Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,499)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-37124 - - Jun 17, 2026 Jun 19, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file in the PC where the product is installed.
CVE-2024-37821 1Dolibarr 1Dolibarr Erp/crm Jun 17, 2026 Jun 18, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
CVE-2024-36575 - - Jun 17, 2026 Jun 17, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor.
CVE-2024-36581 - - Jun 17, 2026 Jun 17, 2024 N/A· v4 7.6 HIGH· v3 N/A· v2 A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.
CVE-2024-38396 1Iterm2 1Iterm2 Jun 17, 2026 Jun 16, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to i...Show more An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to inject arbitrary code into the terminal, a different vulnerability than CVE-2024-38395.Show less
CVE-2024-38458 1Xenforo 1Xenforo Jun 17, 2026 Jun 16, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Xenforo before 2.2.16 allows code injection.
CVE-2024-38448 - - Jun 17, 2026 Jun 16, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 htags in GNU Global through 6.6.12 allows code execution in situations where dbpath (aka -d) is untrusted, because shell metacharacters may be used.
CVE-2024-38395 1Iterm2 1Iterm2 Jun 17, 2026 Jun 16, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially exploitable."
CVE-2024-6006 1Zkteco 1Zkbiosecurity V5000 Jun 17, 2026 Jun 15, 2024 2.0 LOW· v4 3.5 LOW· v3 4.0 MEDIUM· v2 A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The manipulation of the a...Show more A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The manipulation of the argument Schedule Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains, "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to the ZKBio CVSecurity latest version." This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2024-6005 1Zkteco 1Zkbiosecurity V5000 Jun 17, 2026 Jun 15, 2024 2.0 LOW· v4 3.5 LOW· v3 4.0 MEDIUM· v2 A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. The manipulation of t...Show more A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. The manipulation of the argument Department Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains, "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to the ZKBio CVSecurity latest version." This vulnerability only affects products that are no longer supported by the maintainer.Show less
CVE-2024-3105 - - Jun 17, 2026 Jun 15, 2024 N/A· v4 9.9 CRITICAL· v3 N/A· v2 The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the...Show more The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.Show less
CVE-2024-36598 - - Jun 17, 2026 Jun 14, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted image file.
CVE-2024-37885 1Nextcloud 1Desktop Jun 17, 2026 Jun 14, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DY...Show more The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.Show less
CVE-2024-32925 1Google 1Android Jun 17, 2026 Jun 13, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 In dhd_prot_txstatus_process of dhd_msgbuf.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interacti...Show more In dhd_prot_txstatus_process of dhd_msgbuf.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Show less
CVE-2024-37849 1Itsourcecode 1Billing System Jun 17, 2026 Jun 13, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A SQL Injection vulnerability in itsourcecode Billing System 1.0 allows a local attacker to execute arbitrary code in process.php via the username parameter.
CVE-2024-1577 1Megabip 1Megabip Jun 17, 2026 Jun 12, 2024 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue a...Show more Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue affects MegaBIP software versions through 5.11.2.Show less
CVE-2024-5834 2Fedoraproject Google 2Chrome Fedora Jun 17, 2026 Jun 11, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Inappropriate implementation in Dawn in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
CVE-2024-34405 - - Jun 17, 2026 Jun 11, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Improper deep link validation in McAfee Security: Antivirus VPN for Android before 8.3.0 could allow an attacker to launch an arbitrary URL within the app.
CVE-2024-27857 1Apple 5Ipados Iphone OsMacos+2 more Jun 17, 2026 Jun 10, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, visionOS 1.2. A remote attacker may be able to cause unexpected ap...Show more An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, visionOS 1.2. A remote attacker may be able to cause unexpected app termination or arbitrary code execution.Show less
CVE-2024-37014 1Langflow 1Langflow Jun 17, 2026 Jun 10, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.

Previous 1...140141142...325 Next