Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,514)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-1548 1Iteachyou 1Dreamer Cms Jun 17, 2026 Feb 21, 2025 5.1 MEDIUM· v4 4.6 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in iteachyou Dreamer CMS 4.1.3. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/archives/edit. The manipulation of the argument editorValue/answer...Show more A vulnerability was found in iteachyou Dreamer CMS 4.1.3. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/archives/edit. The manipulation of the argument editorValue/answer/content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-13900 1Satollo 1Head, Footer, And Post Injections Jun 17, 2026 Feb 21, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level acce...Show more The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments.Show less
CVE-2025-25675 1Tenda 1Ac10 Firmware Jun 17, 2026 Feb 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Tenda AC10 V1.0 V15.03.06.23 has a command injection vulnerablility located in the formexeCommand function. The str variable receives the cmdinput parameter from a POST request and is later assigned to the cmd_buf variab...Show more Tenda AC10 V1.0 V15.03.06.23 has a command injection vulnerablility located in the formexeCommand function. The str variable receives the cmdinput parameter from a POST request and is later assigned to the cmd_buf variable, which is directly used in the doSystemCmd function, causing an arbitrary command execution.Show less
CVE-2024-54756 - - Jun 17, 2026 Feb 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A remote code execution (RCE) vulnerability in the ZScript function of ZDoom Team GZDoom v4.13.1 allows attackers to execute arbitrary code via supplying a crafted PK3 file containing a malicious ZScript source file.
CVE-2025-24893 1Xwiki 1Xwiki Jun 17, 2026 Feb 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confident...Show more XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.Show less
CVE-2025-0161 1Ibm 1Security Verify Access Jun 17, 2026 Feb 20, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 IBM Security Verify Access Appliance 10.0.0.0 through 10.0.0.9 and 11.0.0.0 could allow a local user to execute arbitrary code due to improper restrictions on code generation.
CVE-2023-51331 1Phpjabbers 1Cleaning Business Software Jun 17, 2026 Feb 20, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 PHPJabbers Cleaning Business Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section...Show more PHPJabbers Cleaning Business Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.Show less
CVE-2023-51324 1Phpjabbers 1Shared Asset Booking System Jun 17, 2026 Feb 20, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 PHPJabbers Shared Asset Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section...Show more PHPJabbers Shared Asset Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.Show less
CVE-2023-51320 1Phpjabbers 1Night Club Booking Software Jun 17, 2026 Feb 20, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 PHPJabbers Night Club Booking Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section...Show more PHPJabbers Night Club Booking Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.Show less
CVE-2023-51317 1Phpjabbers 1Restaurant Booking System Jun 17, 2026 Feb 20, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 PHPJabbers Restaurant Booking System v3.0 is vulnerable to Multiple HTML Injection in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key, title" parameters.
CVE-2024-57401 - - Jun 17, 2026 Feb 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SQL Injection vulnerability in Uniclare Student portal v.2 and before allows a remote attacker to execute arbitrary code via the Forgot Password function.
CVE-2023-51313 1Phpjabbers 1Restaurant Booking System Jun 17, 2026 Feb 20, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 PHPJabbers Restaurant Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section L...Show more PHPJabbers Restaurant Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.Show less
CVE-2024-13792 1Exthemes 1Woocommerce Food Jun 17, 2026 Feb 20, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.2. This is due to the software allowing users to execut...Show more The WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2025-27218 - - Jun 17, 2026 Feb 20, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.
CVE-2025-25944 1Axiosys 1Bento4 Jun 17, 2026 Feb 19, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 Buffer Overflow vulnerability in Bento4 v.1.6.0-641 allows a local attacker to execute arbitrary code via the Ap4RtpAtom.cpp, specifically in AP4_RtpAtom::AP4_RtpAtom, during the execution of mp4fragment with a crafted M...Show more Buffer Overflow vulnerability in Bento4 v.1.6.0-641 allows a local attacker to execute arbitrary code via the Ap4RtpAtom.cpp, specifically in AP4_RtpAtom::AP4_RtpAtom, during the execution of mp4fragment with a crafted MP4 input file.Show less
CVE-2025-25943 1Axiosys 1Bento4 Jun 17, 2026 Feb 19, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Buffer Overflow vulnerability in Bento4 v.1.6.0-641 allows a local attacker to execute arbitrary code via the AP4_Stz2Atom::AP4_Stz2Atom component located in Ap4Stz2Atom.cpp.
CVE-2025-1465 1Lmxcms 1Lmxcms Jun 17, 2026 Feb 19, 2025 2.1 LOW· v4 6.6 MEDIUM· v3 4.3 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in lmxcms 1.41. Affected is an unknown function of the file db.inc.php of the component Maintenance. The manipulation leads to code injection. It is possibl...Show more A vulnerability, which was classified as problematic, was found in lmxcms 1.41. Affected is an unknown function of the file db.inc.php of the component Maintenance. The manipulation leads to code injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-25467 - - Jun 17, 2026 Feb 18, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file.
CVE-2024-13689 - - Jun 17, 2026 Feb 18, 2025 N/A· v4 6.3 MEDIUM· v3 N/A· v2 The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly va...Show more The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.Show less
CVE-2024-13797 1Presslayouts 1Pressmart Jun 17, 2026 Feb 18, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to...Show more The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less

Previous 1...108109110...326 Next