Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,504)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-43392 1Phoenixcontact 30Fl Mguard Centerport Vpn 1000 Firmware Fl Mguard Core Tx FirmwareFl Mguard Core Tx Vpn Firmware+27 more Jun 17, 2026 Sep 10, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_INCOMING.FROM_IP FW_INCOMING.IN_IP FW_...Show more A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_INCOMING.FROM_IP FW_INCOMING.IN_IP FW_OUTGOING.FROM_IP FW_OUTGOING.IN_IP environment variable which can lead to a DoS.Show less
CVE-2024-43391 1Phoenixcontact 36Fl Mguard 2102 Firmware Fl Mguard 2105 FirmwareFl Mguard 4102 Pci Firmware+33 more Jun 17, 2026 Sep 10, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_PORTFORWARDING.SRC_IP environment vari...Show more A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_PORTFORWARDING.SRC_IP environment variable which can lead to a DoS.Show less
CVE-2024-43390 1Phoenixcontact 36Fl Mguard 2102 Firmware Fl Mguard 2105 FirmwareFl Mguard 4102 Pci Firmware+33 more Jun 17, 2026 Sep 10, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A low privileged remote attacker can perform configuration changes of the firewall services, including packet forwarding or NAT through the FW_NAT.IN_IP environment variable which can lead to a DoS.
CVE-2024-43389 1Phoenixcontact 36Fl Mguard 2102 Firmware Fl Mguard 2105 FirmwareFl Mguard 4102 Pci Firmware+33 more Jun 17, 2026 Sep 10, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A low privileged remote attacker can perform configuration changes of the ospf service through OSPF_INTERFACE.SIMPLE_KEY, OSPF_INTERFACE.DIGEST_KEY environment variables which can lead to a DoS.
CVE-2024-43388 1Phoenixcontact 36Fl Mguard 2102 Firmware Fl Mguard 2105 FirmwareFl Mguard 4102 Pci Firmware+33 more Jun 17, 2026 Sep 10, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 A low privileged remote attacker with write permissions can reconfigure the SNMP service due to improper input validation.
CVE-2024-6596 1Endress 6Echo Curve Viewer Field Xpert Smt50 FirmwareField Xpert Smt70 Firmware+3 more Jun 17, 2026 Sep 10, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the users context.
CVE-2024-8478 1Ifeelweb 1Affiliate Super Assistent Jun 17, 2026 Sep 10, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes...Show more The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-8268 1Buffercode 1Frontend Dashboard Jun 17, 2026 Sep 10, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2...Show more The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to call arbitrary functions that can be leverage for privilege escalation by changing user's passwords.Show less
CVE-2024-44411 1Dlink 1Di 8300 Firmware Jun 17, 2026 Sep 9, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the msp_info_htm function.
CVE-2024-44410 1Dlink 1Di 8300 Firmware Jun 17, 2026 Sep 9, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the upgrade_filter_asp function.
CVE-2024-44724 1Autocms Project 1Autocms Jun 17, 2026 Sep 9, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 AutoCMS v5.4 was discovered to contain a PHP code injection vulnerability via the txtsite_url parameter at /admin/site_add.php. This vulnerability allows attackers to execute arbitrary PHP code via injecting a crafted va...Show more AutoCMS v5.4 was discovered to contain a PHP code injection vulnerability via the txtsite_url parameter at /admin/site_add.php. This vulnerability allows attackers to execute arbitrary PHP code via injecting a crafted value.Show less
CVE-2024-39715 - - Jun 17, 2026 Sep 7, 2024 N/A· v4 8.5 HIGH· v3 N/A· v2 A code injection vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server.
CVE-2024-39714 - - Jun 17, 2026 Sep 7, 2024 N/A· v4 9.9 CRITICAL· v3 N/A· v2 A code injection vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server.
CVE-2024-38651 - - Jun 17, 2026 Sep 7, 2024 N/A· v4 8.5 HIGH· v3 N/A· v2 A code injection vulnerability can allow a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server.
CVE-2023-39333 - - Jun 17, 2026 Sep 7, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, simila...Show more Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option.Show less
CVE-2024-8523 1Lmxcms 1Lmxcms Jun 17, 2026 Sep 7, 2024 5.1 MEDIUM· v4 7.2 HIGH· v3 5.8 MEDIUM· v2 A vulnerability was found in lmxcms up to 1.4 and classified as critical. Affected by this issue is the function formatData of the file /admin.php?m=Acquisi&a=testcj&lid=1 of the component SQL Command Execution Module. T...Show more A vulnerability was found in lmxcms up to 1.4 and classified as critical. Affected by this issue is the function formatData of the file /admin.php?m=Acquisi&a=testcj&lid=1 of the component SQL Command Execution Module. The manipulation of the argument data leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-7627 1Bitapps 1File Manager Jun 17, 2026 Sep 5, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before...Show more The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions.Show less
CVE-2024-45053 1Ethyca 1Fides Jun 17, 2026 Sep 4, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictio...Show more Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.Show less
CVE-2024-8411 1Abcd Community 1Abcd Jun 17, 2026 Sep 4, 2024 2.0 LOW· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was determined in ABCD ABCD2 up to 2.2.0-beta-1. Impacted is an unknown function of the file /buscar_integrada.php. Executing a manipulation of the argument Sub_Expresion can lead to cross site scripting....Show more A vulnerability was determined in ABCD ABCD2 up to 2.2.0-beta-1. Impacted is an unknown function of the file /buscar_integrada.php. Executing a manipulation of the argument Sub_Expresion can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The developer explains, that "this script has been completely redesigned after this version".Show less
CVE-2024-45507 1Apache 1Ofbiz Jun 17, 2026 Sep 4, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version...Show more Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.Show less

Previous 1...132133134...326 Next