Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-46958 1Lmxcms 1Lmxcms Jun 17, 2026 Nov 2, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in lmxcms v.1.41 allows a remote attacker to execute arbitrary code via a crafted script to the admin.php file.
CVE-2023-20063 1Cisco 2Firepower Threat Defense Secure Firewall Management Center Jun 17, 2026 Nov 1, 2023 N/A· v4 8.2 HIGH· v3 N/A· v2 A vulnerability in the inter-device communication mechanisms between devices that are running Cisco Firepower Threat Defense (FTD) Software and devices that are running Cisco Firepower Management (FMC) Software could all...Show more A vulnerability in the inter-device communication mechanisms between devices that are running Cisco Firepower Threat Defense (FTD) Software and devices that are running Cisco Firepower Management (FMC) Software could allow an authenticated, local attacker to execute arbitrary commands with root permissions on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by accessing the expert mode of an affected device and submitting specific commands to a connected system. A successful exploit could allow the attacker to execute arbitrary code in the context of an FMC device if the attacker has administrative privileges on an associated FTD device. Alternatively, a successful exploit could allow the attacker to execute arbitrary code in the context of an FTD device if the attacker has administrative privileges on an associated FMC device.Show less
CVE-2023-42658 1Chef 1Inspec Jun 17, 2026 Oct 31, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Archive command in Chef InSpec prior to 4.56.58 and 5.22.29 allow local command execution via maliciously crafted profile.
CVE-2023-40050 1Chef 1Automate Jun 17, 2026 Oct 31, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution.
CVE-2023-43792 1Basercms 1Basercms Jun 17, 2026 Oct 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 baserCMS is a website development framework. In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. As of time of publication, no known patched versions are available.
CVE-2020-36767 1Vareille 1Tinyfiledialogs Jun 17, 2026 Oct 30, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 tinyfiledialogs (aka tiny file dialogs) before 3.8.0 allows shell metacharacters in titles, messages, and other input data.
CVE-2023-5843 1Datafeedr 1Ads By Datafeedr.com Jun 17, 2026 Oct 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Ads by datafeedr.com plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 1.1.3 via the 'dfads_ajax_load_ads' function. This allows unauthenticated attackers to execute code o...Show more The Ads by datafeedr.com plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 1.1.3 via the 'dfads_ajax_load_ads' function. This allows unauthenticated attackers to execute code on the server. The parameters of the callable function are limited, they cannot be specified arbitrarily.Show less
CVE-2023-44141 1Inkdrop 1Inkdrop Jun 17, 2026 Oct 30, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Inkdrop prior to v5.6.0 allows a local attacker to conduct a code injection attack by having a legitimate user open a specially crafted markdown file.
CVE-2023-46865 1Craterapp 1Crater Jun 17, 2026 Oct 30, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 /api/v1/company/upload-logo in CompanyController.php in crater through 6.0.6 allows a superadmin to execute arbitrary PHP code by placing this code into an image/png IDAT chunk of a Company Logo image.
CVE-2021-33636 1Openeuler 1Isula Jun 17, 2026 Oct 29, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 When the isula load command is used to load malicious images, attackers can execute arbitrary code.
CVE-2021-33635 1Openeuler 1Isula Jun 17, 2026 Oct 29, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 When malicious images are pulled by isula pull, attackers can execute arbitrary code.
CVE-2023-46509 1Contec 1Solarview Compact Firmware Jun 17, 2026 Oct 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Contec SolarView Compact v.6.0 and before allows an attacker to execute arbitrary code via the texteditor.php component.
CVE-2023-46818 1Ispconfig 1Ispconfig Jun 17, 2026 Oct 27, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
CVE-2023-46816 1Sugarcrm 1Sugarcrm Jun 17, 2026 Oct 27, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code c...Show more An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via the GetControl action because of missing input validation. An attacker with regular user privileges can exploit this.Show less
CVE-2023-43352 1Cmsmadesimple 1Cms Made Simple Jun 17, 2026 Oct 26, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.
CVE-2023-5623 1Tenable 1Nessus Network Monitor Jun 17, 2026 Oct 26, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 NNM failed to properly set ACLs on its installation directory, which could allow a low privileged user to run arbitrary code with SYSTEM privileges where NNM is installed to a non-standard location
CVE-2023-5044 1Kubernetes 1Ingress Nginx Jun 17, 2026 Oct 25, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
CVE-2023-46010 1Seacms 1Seacms Jun 17, 2026 Oct 25, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component.
CVE-2023-37909 1Xwiki 1Xwiki Jun 17, 2026 Oct 25, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.1-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, any user who can edit their own user prof...Show more XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.1-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.8 and 15.3-rc-1 by adding proper escaping. As a workaround, the patch can be manually applied to the document `Menu.UIExtensionSheet`; only three lines need to be changed.Show less
CVE-2023-30912 1Hpe 1Oneview Jun 17, 2026 Oct 25, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A remote code execution issue exists in HPE OneView.

Previous 1...158159160...324 Next