Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-40606 1Kanbanwp 1Kanban Boards For Wordpress Jun 17, 2026 Dec 29, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in Kanban for WordPress Kanban Boards for WordPress.This issue affects Kanban Boards for WordPress: from n/a through 2.5.21.
CVE-2023-32095 1Milandinic 1Rename Media Files Jun 17, 2026 Dec 29, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in Milan Dinić Rename Media Files.This issue affects Rename Media Files: from n/a through 1.0.1.
CVE-2023-25054 1Carrcommunications 1Rsvpmaker Jun 17, 2026 Dec 29, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in David F. Carr RSVPMaker.This issue affects RSVPMaker: from n/a through 10.6.6.
CVE-2023-22677 1Binarystash 1Wp Booklet Jun 17, 2026 Dec 29, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Control of Generation of Code ('Code Injection') vulnerability in BinaryStash WP Booklet.This issue affects WP Booklet: from n/a through 2.1.8.
CVE-2023-31296 1Sesami 1Cash Point & Transport Optimizer Jun 17, 2026 Dec 29, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows attackers to obtain sensitive information via the User Name field.
CVE-2023-7148 1Shifuml 1Shifu Jun 17, 2026 Dec 29, 2023 N/A· v4 8.1 HIGH· v3 5.1 MEDIUM· v2 A vulnerability has been found in ShifuML shifu 0.12.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/ml/shifu/shifu/core/DataPurifier.java of the compone...Show more A vulnerability has been found in ShifuML shifu 0.12.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/ml/shifu/shifu/core/DataPurifier.java of the component Java Expression Language Handler. The manipulation of the argument FilterExpression leads to code injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249151.Show less
CVE-2023-46987 1Seacms 1Seacms Jun 17, 2026 Dec 28, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 SeaCMS v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the component /augap/adminip.php.
CVE-2023-49001 1Indibrowser 1Indi Browser Jun 17, 2026 Dec 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an attacker to bypass intended access restrictions via interaction with the com.example.gurry.kvbrowswer.webview component.
CVE-2023-49000 1Artistscope 1Artisbrowser Jun 17, 2026 Dec 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in ArtistScope ArtisBrowser v.34.1.5 and before allows an attacker to bypass intended access restrictions via interaction with the com.artis.browser.IntentReceiverActivity component. NOTE: this is disputed by th...Show more An issue in ArtistScope ArtisBrowser v.34.1.5 and before allows an attacker to bypass intended access restrictions via interaction with the com.artis.browser.IntentReceiverActivity component. NOTE: this is disputed by the vendor, who indicates that ArtisBrowser 34 does not support CSS3.Show less
CVE-2023-47883 1Vladymix 1Tv Browser Jun 17, 2026 Dec 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity.
CVE-2023-43955 1Fedirtsapana 1Tv Bro Jun 17, 2026 Dec 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary download...Show more The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData.Show less
CVE-2023-43481 1Tcl 1Browser Tv Web Browsehere Jun 17, 2026 Dec 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePage...Show more An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePageActivity component.Show less
CVE-2023-7101 3Debian FedoraprojectJmcnamara 3Debian Linux FedoraSpreadsheet\ Jun 17, 2026 Dec 24, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file in...Show more Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.Show less
CVE-2023-51387 1Apache 1Hertzbeat Jun 17, 2026 Dec 22, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be some simple expressions. However, due to improper sanitizatio...Show more Hertzbeat is an open source, real-time monitoring system. Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be some simple expressions. However, due to improper sanitization for alert expressions in version prior to 1.4.1, a malicious user can use a crafted alert expression to execute any command on hertzbeat server. A malicious user who has access to alert define function can execute any command in hertzbeat instance. This issue is fixed in version 1.4.1.Show less
CVE-2023-51018 1Totolink 1Ex1800t Firmware Jun 17, 2026 Dec 22, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘opmode’ parameter of the setWiFiApConfig interface of the cstecgi .cgi.
CVE-2023-51015 1Totolink 1Ex1800t Firmware Jun 17, 2026 Dec 22, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINX EX1800T v9.1.0cu.2112_B20220316 is vulnerable to arbitrary command execution in the ‘enable parameter’ of the setDmzCfg interface of the cstecgi .cgi
CVE-2023-51026 1Totolink 1Ex1800t Firmware Jun 17, 2026 Dec 22, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOlink EX1800T V9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘hour’ parameter of the setRebootScheCfg interface of the cstecgi .cgi.
CVE-2023-49391 1Free5gc 1Free5gc Jun 17, 2026 Dec 22, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in free5GC version 3.3.0, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) on AMF component via crafted NGAP message.
CVE-2023-7035 1Automad 1Automad Jun 17, 2026 Dec 21, 2023 1.9 LOW· v4 5.4 MEDIUM· v3 3.3 LOW· v2 A vulnerability was found in automad up to 1.10.9 and classified as problematic. Affected by this issue is some unknown functionality of the file packages\standard\templates\post.php of the component Setting Handler. The...Show more A vulnerability was found in automad up to 1.10.9 and classified as problematic. Affected by this issue is some unknown functionality of the file packages\standard\templates\post.php of the component Setting Handler. The manipulation of the argument sitename leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2023-49032 1Ltb Project 1Self Service Password Jun 17, 2026 Dec 21, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in LTB Self Service Password before v.1.5.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via hijack of the SMS verification code function to arbitrary phone.

Previous 1...154155156...324 Next