Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-49004 1Dlink 1Dir 850l Firmware Jun 17, 2026 Dec 19, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in D-Link DIR-850L v.B1_FW223WWb01 allows a remote attacker to execute arbitrary code via a crafted script to the en parameter.
CVE-2023-6691 1Cambiumnetworks 1Epmp Force 300 25 Firmware Jun 17, 2026 Dec 18, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a code injection vulnerability that could allow an attacker to perform remote code execution and gain root privileges.
CVE-2023-32728 1Zabbix 1Zabbix Agent2 Jun 17, 2026 Dec 18, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.
CVE-2023-6899 1Rmountjoy92 1Dashmachine Jun 17, 2026 Dec 17, 2023 N/A· v4 9.8 CRITICAL· v3 4.7 MEDIUM· v2 A vulnerability classified as problematic was found in rmountjoy92 DashMachine 0.5-4. Affected by this vulnerability is an unknown functionality of the file /settings/save_config of the component Config Handler. The mani...Show more A vulnerability classified as problematic was found in rmountjoy92 DashMachine 0.5-4. Affected by this vulnerability is an unknown functionality of the file /settings/save_config of the component Config Handler. The manipulation of the argument value_template leads to code injection. The exploit has been disclosed to the public and may be used. The identifier VDB-248257 was assigned to this vulnerability.Show less
CVE-2023-6886 1Wang.market 1Wangmarket Jun 17, 2026 Dec 17, 2023 N/A· v4 9.8 CRITICAL· v3 5.8 MEDIUM· v2 A vulnerability was found in xnx3 wangmarket 6.1. It has been rated as critical. Affected by this issue is some unknown functionality of the component Role Management Page. The manipulation leads to code injection. The a...Show more A vulnerability was found in xnx3 wangmarket 6.1. It has been rated as critical. Affected by this issue is some unknown functionality of the component Role Management Page. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-248246 is the identifier assigned to this vulnerability.Show less
CVE-2023-6851 1Kodcloud 1Kodexplorer Jun 17, 2026 Dec 16, 2023 N/A· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability was found in kalcaddle KodExplorer up to 4.51.03. It has been rated as critical. This issue affects the function unzipList of the file plugins/zipView/app.php of the component ZIP Archive Handler. The man...Show more A vulnerability was found in kalcaddle KodExplorer up to 4.51.03. It has been rated as critical. This issue affects the function unzipList of the file plugins/zipView/app.php of the component ZIP Archive Handler. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.52.01 is able to address this issue. The patch is named 5cf233f7556b442100cf67b5e92d57ceabb126c6. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-248219.Show less
CVE-2023-50723 1Xwiki 1Xwiki Jun 17, 2026 Dec 15, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through sev...Show more XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality, integrity and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile so this should be exploitable by all users of the XWiki instance. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patches can be manually applied to the `XWiki.ConfigurableClassMacros` and `XWiki.ConfigurableClass` pages.Show less
CVE-2023-50721 1Xwiki 1Xwiki Jun 17, 2026 Dec 15, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform. Starting in 4.5-rc-1 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the search administration interface doesn't properly escape the id and label of search user interface...Show more XWiki Platform is a generic wiki platform. Starting in 4.5-rc-1 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page like the user's profile (editable by default) as user interface extensions that will be displayed in the search administration can be added on any document by any user. The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1. As a workaround, the patch can be applied manually applied to the page `XWiki.SearchAdmin`.Show less
CVE-2023-6051 1Gitlab 1Gitlab Jun 17, 2026 Dec 15, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when sour...Show more An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when source code or installation packages are pulled from a specific tag.Show less
CVE-2023-5512 1Gitlab 1Gitlab Jun 17, 2026 Dec 15, 2023 N/A· v4 5.7 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised...Show more An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect representation in the UI.Show less
CVE-2023-6553 1Backupbliss 1Backup Migration Jun 17, 2026 Dec 15, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the v...Show more The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.Show less
CVE-2023-48390 1Multisuns 1Easylog Web+ Firmware Jun 17, 2026 Dec 15, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Multisuns EasyLog web+ has a code injection vulnerability. An unauthenticated remote attacker can exploit this vulnerability to inject code and access the system to perform arbitrary system operations or disrupt service...Show more Multisuns EasyLog web+ has a code injection vulnerability. An unauthenticated remote attacker can exploit this vulnerability to inject code and access the system to perform arbitrary system operations or disrupt service.Show less
CVE-2023-50710 1Hono 1Hono Jun 17, 2026 Dec 14, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privilege...Show more Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the change to fix this issue. As a workaround, avoid using TrieRouter directly.Show less
CVE-2023-48085 1Nagios 1Nagios Xi Jun 17, 2026 Dec 14, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php.
CVE-2023-43364 1Arjunsharda 1Searchor Jun 17, 2026 Dec 12, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution.
CVE-2023-42890 1Apple 6Ipados Iphone OsMacos+3 more Jun 17, 2026 Dec 12, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, watchOS 10.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2. Processing web content may lead to arbitrary code execution...Show more The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, watchOS 10.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2. Processing web content may lead to arbitrary code execution.Show less
CVE-2023-5500 1Frauscher 1Frauscher Diagnostic System 102 Jun 17, 2026 Dec 11, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 This vulnerability allows an remote attacker with low privileges to misuse Improper Control of Generation of Code ('Code Injection') to gain full control of the affected device.
CVE-2023-43301 1Linecorp 1Line Jun 17, 2026 Dec 7, 2023 N/A· v4 8.2 HIGH· v3 N/A· v2 An issue in DARTS SHOP MAXIM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.
CVE-2023-6288 1Devolutions 1Remote Desktop Manager Jun 17, 2026 Dec 6, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Code injection in Remote Desktop Manager 2023.3.9.3 and earlier on macOS allows an attacker to execute code via the DYLIB_INSERT_LIBRARIES environment variable.
CVE-2023-49070 1Apache 1Ofbiz Jun 17, 2026 Dec 5, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10

Previous 1...155156157...324 Next