Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,504)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-51243 1Eladmin 1Eladmin Jun 17, 2026 Oct 30, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 The eladmin v2.7 and before contains a remote code execution (RCE) vulnerability that can control all application deployment servers of this management system via DeployController.java.
CVE-2024-42041 - - Jun 17, 2026 Oct 30, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.Def...Show more The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity component.Show less
CVE-2024-51298 1Draytek 1Vigor3900 Firmware Jun 17, 2026 Oct 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function.
CVE-2024-9846 1Aftabhusain 1Enable Shortcodes Inside Widgets,comments And Experts Jun 17, 2026 Oct 30, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.0. This is due to the software allowing users to...Show more The The Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-10505 1Wuzhicms 1Wuzhicms Jun 17, 2026 Oct 30, 2024 5.3 MEDIUM· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is po...Show more A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Initially two separate issues were created by the researcher for the different function calls. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-48138 - - Jun 17, 2026 Oct 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a templat...Show more A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template.Show less
CVE-2024-8923 1Servicenow 1Servicenow Jun 17, 2026 Oct 29, 2024 9.3 CRITICAL· v4 10.0 CRITICAL· v3 N/A· v2 ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform....Show more ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes.Show less
CVE-2024-50498 1Lubus 1Wp Query Console Jun 17, 2026 Oct 28, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in Ajit Bohra WP Query Console wp-query-console allows Code Injection.This issue affects WP Query Console: from n/a through <= 1.0.
CVE-2024-50492 1Scottpaterson 1Scottcart Jun 17, 2026 Oct 28, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart scottcart allows Code Injection.This issue affects ScottCart: from n/a through <= 1.1.
CVE-2024-50450 1Pluginus 1Wordpress Meta Data And Taxonomies Filter Jun 17, 2026 Oct 28, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows Code Injection.This issue affects MDTF: from n/a through <= 1.3.3.4.
CVE-2024-9162 - - Jun 17, 2026 Oct 28, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it po...Show more The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible.Show less
CVE-2024-50611 - - Jun 17, 2026 Oct 27, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example,...Show more CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake.Show less
CVE-2024-9772 1Uiux 1Uix Shortcodes Jun 17, 2026 Oct 26, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an...Show more The The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-48236 1Ofcms Project 1Ofcms Jun 17, 2026 Oct 25, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java file
CVE-2024-48235 1Ofcms Project 1Ofcms Jun 17, 2026 Oct 25, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file.
CVE-2024-37846 1Radixiot 1Mango Jun 17, 2026 Oct 25, 2024 N/A· v4 4.6 MEDIUM· v3 N/A· v2 MangoOS before 5.2.0 was discovered to contain a Client-Side Template Injection (CSTI) vulnerability via the Platform Management Edit page.
CVE-2024-37845 1Radixiot 1Mango Jun 17, 2026 Oct 25, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 MangoOS before 5.2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Process Command feature.
CVE-2024-48700 1Kliqqi 1Kliqqi Cms Jun 17, 2026 Oct 25, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 Kliqqi-CMS has a background arbitrary code execution vulnerability that attackers can exploit to implant backdoors or getShell via the edit_page.php component.
CVE-2024-48655 1Totaljs 1Total.js Jun 17, 2026 Oct 25, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file.
CVE-2024-48581 1Mayurik 1Best Courier Management System Jun 17, 2026 Oct 25, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component.

Previous 1...127128129...326 Next