Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,499)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-32897 1Apple 1Macos Jun 17, 2026 Jun 10, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.5. Processing a maliciously crafted tiff file may lead to arbitrary code execution.
CVE-2024-34761 - - Jun 17, 2026 Jun 10, 2024 N/A· v4 8.5 HIGH· v3 N/A· v2 Vulnerability discovered by executing a planned security audit. Improper Control of Generation of Code ('Code Injection') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects...Show more Vulnerability discovered by executing a planned security audit. Improper Control of Generation of Code ('Code Injection') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10.Show less
CVE-2024-36531 1Nukeviet 2Egovernment Nukeviet Jun 17, 2026 Jun 10, 2024 N/A· v4 5.7 MEDIUM· v3 N/A· v2 nukeviet v.4.5 and before and nukeviet-egov v.1.2.02 and before are vulnerable to arbitrary code execution via the /admin/extensions/upload.php component.
CVE-2024-3408 1Man 1D Tale Jun 17, 2026 Jun 6, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration...Show more man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.Show less
CVE-2024-4889 1Litellm 1Litellm Jun 17, 2026 Jun 6, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid...Show more A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid Google KMS configuration file to be exploitable. Specifically, by setting the `UI_LOGO_PATH` variable to a remote server address in the `get_image` function, an attacker can write a malicious Google KMS configuration file to the `cached_logo.jpg` file. This file can then be used to execute arbitrary code by assigning malicious code to the `SAVE_CONFIG_TO_DB` environment variable, leading to full system control. The vulnerability is contingent upon the use of the Google KMS feature.Show less
CVE-2024-4194 1Essentialplugin 1Album And Image Gallery Plus Lightbox Jun 17, 2026 Jun 6, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0. This is due to the software allowing users to execute an action...Show more The The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-37273 1Homebrew 1Jan Jun 17, 2026 Jun 4, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-25600 - - Jun 17, 2026 Jun 4, 2024 N/A· v4 10.0 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in Codeer Limited Bricks Builder allows Code Injection.This issue affects Bricks Builder: from n/a through 1.9.6.
CVE-2024-37061 1Lfprojects 1Mlflow Jun 17, 2026 Jun 4, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
CVE-2024-36568 1Mayurik 1Gas Agency Management System Jun 17, 2026 Jun 3, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Sourcecodester Gas Agency Management System v1.0 is vulnerable to SQL Injection via /gasmark/editbrand.php?id=.
CVE-2024-36120 1Deobfuscate 1Javascript Deobfuscator Jun 17, 2026 May 31, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0...Show more javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature.Show less
CVE-2024-5565 - - Jun 17, 2026 May 31, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Sp...Show more The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution.Show less
CVE-2024-23692 1Rejetto 1Http File Server Jun 17, 2026 May 31, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected...Show more Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.Show less
CVE-2024-3924 - - Jun 17, 2026 May 30, 2024 N/A· v4 4.4 MEDIUM· v3 N/A· v2 A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head...Show more A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.Show less
CVE-2023-6743 1Unlimited Elements 1Unlimited Elements For Elementor Jun 17, 2026 May 29, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.89 via the template import functionality. This...Show more The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.89 via the template import functionality. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the server.Show less
CVE-2024-35226 - - Jun 17, 2026 May 28, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an ext...Show more Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.Show less
CVE-2024-35581 1Oretnom23 1Computer Laboratory Management System Jun 17, 2026 May 28, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Borrower Name input field.
CVE-2024-23601 1Automationdirect 6P1 540 Firmware P1 550 FirmwareP2 550 Firmware+3 more Jun 17, 2026 May 28, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted scan_lib.bin can lead to arbitrary code execution. An attacker can provide a malicious fil...Show more A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted scan_lib.bin can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.Show less
CVE-2024-28886 - - Jun 17, 2026 May 28, 2024 N/A· v4 8.4 HIGH· v3 N/A· v2 OS command injection vulnerability exists in UTAU versions prior to v0.4.19. If a user of the product opens a crafted UTAU project file (.ust file), an arbitrary OS command may be executed.
CVE-2024-5407 1Saltos 1Rhinos Jun 17, 2026 May 27, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A vulnerability in RhinOS 3.0-1190 could allow PHP code injection through the "search" parameter in /portal/search.htm. This vulnerability could allow a remote attacker to perform a reverse shell on the remote system, co...Show more A vulnerability in RhinOS 3.0-1190 could allow PHP code injection through the "search" parameter in /portal/search.htm. This vulnerability could allow a remote attacker to perform a reverse shell on the remote system, compromising the entire infrastructure.Show less

Previous 1...141142143...325 Next