Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-33440 1Faculty Evaluation System Project 1Faculty Evaluation System Jan 14, 2025 May 26, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.
CVE-2023-30145 1Tuzitio 1Camaleon Cms Jan 16, 2025 May 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.
CVE-2023-33246 1Apache 1Rocketmq Oct 23, 2025 May 24, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and...Show more For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .Show less
CVE-2023-2859 1Teampass 1Teampass Nov 21, 2024 May 24, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
CVE-2023-32697 1Sqlite Jdbc Project 1Sqlite Jdbc Nov 21, 2024 May 23, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has...Show more SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2. Show less
CVE-2023-25953 1Worksmobile 1Drive Explorer Jan 17, 2025 May 23, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Code injection vulnerability in Drive Explorer for macOS versions 3.5.4 and earlier allows an attacker who can login to the client where the affected product is installed to inject arbitrary code while processing the pro...Show more Code injection vulnerability in Drive Explorer for macOS versions 3.5.4 and earlier allows an attacker who can login to the client where the affected product is installed to inject arbitrary code while processing the product execution. Since a full disk access privilege is required to execute LINE WORKS Drive Explorer, the attacker may be able to read and/or write to arbitrary files without the access privileges.Show less
CVE-2023-29861 1Flir 1Dvtel Camera Firmware Jan 31, 2025 May 15, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue found in FLIR-DVTEL version not specified allows a remote attacker to execute arbitrary code via a crafted request to the management page of the device.
CVE-2023-29862 1Agasio Camera Project 1Agasio Camera Firmware Jan 23, 2025 May 15, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue found in Agasio-Camera device version not specified allows a remote attacker to execute arbitrary code via the check and authLevel parameters.
CVE-2022-47879 1Jedox 2Jedox Jedox Cloud Nov 6, 2025 May 12, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute its methods. NOTE: The vendor states that...Show more A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute its methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The issue was resolved with version 23.2 and later versions are not affected.Show less
CVE-2023-30130 1Craftcms 1Craft Cms Jan 24, 2025 May 12, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.
CVE-2023-29400 1Golang 1Go Jan 24, 2025 May 11, 2023 N/A· v4 7.3 HIGH· v3 N/A· v2 Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of...Show more Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.Show less
CVE-2023-24539 1Golang 1Go Jan 24, 2025 May 11, 2023 N/A· v4 7.3 HIGH· v3 N/A· v2 Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allow...Show more Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.Show less
CVE-2022-47129 1Phpok 1Phpok Jan 27, 2025 May 11, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 PHPOK v6.3 was discovered to contain a remote code execution (RCE) vulnerability.
CVE-2023-24955 1Microsoft 2Sharepoint Enterprise Server Sharepoint Server Oct 28, 2025 May 9, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2023-2583 1Jsreport 1Jsreport Nov 21, 2024 May 8, 2023 N/A· v4 10.0 CRITICAL· v3 N/A· v2 Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3.
CVE-2023-29963 1S Cms 1S Cms Jan 29, 2025 May 5, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 S-CMS v5.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /admin/ajax.php.
CVE-2023-31415 1Elastic 1Kibana Jan 29, 2025 May 4, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the a...Show more Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.Show less
CVE-2023-31414 1Elastic 1Kibana Jan 29, 2025 May 4, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. T...Show more Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.Show less
CVE-2023-1178 1Gitlab 1Gitlab Nov 21, 2024 May 3, 2023 N/A· v4 5.7 MEDIUM· v3 N/A· v2 An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromi...Show more An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit.Show less
CVE-2023-26546 1Echa.europa 1Iuclid Jan 30, 2025 May 2, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager p...Show more European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission.Show less

Previous 1...168169170...324 Next