Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,504)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-8254 1Icegram 1Email Subscribers & Newsletters Jun 17, 2026 Oct 2, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5....Show more The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.Show less
CVE-2024-45186 - - Jun 17, 2026 Oct 2, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials.
CVE-2024-46080 1Scriptcase 1Scriptcase Jun 17, 2026 Oct 1, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 Scriptcase v9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_zip function.
CVE-2024-44744 - - Jun 17, 2026 Oct 1, 2024 N/A· v4 5.7 MEDIUM· v3 N/A· v2 An issue in Malwarebytes Premium Security v5.0.0.883 allows attackers to execute arbitrary code via placing crafted binaries into unspecified directories. NOTE: Malwarebytes argues that this issue requires admin privileg...Show more An issue in Malwarebytes Premium Security v5.0.0.883 allows attackers to execute arbitrary code via placing crafted binaries into unspecified directories. NOTE: Malwarebytes argues that this issue requires admin privileges and that the contents cannot be altered by non-admin users.Show less
CVE-2024-28811 1Nokia 1Hit 7300 Firmware Jun 17, 2026 Sep 30, 2024 N/A· v4 3.3 LOW· v3 N/A· v2 An issue was discovered in Infinera hiT 7300 5.60.50. A web application allows a remote privileged attacker to execute applications contained in a specific OS directory via HTTP invocations.
CVE-2024-45200 - - Jun 17, 2026 Sep 30, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 In Nintendo Mario Kart 8 Deluxe before 3.0.3, the LAN/LDN local multiplayer implementation allows a remote attacker to exploit a stack-based buffer overflow upon deserialization of session information via a malformed bro...Show more In Nintendo Mario Kart 8 Deluxe before 3.0.3, the LAN/LDN local multiplayer implementation allows a remote attacker to exploit a stack-based buffer overflow upon deserialization of session information via a malformed browse-reply packet, aka KartLANPwn. The victim is not required to join a game session with an attacker. The victim must open the "Wireless Play" (or "LAN Play") menu from the game's title screen, and an attacker nearby (LDN) or on the same LAN network as the victim can send a crafted reply packet to the victim's console. This enables a remote attacker to obtain complete denial-of-service on the game's process, or potentially, remote code execution on the victim's console. The issue is caused by incorrect use of the Nintendo Pia library,Show less
CVE-2024-9324 1Intelbras 1Incontrol Web Jun 17, 2026 Sep 29, 2024 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relatório de Operadores Page....Show more A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relatório de Operadores Page. The manipulation of the argument fields leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.21.58 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed early on 2024-07-19 about this issue. The release of a fixed version 2.21.58 was announced for the end of August 2024 but then was postponed until 2024-09-20.Show less
CVE-2024-6983 1Mudler 1Localai Jun 17, 2026 Sep 27, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an atta...Show more mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an attacker to upload a binary file and execute malicious code. This can lead to the attacker gaining full control over the system.Show less
CVE-2024-46489 1Ferrislucas 1Promptr Jun 17, 2026 Sep 25, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 A remote command execution (RCE) vulnerability in promptr v6.0.7 allows attackers to execute arbitrary commands via a crafted URL.
CVE-2024-8481 1Simplelib 1Special Text Boxes Jun 17, 2026 Sep 25, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.4. This is due to the plugin adding the filter add_filter('comment_text', 'do_short...Show more The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.4. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-8623 1Pluginus 1Wordpress Meta Data And Taxonomies Filter Jun 17, 2026 Sep 24, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.3.3.3. This is due to the software allowing users to execute an a...Show more The The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.3.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-46639 - - Jun 17, 2026 Sep 23, 2024 N/A· v4 7.6 HIGH· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field of Custom Fields message box.
CVE-2024-37779 - - Jun 17, 2026 Sep 23, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 WoodWing Elvis DAM v6.98.1 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the Apache Ant script functionality.
CVE-2024-0004 1Purestorage 1Purity//fa Jun 17, 2026 Sep 23, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A condition exists in FlashArray Purity whereby an user with array admin role can execute arbitrary commands remotely to escalate privilege on the array.
CVE-2024-40442 - - Jun 17, 2026 Sep 23, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An issue in Doccano Open source annotation tools for machine learning practitioners v.1.8.4 and Doccano Auto Labeling Pipeline module to annotate a document automatically v.0.1.23 allows a remote attacker to escalate pri...Show more An issue in Doccano Open source annotation tools for machine learning practitioners v.1.8.4 and Doccano Auto Labeling Pipeline module to annotate a document automatically v.0.1.23 allows a remote attacker to escalate privileges via a crafted REST Request.Show less
CVE-2024-47219 1Vesoft 1Nebulagraph Database Jun 17, 2026 Sep 22, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in vesoft NebulaGraph through 3.8.0. It allows shell command injection.
CVE-2024-46640 1Seacms 1Seacms Jun 17, 2026 Sep 20, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SeaCMS 13.2 has a remote code execution vulnerability located in the file sql.class.chp. Although the system has a check function, the check function is not executed during execution, allowing remote code execution by wr...Show more SeaCMS 13.2 has a remote code execution vulnerability located in the file sql.class.chp. Although the system has a check function, the check function is not executed during execution, allowing remote code execution by writing to the file through the MySQL slow query method.Show less
CVE-2024-46103 1Sem Cms 1Semcms Jun 17, 2026 Sep 20, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SEMCMS 4.8 is vulnerable to SQL Injection via SEMCMS_Main.php.
CVE-2024-9006 1Jeanmarc77 1123solar Jun 17, 2026 Sep 19, 2024 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was found in jeanmarc77 123solar 1.8.4.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file config/config_invt1.php. The manipulation of the argument PASSOx l...Show more A vulnerability was found in jeanmarc77 123solar 1.8.4.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file config/config_invt1.php. The manipulation of the argument PASSOx leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The patch is identified as f4a8c748ec436e5a79f91ccb6a6f73752b336aa5. It is recommended to apply a patch to fix this issue.Show less
CVE-2024-35515 - - Jun 17, 2026 Sep 18, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.

Previous 1...130131132...326 Next