Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,511)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-0557 - - Jun 17, 2026 Jan 18, 2025 6.9 MEDIUM· v4 4.3 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability classified as problematic has been found in Hyland Alfresco Community Edition and Alfresco Enterprise Edition up to 6.2.2. This affects an unknown part of the file /share/s/ of the component URL Handler....Show more A vulnerability classified as problematic has been found in Hyland Alfresco Community Edition and Alfresco Enterprise Edition up to 6.2.2. This affects an unknown part of the file /share/s/ of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0 is able to address this issue. It is recommended to upgrade the affected component.Show less
CVE-2025-23209 1Craftcms 1Craft Cms Jun 17, 2026 Jan 18, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has a...Show more Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.Show less
CVE-2025-0538 1Fabian 1Tourism Management System Jun 17, 2026 Jan 17, 2025 5.3 MEDIUM· v4 4.8 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in code-projects Tourism Management System 1.0. Affected is an unknown function of the file /admin/manage-pages.php. The manipulation of the argument pgedet...Show more A vulnerability, which was classified as problematic, was found in code-projects Tourism Management System 1.0. Affected is an unknown function of the file /admin/manage-pages.php. The manipulation of the argument pgedetails leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-0537 1Fabian 1Online Car Rental System Jun 17, 2026 Jan 17, 2025 5.1 MEDIUM· v4 4.8 MEDIUM· v3 3.3 LOW· v2 A vulnerability, which was classified as problematic, has been found in code-projects Car Rental Management System 1.0. This issue affects some unknown processing of the file /admin/manage-pages.php. The manipulation of...Show more A vulnerability, which was classified as problematic, has been found in code-projects Car Rental Management System 1.0. This issue affects some unknown processing of the file /admin/manage-pages.php. The manipulation of the argument pgdetails leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-0530 1Anisha 1Job Recruitment Jun 17, 2026 Jan 17, 2025 5.3 MEDIUM· v4 8.2 HIGH· v3 4.0 MEDIUM· v2 A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. This vulnerability affects unknown code of the file /_parse/_feedback_system.php. The manipulation of the argument type l...Show more A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. This vulnerability affects unknown code of the file /_parse/_feedback_system.php. The manipulation of the argument type leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-22906 1Edimax 1Re11s Firmware Jun 17, 2026 Jan 16, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 RE11S v1.11 was discovered to contain a command injection vulnerability via the L2TPUserName parameter at /goform/setWAN.
CVE-2025-22905 1Edimax 1Re11s Firmware Jun 17, 2026 Jan 16, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter at /goform/mp.
CVE-2024-10970 1Stylemixthemes 1Motors Car Dealer, Classifieds & Listing Jun 17, 2026 Jan 16, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute a...Show more The The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.Show less
CVE-2025-0485 1Fanli2012 1Native Php Cms Jun 17, 2026 Jan 15, 2025 5.3 MEDIUM· v4 6.1 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in Fanli2012 native-php-cms 1.0. It has been classified as problematic. Affected is an unknown function of the file /fladmin/sysconfig_doedit.php. The manipulation of the argument info leads to...Show more A vulnerability was found in Fanli2012 native-php-cms 1.0. It has been classified as problematic. Affected is an unknown function of the file /fladmin/sysconfig_doedit.php. The manipulation of the argument info leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-0483 1Native Php Cms Project 1Native Php Cms Jun 17, 2026 Jan 15, 2025 5.3 MEDIUM· v4 4.6 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability has been found in Fanli2012 native-php-cms 1.0 and classified as problematic. This vulnerability affects unknown code of the file /fladmin/jump.php. The manipulation of the argument message/error leads to...Show more A vulnerability has been found in Fanli2012 native-php-cms 1.0 and classified as problematic. This vulnerability affects unknown code of the file /fladmin/jump.php. The manipulation of the argument message/error leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-27856 1Apple 7Ipados Iphone OsMacos+4 more Jun 17, 2026 Jan 15, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 The issue was addressed with improved checks. This issue is fixed in Safari 17.5, iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, visionOS 1.2, watchOS 10.5. Processing a file may le...Show more The issue was addressed with improved checks. This issue is fixed in Safari 17.5, iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, visionOS 1.2, watchOS 10.5. Processing a file may lead to unexpected app termination or arbitrary code execution.Show less
CVE-2025-22968 1Dlink 1Dwr M972v Firmware Jun 17, 2026 Jan 15, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using root account without restrictions
CVE-2025-23061 1Mongoosejs 1Mongoose Jun 17, 2026 Jan 15, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
CVE-2024-42911 - - Jun 17, 2026 Jan 14, 2025 N/A· v4 7.4 HIGH· v3 N/A· v2 ECOVACS Robotics Deebot T20 OMNI and T20e OMNI before 1.24.0 was discovered to contain a WiFi Remote Code Execution vulnerability.
CVE-2024-49375 - - Jun 17, 2026 Jan 14, 2025 N/A· v4 9.0 CRITICAL· v3 N/A· v2 Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Ex...Show more Open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API must be enabled on the Rasa instance eg with `--enable-api`. This is not the default configuration. 2. For unauthenticated RCE to be exploitable, the user must not have configured any authentication or other security controls recommended in our documentation. 3. For authenticated RCE, the attacker must posses a valid authentication token or JWT to interact with the Rasa API. This issue has been addressed in rasa version 3.6.21 and all users are advised to upgrade. Users unable to upgrade should ensure that they require authentication and that only trusted users are given access.Show less
CVE-2025-23051 - - Jun 17, 2026 Jan 14, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 An authenticated parameter injection vulnerability exists in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated user to leverage parameter i...Show more An authenticated parameter injection vulnerability exists in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated user to leverage parameter injection to overwrite arbitrary system files.Show less
CVE-2025-21292 1Microsoft 10Windows 10 1809 Windows 10 21h2Windows 10 22h2+7 more Jun 17, 2026 Jan 14, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Windows Search Service Elevation of Privilege Vulnerability
CVE-2025-21187 1Microsoft 1Power Automate For Desktop Jun 17, 2026 Jan 14, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 Microsoft Power Automate Remote Code Execution Vulnerability
CVE-2025-0464 1Oretnom23 1Task Reminder System Jun 17, 2026 Jan 14, 2025 5.1 MEDIUM· v4 4.8 MEDIUM· v3 3.3 LOW· v2 A vulnerability was found in SourceCodester Task Reminder System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Maintenance Section. The manipulation...Show more A vulnerability was found in SourceCodester Task Reminder System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Maintenance Section. The manipulation of the argument System Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-53561 - - Jun 17, 2026 Jan 14, 2025 N/A· v4 8.7 HIGH· v3 N/A· v2 A remote code execution (RCE) vulnerability in Arcadyan Meteor 2 CPE FG360 Firmware ETV2.10 allows attackers to execute arbitrary code via a crafted request.

Previous 1...113114115...326 Next