CWE-94

6,504 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,504)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS

Vendors: -
Products: -
Updated: Jun 17, 2026
Published: Sep 17, 2024
CVSS: N/A (v4), 9.9 CRITICAL (v3), N/A (v2)
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities: code injection in the `tests_results.yml` workflow (`GHSL-2024-169`) and environment variable injection (`GHSL-2024-170`). These issues have been addressed but users are advised to verify the contents of the downloaded artifacts.

Vendors (1): Spx
Products (1): Spx Graphics Controller
Updated: Jun 17, 2026
Published: Sep 16, 2024
CVSS: N/A (v4), 9.8 CRITICAL (v3), N/A (v2)
An issue in TuomoKu SPx-GC v.1.3.0 and before allows a remote attacker to execute arbitrary code via the child_process.js function.

Vendors (1): Sfs
Products (1): Winsure
Updated: Jun 17, 2026
Published: Sep 16, 2024
CVSS: 9.2 CRITICAL (v4), 9.8 CRITICAL (v3), N/A (v2)
Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows Code Injection. This issue affects ww.Winsure: before 4.6.2.

Vendors (1): Playsms
Products (1): Playsms
Updated: Jun 17, 2026
Published: Sep 16, 2024
CVSS: 6.3 MEDIUM (v4), 9.8 CRITICAL (v3), 5.1 MEDIUM (v2)
A vulnerability classified as critical has been found in playSMS 1.4.4/1.4.5/1.4.6/1.4.7. Affected is an unknown function of the file /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot of the component Template Handler. The manipulation of the argument username/email/captcha leads to code injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The project maintainer was informed early about the issue. Investigation shows that playSMS up to 1.4.3 contained a fix but later versions re-introduced the flaw. As long as the latest version of the playsms/tpl package is used, the software is not affected. Version >=1.4.4 shall fix this issue for sure.

Vendors (1): Composio
Products (1): Composio
Updated: Jun 17, 2026
Published: Sep 15, 2024
CVSS: 5.1 MEDIUM (v4), 8.8 HIGH (v3), 5.2 MEDIUM (v2)
A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calculator of the file python/composio/tools/local/mathematical/actions/calculator.py. The manipulation leads to code injection. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vendors (1): Webliberty
Products (1): Simple Spoiler
Updated: Jun 17, 2026
Published: Sep 14, 2024
CVSS: N/A (v4), 7.3 HIGH (v3), N/A (v2)
The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Vendors (1): Pluginus
Products (1): Fox Currency Switcher Professional For Woocommerce
Updated: Jun 17, 2026
Published: Sep 14, 2024
CVSS: N/A (v4), 7.3 HIGH (v3), N/A (v2)
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Vendors (1): Mayurik
Products (1): Best Free Law Office Management
Updated: Jun 17, 2026
Published: Sep 13, 2024
CVSS: N/A (v4), 9.8 CRITICAL (v3), N/A (v2)
SQL Injection vulnerability in Best Free Law Office Management Software-v1.0 allows an attacker to execute arbitrary code and obtain sensitive information via a crafted payload to the kortex_lite/control/register_case.php interface.

Vendors (1): Docker
Products (1): Desktop
Updated: Jun 17, 2026
Published: Sep 12, 2024
CVSS: 8.9 HIGH (v4), 9.8 CRITICAL (v3), N/A (v2)
A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2.

Vendors (1): Docker
Products (1): Desktop
Updated: Jun 17, 2026
Published: Sep 12, 2024
CVSS: 9.0 CRITICAL (v4), 9.8 CRITICAL (v3), N/A (v2)
A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34.2.

Vendors (1): Mindsdb
Products (1): Mindsdb
Updated: Jun 17, 2026
Published: Sep 12, 2024
CVSS: N/A (v4), 8.8 HIGH (v3), N/A (v2)
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.

Vendors (1): Mindsdb
Products (1): Mindsdb
Updated: Jun 17, 2026
Published: Sep 12, 2024
CVSS: N/A (v4), 8.8 HIGH (v3), N/A (v2)
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for site column creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.

Vendors (1): Mindsdb
Products (1): Mindsdb
Updated: Jun 17, 2026
Published: Sep 12, 2024
CVSS: N/A (v4), 8.8 HIGH (v3), N/A (v2)
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.

Vendors (1): Mindsdb
Products (1): Mindsdb
Updated: Jun 17, 2026
Published: Sep 12, 2024
CVSS: N/A (v4), 8.8 HIGH (v3), N/A (v2)
An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is run against a database created with the ChromaDB engine, the code will be passed to an eval function and executed on the server.

Vendors (1): Mindsdb
Products (1): Mindsdb
Updated: Jun 17, 2026
Published: Sep 12, 2024
CVSS: N/A (v4), 8.8 HIGH (v3), N/A (v2)
An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration engine, the code will be passed to an eval function and executed on the server.

Vendors (1): Mindsdb
Products (1): Mindsdb
Updated: Jun 17, 2026
Published: Sep 12, 2024
CVSS: N/A (v4), 8.8 HIGH (v3), N/A (v2)
An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server.

Vendors (1): Comfast
Products (1): Cf Xr11 Firmware
Updated: Jun 17, 2026
Published: Sep 11, 2024
CVSS: N/A (v4), 9.8 CRITICAL (v3), N/A (v2)
COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in function sub_424CB4. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter iface.

Vendors (1): Microsoft
Products (1): Azure Cyclecloud
Updated: Jun 17, 2026
Published: Sep 10, 2024
CVSS: N/A (v4), 8.8 HIGH (v3), N/A (v2)
Azure CycleCloud Remote Code Execution Vulnerability

Vendors (1): Logitech
Products (1): Logi Options+
Updated: Jun 17, 2026
Published: Sep 10, 2024
CVSS: 2.0 LOW (v4), 7.8 HIGH (v3), N/A (v2)
Improper Control of Generation of Code ('Code Injection') in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration.

Vendors (1): Phoenixcontact
Products (36): Fl Mguard 2102 Firmware, Fl Mguard 2105 Firmware, Fl Mguard 4102 Pci Firmware, +33 more
Updated: Jun 17, 2026
Published: Sep 10, 2024
CVSS: N/A (v4), 8.1 HIGH (v3), N/A (v2)
A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_INCOMING.FROM_IP FW_INCOMING.IN_IP FW_OUTGOING.FROM_IP FW_OUTGOING.IN_IP FW_RULESETS.FROM_IP FW_RULESETS.IN_IP environment variable which can lead to a DoS.