Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-33442 1Flusity 1Flusity Jun 17, 2026 May 1, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the add_post.php component.
CVE-2024-28893 1Hp 1Softpaqs Jun 17, 2026 May 1, 2024 N/A· v4 7.7 HIGH· v3 N/A· v2 Certain HP software packages (SoftPaqs) are potentially vulnerable to arbitrary code execution when the SoftPaq configuration file has been modified after extraction. HP has released updated software packages (SoftPaqs).
CVE-2024-33443 1Onethink 1Onethink Jun 17, 2026 Apr 29, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 An issue in onethink v.1.1 allows a remote attacker to execute arbitrary code via a crafted script to the AddonsController.class.php component.
CVE-2024-31823 1Ecommerce Codeigniter Bootstrap Project 1Ecommerce Codeigniter Bootstrap Jun 17, 2026 Apr 29, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the removeSecondaryImage method of the Publish.php component.
CVE-2024-31822 1Ecommerce Codeigniter Bootstrap Project 1Ecommerce Codeigniter Bootstrap Jun 17, 2026 Apr 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the saveLanguageFiles method of the Languages.php component.
CVE-2024-33445 1Hisiphp 1Hisiphp Jun 17, 2026 Apr 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in hisiphp v2.0.111 allows a remote attacker to execute arbitrary code via a crafted script to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component.
CVE-2024-32492 1Znuny 1Znuny Jun 17, 2026 Apr 29, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the execution of external JavaScript.
CVE-2024-32491 1Znuny 1Znuny Jun 17, 2026 Apr 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing...Show more An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server.Show less
CVE-2024-31621 1Flowiseai 1Flowise Jun 17, 2026 Apr 29, 2024 N/A· v4 7.6 HIGH· v3 N/A· v2 An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component.
CVE-2024-32404 1Inducer 1Relate Jun 17, 2026 Apr 26, 2024 N/A· v4 6.0 MEDIUM· v3 N/A· v2 Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1, allows remote attackers to execute arbitrary code via a crafted payload to the Markup Sandbox feature.
CVE-2024-22633 - - Jun 17, 2026 Apr 26, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hprinter parameter. This vulnerability is triggered via a crafted POST re...Show more Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hprinter parameter. This vulnerability is triggered via a crafted POST request.Show less
CVE-2024-22632 - - Jun 17, 2026 Apr 26, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. This vulnerability is triggered via a crafted POST reques...Show more Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. This vulnerability is triggered via a crafted POST request.Show less
CVE-2024-32358 1Jpress 1Jpress Jun 17, 2026 Apr 25, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in Jpress v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the custom plug-in module function, a different vulnerability than CVE-2024-43033.
CVE-2024-25624 1Dfir Iris 1Iris Jun 17, 2026 Apr 25, 2024 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. Due to an improper setup of Jinja2 environment, reports generation in `iris-web` is prone to a Serv...Show more Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. Due to an improper setup of Jinja2 environment, reports generation in `iris-web` is prone to a Server Side Template Injection (SSTI). Successful exploitation of the vulnerability can lead to an arbitrary Remote Code Execution. An authenticated administrator has to upload a crafted report template containing the payload. Upon generation of a report based on the weaponized report, any user can trigger the vulnerability. The vulnerability is patched in IRIS v2.4.6. No workaround is available. It is recommended to update as soon as possible. Until patching, review the report templates and keep the administrative privileges that include the upload of report templates limited to dedicated users. Show less
CVE-2024-31266 - - Jun 17, 2026 Apr 25, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in AlgolPlus Advanced Order Export For WooCommerce allows Code Injection.This issue affects Advanced Order Export For WooCommerce: from n/a through...Show more Improper Control of Generation of Code ('Code Injection') vulnerability in AlgolPlus Advanced Order Export For WooCommerce allows Code Injection.This issue affects Advanced Order Export For WooCommerce: from n/a through 3.4.4.Show less
CVE-2024-22144 - - Jun 17, 2026 Apr 25, 2024 N/A· v4 9.0 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection.This issue affects Anti-Malware Security and Brute-Force...Show more Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection.This issue affects Anti-Malware Security and Brute-Force Firewall: from n/a through 4.21.96.Show less
CVE-2024-20359 1Cisco 2Adaptive Security Appliance Software Firepower Threat Defense Jun 17, 2026 Apr 24, 2024 N/A· v4 6.0 MEDIUM· v3 N/A· v2 A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)...Show more A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.Show less
CVE-2024-21511 - - Jun 17, 2026 Apr 23, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time functio...Show more Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.Show less
CVE-2024-4040 1Crushftp 1Crushftp Jun 17, 2026 Apr 22, 2024 N/A· v4 10.0 CRITICAL· v3 N/A· v2 A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, b...Show more A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.Show less
CVE-2024-31666 1Flusity 1Flusity Jun 17, 2026 Apr 22, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via a crafted script to the edit_addon_post.php component.

Previous 1...143144145...324 Next