Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-5677 1Axis 11M3024 Lve Firmware M3025 Ve FirmwareM7014 Firmware+8 more Jun 17, 2026 Feb 5, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be...Show more Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Please refer to the Axis security advisory for more information and solution.Show less
CVE-2024-25089 1Malwarebytes 1Binisoft Windows Firewall Control Jun 17, 2026 Feb 4, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Malwarebytes Binisoft Windows Firewall Control before 6.9.9.2 allows remote attackers to execute arbitrary code via gRPC named pipes.
CVE-2023-51820 1Blurams 1Lumi Security Camera A31c Firmware Jun 17, 2026 Feb 2, 2024 N/A· v4 6.8 MEDIUM· v3 N/A· v2 An issue in Blurams Lumi Security Camera (A31C) v.2.3.38.12558 allows a physically proximate attackers to execute arbitrary code.
CVE-2023-50488 1Blurams 1Lumi Security Camera A31c Firmware Jun 17, 2026 Feb 2, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Blurams Lumi Security Camera (A31C) v23.0406.435.4120 allows attackers to execute arbitrary code.
CVE-2021-22282 1Br Automation 1Automation Studio Jun 17, 2026 Feb 2, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in B&R Industrial Automation Automation Studio allows Local Execution of Code.This issue affects Automation Studio: from 4.0 through 4.12.
CVE-2024-22533 1Xiandafu 1Beetl Jun 17, 2026 Feb 2, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Beca...Show more Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution.Show less
CVE-2024-23746 1Miro 1Miro Jun 17, 2026 Feb 2, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.ap...Show more Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents).Show less
CVE-2024-22899 1Vinchin 1Vinchin Backup And Recovery Jun 17, 2026 Feb 2, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.
CVE-2024-0325 1Perforce 1Helix Sync Jun 17, 2026 Feb 1, 2024 N/A· v4 7.8 HIGH· v3 N/A· v2 In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins.
CVE-2023-47257 1Connectwise 2Automate Screenconnect Jun 17, 2026 Feb 1, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.
CVE-2024-1117 1Openbi 1Openbi Jun 17, 2026 Jan 31, 2024 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in openBI up to 1.0.8. It has been declared as critical. Affected by this vulnerability is the function index of the file /application/index/controller/Screen.php. The manipulation of the argume...Show more A vulnerability was found in openBI up to 1.0.8. It has been declared as critical. Affected by this vulnerability is the function index of the file /application/index/controller/Screen.php. The manipulation of the argument fileurl leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252475.Show less
CVE-2024-21649 1Vantage6 1Vantage6 Jun 17, 2026 Jan 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm env...Show more The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is patched in 4.2.0.Show less
CVE-2023-37518 1Hcltech 1Bigfix Servicenow Data Flow Jun 17, 2026 Jan 30, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 HCL BigFix ServiceNow is vulnerable to arbitrary code injection. A malicious authorized attacker could inject arbitrary code and execute within the context of the running user.
CVE-2024-1015 1Se Elektronic 1E Ddc3.3 Firmware Jun 17, 2026 Jan 29, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration f...Show more Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device.Show less
CVE-2024-23742 1Loom 1Loom Jun 17, 2026 Jan 28, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Loom on macOS version 0.196.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. NOTE: the vendor disputes this because it requires loc...Show more An issue in Loom on macOS version 0.196.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. NOTE: the vendor disputes this because it requires local access to a victim's machine.Show less
CVE-2024-23741 1Vercel 1Hyper Jun 17, 2026 Jan 28, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Hyper on macOS version 3.4.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.
CVE-2023-52251 1Provectus 1Ui Jun 17, 2026 Jan 25, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
CVE-2023-24676 1Processwire 1Processwire Jun 17, 2026 Jan 24, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. NOTE: this is disputed because exploitation re...Show more An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an admin; however, a ProcessWire admin is intentionally allowed to install any module that contains any arbitrary code.Show less
CVE-2023-31037 1Nvidia 1Bluefield Bmc Jun 17, 2026 Jan 24, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call. A successful exploit of this vulnerability may lead to code execution on the...Show more NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call. A successful exploit of this vulnerability may lead to code execution on the OS. Show less
CVE-2023-36177 1Badaix 1Snapcast Jun 17, 2026 Jan 23, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.

Previous 1...151152153...324 Next