Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-52381 1Huawei 2Emui Harmonyos Jun 17, 2026 Feb 18, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Script injection vulnerability in the email module.Successful exploitation of this vulnerability may affect service confidentiality, integrity, and availability.
CVE-2024-25298 1Redaxo 1Redaxo Jun 17, 2026 Feb 17, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An issue was discovered in REDAXO version 5.15.1, allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php.
CVE-2024-25415 1Phoenixcart 1Ce Phoenix Cart Jun 17, 2026 Feb 16, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 A remote code execution (RCE) vulnerability in /admin/define_language.php of CE Phoenix v1.0.8.20 allows attackers to execute arbitrary PHP code via injecting a crafted payload into the file english.php.
CVE-2024-25502 1Flusity 1Flusity Jun 17, 2026 Feb 15, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Directory Traversal vulnerability in flusity CMS v.2.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via the download_backup.php component.
CVE-2022-23088 1Freebsd 1Freebsd Jun 17, 2026 Feb 15, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSI...Show more The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.Show less
CVE-2024-25301 1Redaxo 1Redaxo Jun 17, 2026 Feb 14, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 Redaxo v5.15.1 was discovered to contain a remote code execution (RCE) vulnerability via the component /pages/templates.php.
CVE-2024-21378 1Microsoft 4365 Apps OfficeOffice Long Term Servicing Channel+1 more Jun 17, 2026 Feb 13, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Microsoft Outlook Remote Code Execution Vulnerability
CVE-2024-21351 1Microsoft 12Windows 10 1507 Windows 10 1607Windows 10 1809+9 more Jun 17, 2026 Feb 13, 2024 N/A· v4 7.6 HIGH· v3 N/A· v2 Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-50808 1Zimbra 1Collaboration Jun 17, 2026 Feb 13, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Zimbra Collaboration before Kepler 9.0.0 Patch 38 GA allows DOM-based JavaScript injection in the Modern UI.
CVE-2024-22131 1Sap 1Abap Platform Jun 17, 2026 Feb 13, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attack...Show more In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user/business data and can make the entire system unavailable. Show less
CVE-2023-42374 1Mystenlabs 1Sui Jun 17, 2026 Feb 13, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in mystenlabs Sui Blockchain before v.1.6.3 allow a remote attacker to execute arbitrary code and cause a denial of service via a crafted compressed script to the Sui node component.
CVE-2024-25110 1Microsoft 1Azure Uamqp Jun 17, 2026 Feb 12, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail causing a use-after-free issue and if a client called it during connection communication...Show more The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail causing a use-after-free issue and if a client called it during connection communication it may cause a remote code execution. Users are advised to update the submodule with commit `30865c9c`. There are no known workarounds for this vulnerability.Show less
CVE-2024-24091 1Yealink 1Yealink Meeting Server Jun 17, 2026 Feb 8, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface.
CVE-2023-45735 1Westermo 1L206 F2g Firmware Jun 17, 2026 Feb 6, 2024 N/A· v4 8.0 HIGH· v3 N/A· v2 A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device.
CVE-2024-22514 1Ispyconnect 1Agent Dvr Jun 17, 2026 Feb 6, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue discovered in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to run arbitrary files by restoring a crafted backup file.
CVE-2023-6996 1Vegacorp 1Display Custom Fields In The Frontend Post And User Profile Fields Jun 17, 2026 Feb 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and including, 1.2.1 due to...Show more The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and including, 1.2.1 due to insufficient input validation and restriction on access to that shortcode. This makes it possible for authenticated attackers with contributor-level and above permissions to call arbitrary functions and execute code.Show less
CVE-2023-6846 1Filemanagerpro 1File Manager Jun 17, 2026 Feb 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mk_check_filemanager_php_syntax AJAX function. This makes it possible for authenticated...Show more The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mk_check_filemanager_php_syntax AJAX function. This makes it possible for authenticated attackers, with subscriber access and above, to execute code on the server. Version 8.3.5 introduces a capability check that prevents users lower than admin from executing this function.Show less
CVE-2024-24396 1Stimulsoft 1Dashboard.js Jun 17, 2026 Feb 5, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component.
CVE-2024-24469 1Flusity 1Flusity Jun 17, 2026 Feb 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the delete_post .php.
CVE-2023-5800 1Axis 3Axis Os Axis Os 2020Axis Os 2022 Jun 17, 2026 Feb 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited...Show more Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.Show less

Previous 1...150151152...324 Next