Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-37582 1Apache 1Rocketmq Apr 23, 2025 Jul 12, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack pe...Show more The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as. It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.Show less
CVE-2023-37199 1Schneider Electric 1Struxureware Data Center Expert Nov 21, 2024 Jul 12, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored.
CVE-2023-37198 1Schneider Electric 1Struxureware Data Center Expert Nov 21, 2024 Jul 12, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages.
CVE-2023-24492 1Citrix 1Secure Access Client Nov 21, 2024 Jul 11, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability has been discovered in the Citrix Secure Access client for Ubuntu which, if exploited, could allow an attacker to remotely execute code if a victim user opens an attacker-crafted link and accepts further...Show more A vulnerability has been discovered in the Citrix Secure Access client for Ubuntu which, if exploited, could allow an attacker to remotely execute code if a victim user opens an attacker-crafted link and accepts further prompts. Show less
CVE-2023-35333 1Microsoft 1Pandocupload Nov 21, 2024 Jul 11, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 MediaWiki PandocUpload Extension Remote Code Execution Vulnerability
CVE-2023-33157 1Microsoft 1Sharepoint Server Feb 28, 2025 Jul 11, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2023-37659 1Xalpha Project 1Xalpha Nov 21, 2024 Jul 11, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 xalpha v0.11.4 is vulnerable to Remote Command Execution (RCE).
CVE-2023-27869 1Ibm 1Db2 Nov 21, 2024 Jul 10, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unchecked logger injection. By sending a spec...Show more IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unchecked logger injection. By sending a specially crafted request using the named traceFile property, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 249517.Show less
CVE-2023-27868 1Ibm 1Db2 Nov 21, 2024 Jul 10, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unchecked class instantiation when providing...Show more IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unchecked class instantiation when providing plugin classes. By sending a specially crafted request using the named pluginClassName class, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 249516.Show less
CVE-2023-27867 1Ibm 1Db2 Nov 21, 2024 Jul 10, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code via JNDI Injection. By sending a specially crafted request using the prop...Show more IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code via JNDI Injection. By sending a specially crafted request using the property clientRerouteServerListJNDIName, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 249514.Show less
CVE-2023-3551 1Teampass 1Teampass Nov 21, 2024 Jul 8, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
CVE-2023-36992 1Travianz Project 1Travianz Nov 21, 2024 Jul 7, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 PHP injection in TravianZ 8.3.4 and 8.3.3 in the config editor in the admin page allows remote attackers to execute PHP code.
CVE-2023-36859 1Piigab 1M Bus 900s Firmware Nov 21, 2024 Jul 6, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 PiiGAB M-Bus SoftwarePack 900S does not correctly sanitize user input, which could allow an attacker to inject arbitrary commands.
CVE-2023-29382 1Zimbra 1Collaboration Nov 21, 2024 Jul 6, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.
CVE-2023-30990 1Ibm 1I Nov 21, 2024 Jul 4, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036.
CVE-2023-36258 1Langchain 1Langchain Nov 22, 2024 Jul 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used.
CVE-2023-33466 1Orthanc Server 1Orthanc Nov 26, 2024 Jun 29, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, wh...Show more Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).Show less
CVE-2023-33570 1Webkul 1Bagisto Nov 27, 2024 Jun 28, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI).
CVE-2023-27866 1Ibm 1Informix Jdbc Driver Nov 21, 2024 Jun 28, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when driver code or the application using the driver do not verify supplied LDAP URL in Connect String. IBM X-Forc...Show more IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when driver code or the application using the driver do not verify supplied LDAP URL in Connect String. IBM X-Force ID: 249511.Show less
CVE-2023-36467 1Amazon 1Aws Dataall Nov 21, 2024 Jun 28, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python co...Show more AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended work around.Show less

Previous 1...165166167...324 Next