Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-28699 - - Jun 17, 2026 Apr 22, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 A buffer overflow vulnerability in pdf2json v0.70 allows a local attacker to execute arbitrary code via the GString::copy() and ImgOutputDev::ImgOutputDev function.
CVE-2024-29991 1Microsoft 1Edge Chromium Jun 17, 2026 Apr 19, 2024 N/A· v4 5.0 MEDIUM· v3 N/A· v2 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
CVE-2023-51797 2Fedoraproject Ffmpeg 2Fedora Ffmpeg Jun 17, 2026 Apr 19, 2024 N/A· v4 6.7 MEDIUM· v3 N/A· v2 Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/avf_showwaves.c:722:24 in showwaves_filter_frame
CVE-2023-50260 1Wazuh 1Wazuh Jun 17, 2026 Apr 19, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Wazuh is a free and open source platform used for threat prevention, detection, and response. A wrong validation in the `host_deny` script allows to write any string in the `hosts.deny` file, which can end in an arbitrar...Show more Wazuh is a free and open source platform used for threat prevention, detection, and response. A wrong validation in the `host_deny` script allows to write any string in the `hosts.deny` file, which can end in an arbitrary command execution on the target system. This vulnerability is part of the active response feature, which can automatically triggers actions in response to alerts. By default, active responses are limited to a set of pre defined executables. This is enforced by only allowing executables stored under `/var/ossec/active-response/bin` to be run as an active response. However, the `/var/ossec/active-response/bin/host_deny` can be exploited. `host_deny` is used to add IP address to the `/etc/hosts.deny` file to block incoming connections on a service level by using TCP wrappers. Attacker can inject arbitrary command into the `/etc/hosts.deny` file and execute arbitrary command by using the spawn directive. The active response can be triggered by writing events either to the local `execd` queue on server or to the `ar` queue which forwards the events to agents. So, it can leads to LPE on server as root and RCE on agent as root. This vulnerability is fixed in 4.7.2.Show less
CVE-2024-30923 1Derbynet 1Derbynet Jun 17, 2026 Apr 18, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SQL Injection vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the where Clause in Racer Document Rendering
CVE-2024-32599 - - Jun 17, 2026 Apr 18, 2024 N/A· v4 10.0 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in Deepak anand WP Dummy Content Generator wp-dummy-content-generator.This issue affects WP Dummy Content Generator: from n/a through <= 3.2.1.
CVE-2024-3931 1Totara 1Totara Jun 17, 2026 Apr 18, 2024 2.0 LOW· v4 5.4 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in Totara LMS up to 18.7. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin/roles/check.php of the component User Selector. The manipulatio...Show more A vulnerability was found in Totara LMS up to 18.7. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin/roles/check.php of the component User Selector. The manipulation of the argument ID Number leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 and 18.8 is able to address this issue. It is recommended to upgrade the affected component.Show less
CVE-2024-3660 1Keras 1Keras Jun 17, 2026 Apr 16, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allow arbitrary code irrespectiv...Show more A arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allow arbitrary code irrespective of the application.Show less
CVE-2024-30567 - - Jun 17, 2026 Apr 16, 2024 N/A· v4 6.3 MEDIUM· v3 N/A· v2 An issue in JNT Telecom JNT Liftcom UMS V1.J Core Version JM-V15 allows a remote attacker to execute arbitrary code via the Network Troubleshooting functionality.
CVE-2024-31648 1Munyweki 1Insurance Management System Jun 17, 2026 Apr 15, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross Site Scripting (XSS) in Insurance Management System v1.0, allows remote attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter at /core/new_category2.
CVE-2024-3786 1Whitebearsolutions 1Wbsairback Jun 17, 2026 Apr 15, 2024 N/A· v4 6.6 MEDIUM· v3 N/A· v2 Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through Device Synchronizations (/admin/DeviceReplication). Exploitation of this vulnerability could allow a rem...Show more Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through Device Synchronizations (/admin/DeviceReplication). Exploitation of this vulnerability could allow a remote user to execute arbitrary code.Show less
CVE-2024-3785 1Whitebearsolutions 1Wbsairback Jun 17, 2026 Apr 15, 2024 N/A· v4 6.6 MEDIUM· v3 N/A· v2 Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through Device NAS shared section (/admin/DeviceNAS). Exploitation of this vulnerability could allow a remote us...Show more Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through Device NAS shared section (/admin/DeviceNAS). Exploitation of this vulnerability could allow a remote user to execute arbitrary code.Show less
CVE-2024-3784 1Whitebearsolutions 1Wbsairback Jun 17, 2026 Apr 15, 2024 N/A· v4 6.6 MEDIUM· v3 N/A· v2 Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through S3 Accounts (/admin/CloudAccounts). Exploitation of this vulnerability could allow a remote user to exec...Show more Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through S3 Accounts (/admin/CloudAccounts). Exploitation of this vulnerability could allow a remote user to execute arbitrary code.Show less
CVE-2023-6494 1Wpclever 1Wpc Smart Quick View For Woocommerce Jun 17, 2026 Apr 13, 2024 N/A· v4 4.4 MEDIUM· v3 N/A· v2 The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output...Show more The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.Show less
CVE-2024-30845 1Rainbow External Link Network Disk Project 1Rainbow External Link Network Disk Jun 17, 2026 Apr 12, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in Rainbow external link network disk v.5.5 allows a remote attacker to execute arbitrary code via the validation component of the input parameters.
CVE-2023-44857 1Cobham 1Sailor 600 Vsat Ku Firmware Jun 17, 2026 Apr 12, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 An issue in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the sub_21D24 function in the acu_web component.
CVE-2023-44853 1Cobham 1Sailor 600 Vsat Ku Firmware Jun 17, 2026 Apr 12, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 \An issue was discovered in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the sub_219C4 function in the acu_web file.
CVE-2024-25376 1Thesycon 1Tusbaudio Jun 17, 2026 Apr 11, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue discovered in Thesycon Software Solutions Gmbh & Co. KG TUSBAudio MSI-based installers before 5.68.0 allows a local attacker to execute arbitrary code via the msiexec.exe repair mode.
CVE-2024-22722 1Formtools 1Form Tools Jun 17, 2026 Apr 11, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 Server Side Template Injection (SSTI) vulnerability in Form Tools 3.1.1 allows attackers to run arbitrary commands via the Group Name field under the add forms section of the application.
CVE-2024-29399 1Gnu 1Savane Jun 17, 2026 Apr 11, 2024 N/A· v4 7.6 HIGH· v3 N/A· v2 An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component.

Previous 1...144145146...324 Next