Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-48217 1Statamic 1Statamic Jun 17, 2026 Nov 14, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules....Show more Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.Show less
CVE-2023-36437 1Microsoft 1Azure Pipelines Agent Jun 17, 2026 Nov 14, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Azure DevOps Server Remote Code Execution Vulnerability
CVE-2023-6131 1Salesagility 1Suitecrm Jun 17, 2026 Nov 14, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2023-6126 1Salesagility 1Suitecrm Jun 17, 2026 Nov 14, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2023-6125 1Salesagility 1Suitecrm Jun 17, 2026 Nov 14, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2023-45560 1Memberscard Project 1Memberscard Jun 17, 2026 Nov 14, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
CVE-2023-36014 1Microsoft 1Edge Chromium Jun 17, 2026 Nov 10, 2023 N/A· v4 7.3 HIGH· v3 N/A· v2 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVE-2023-5550 2Fedoraproject Moodle 3Extra Packages For Enterprise Linux FedoraMoodle Jun 17, 2026 Nov 9, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file inc...Show more In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.Show less
CVE-2023-5540 2Fedoraproject Moodle 3Extra Packages For Enterprise Linux FedoraMoodle Jun 17, 2026 Nov 9, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.
CVE-2023-5539 2Fedoraproject Moodle 3Extra Packages For Enterprise Linux FedoraMoodle Jun 17, 2026 Nov 9, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.
CVE-2023-47397 1Webidsupport 1Webid Jun 17, 2026 Nov 8, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php.
CVE-2023-45849 1Perforce 1Helix Core Jun 17, 2026 Nov 8, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner.
CVE-2023-46243 1Xwiki 1Xwiki Jun 17, 2026 Nov 7, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's conte...Show more XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. Users are advised to update. There are no known workarounds for this issue. Show less
CVE-2023-46242 1Xwiki 1Xwiki Jun 17, 2026 Nov 7, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must h...Show more XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. There are no known workarounds for for this vulnerability.Show less
CVE-2023-46845 1Ec Cube 1Ec Cube Jun 17, 2026 Nov 7, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig include...Show more EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.Show less
CVE-2023-46731 1Xwiki 1Xwiki Jun 17, 2026 Nov 6, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sect...Show more XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document `XWiki.AdminSheet` (by default, everyone including unauthenticated users) to execute code including Groovy code. This impacts the confidentiality, integrity and availability of the whole XWiki instance. This vulnerability has been patched in XWiki 14.10.14, 15.6 RC1 and 15.5.1. Users are advised to upgrade. Users unablr to upgrade may apply the fix in commit `fec8e0e53f9` manually. Alternatively, to protect against attacks from unauthenticated users, view right for guests can be removed from this document (it is only needed for space and wiki admins).Show less
CVE-2023-46980 1Mayurik 1Best Courier Management System Jun 17, 2026 Nov 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Best Courier Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the userID parameter.
CVE-2023-46404 1Utoronto 1Pcrs Jun 17, 2026 Nov 3, 2023 N/A· v4 9.9 CRITICAL· v3 N/A· v2 PCRS <= 3.11 (d0de1e) “Questions” page and “Code editor” page are vulnerable to remote code execution (RCE) by escaping Python sandboxing.
CVE-2023-46947 1Intelliants 1Subrion Jun 17, 2026 Nov 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Subrion 4.2.1 has a remote command execution vulnerability in the backend.
CVE-2023-36022 1Microsoft 1Edge Chromium Jun 17, 2026 Nov 3, 2023 N/A· v4 6.6 MEDIUM· v3 N/A· v2 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Previous 1...157158159...324 Next