 1Seacms 1Seacms Jun 17, 2026 May 5, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component phomebak.php. This vulnerability allows attackers to execute arbitrary code via a crafted request.

Previous 1...929394...326 Next