Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,505)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-11078 1Anisha 1Job Recruitment Jun 17, 2026 Nov 11, 2024 5.3 MEDIUM· v4 5.4 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /register.php. The manipulation of the argument e/...Show more A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /register.php. The manipulation of the argument e/role leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-11070 1Publiccms 1Publiccms Jun 17, 2026 Nov 11, 2024 5.3 MEDIUM· v4 5.4 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS 5.202406.d. This issue affects some unknown processing of the file /admin/cmsTagType/save of the component Tag Type Handler. The m...Show more A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS 5.202406.d. This issue affects some unknown processing of the file /admin/cmsTagType/save of the component Tag Type Handler. The manipulation of the argument name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-10958 1Wppa 1Wp Photo Album Plus Jun 17, 2026 Nov 10, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . This is due to the softwar...Show more The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-11050 1Amttgroup 1Hibos Jun 17, 2026 Nov 10, 2024 5.3 MEDIUM· v4 5.4 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in AMTT Hotel Broadband Operation System up to 3.0.3.151204 and classified as problematic. This issue affects some unknown processing of the file /language.php. The manipulation of the argument...Show more A vulnerability was found in AMTT Hotel Broadband Operation System up to 3.0.3.151204 and classified as problematic. This issue affects some unknown processing of the file /language.php. The manipulation of the argument LangID/LangName/LangEName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-10640 - - Jun 17, 2026 Nov 9, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users t...Show more The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-10261 1Cozmoslabs 1Membership & Content Restriction Paid Member Subscriptions Jun 17, 2026 Nov 9, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. T...Show more The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-50808 1Seacms 1Seacms Jun 17, 2026 Nov 8, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 SeaCms 13.1 is vulnerable to code injection in the notification module of the member message notification module in the backend user module, due to unsafe handling of the "notify" variable in admin_notify.php.
CVE-2024-46961 - - Jun 17, 2026 Nov 7, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The Inshot com.downloader.privatebrowser (aka Video Downloader - XDownloader) application through 1.3.5 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.privatebrowser.activity.P...Show more The Inshot com.downloader.privatebrowser (aka Video Downloader - XDownloader) application through 1.3.5 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.privatebrowser.activity.PrivateMainActivity component.Show less
CVE-2024-46960 - - Jun 17, 2026 Nov 7, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The ASD com.rocks.video.downloader (aka HD Video Downloader All Format) application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivi...Show more The ASD com.rocks.video.downloader (aka HD Video Downloader All Format) application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component.Show less
CVE-2024-43425 1Moodle 1Moodle Jun 17, 2026 Nov 7, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.
CVE-2024-51757 - - Jun 17, 2026 Nov 6, 2024 9.3 CRITICAL· v4 N/A· v3 N/A· v2 happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user co...Show more happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.Show less
CVE-2024-10263 1Tickera 1Tickera Jun 17, 2026 Nov 5, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. This is due to the software allowing users to execute an action t...Show more The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-48061 1Langflow 1Langflow Jun 17, 2026 Nov 4, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox.
CVE-2024-48050 1Modelscope 1Agentscope Jun 17, 2026 Nov 4, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can directly execute user...Show more In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can directly execute user-provided commands.Show less
CVE-2024-51329 1Idrsdev 1Agile Board Jun 17, 2026 Nov 4, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 A Host header injection vulnerability in Agile-Board 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link.
CVE-2024-10035 1Bg Tek 1Coslat Jun 17, 2026 Nov 4, 2024 9.2 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Comma...Show more Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security Technologies CoslatV3 allows Command Injection, Privilege Escalation. This issue affects CoslatV3: through 3.1069. NOTE: The vendor was contacted and it was learned that the product is not supported.Show less
CVE-2024-10761 1Umbraco 1Umbraco Cms Jun 17, 2026 Nov 4, 2024 6.9 MEDIUM· v4 5.4 MEDIUM· v3 5.0 MEDIUM· v2 A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard...Show more A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.8.8, 13.5.3, 14.3.2 and 15.1.2 is able to address this issue. It is recommended to upgrade the affected component.Show less
CVE-2024-48359 1Qualitor 1Qualitor Jun 17, 2026 Oct 31, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Qualitor v8.24 was discovered to contain a remote code execution (RCE) vulnerability via the gridValoresPopHidden parameter.
CVE-2024-21537 - - Jun 17, 2026 Oct 31, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by pass...Show more Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function.Show less
CVE-2024-51427 - - Jun 17, 2026 Oct 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is disputed by third parties because the impac...Show more An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is disputed by third parties because the impact is limited to function calls.Show less

Previous 1...126127128...326 Next