Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-1304 1Rapid7 2Insightappsec Insightcloudsec Feb 25, 2025 Mar 21, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Ma...Show more An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec. Show less
CVE-2023-1250 1Otrs 1Otrs Nov 21, 2024 Mar 20, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that g...Show more Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. Show less
CVE-2023-1482 1Hkcms Project 1Hkcms Nov 21, 2024 Mar 18, 2023 N/A· v4 8.8 HIGH· v3 5.8 MEDIUM· v2 A vulnerability, which was classified as problematic, was found in HkCms 2.2.4.230206. This affects an unknown part of the file /admin.php/appcenter/local.html?type=addon of the component External Plugin Handler. The man...Show more A vulnerability, which was classified as problematic, was found in HkCms 2.2.4.230206. This affects an unknown part of the file /admin.php/appcenter/local.html?type=addon of the component External Plugin Handler. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223365 was assigned to this vulnerability.Show less
CVE-2023-0598 1Ge 1Ifix Nov 21, 2024 Mar 16, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web serv...Show more GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web server execution path and gain full control of the HMI software. Show less
CVE-2023-24795 1Jcgcn.com 1Jhr N916r Firmware Feb 26, 2025 Mar 16, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Command execution vulnerability was discovered in JHR-N916R router firmware version<=21.11.1.1483.
CVE-2023-25344 2Swig Templates Project Swig Project 2Swig Swig Templates Feb 27, 2025 Mar 15, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to execute arbitrary code via crafted Object.prototype anonymous function.
CVE-2023-27893 1Sap 1Solution Manager Nov 21, 2024 Mar 14, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An attacker authenticated as a user with a non-administrative role and a common remote execution authorization in SAP Solution Manager and ABAP managed systems (ST-PI) - versions 2088_1_700, 2008_1_710, 740, can use a vu...Show more An attacker authenticated as a user with a non-administrative role and a common remote execution authorization in SAP Solution Manager and ABAP managed systems (ST-PI) - versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable. Show less
CVE-2023-1367 1Easyappointments 1Easy!appointments Nov 21, 2024 Mar 13, 2023 N/A· v4 3.8 LOW· v3 N/A· v2 Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
CVE-2023-0888 1Bbraun 1Battery Pack Sp With Wifi Firmware Nov 21, 2024 Mar 13, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 An improper neutralization of directives in dynamically evaluated code vulnerability in the WiFi Battery embedded web server in versions L90/U70 and L92/U92 can be used to gain administrative access to the WiFi communica...Show more An improper neutralization of directives in dynamically evaluated code vulnerability in the WiFi Battery embedded web server in versions L90/U70 and L92/U92 can be used to gain administrative access to the WiFi communication module. An authenticated user, having access to both the medical device WiFi network (such as a biomedical engineering staff member) and the specific B.Braun Battery Pack SP with WiFi web server credentials, could get administrative (root) access on the infusion pump communication module. This could be used as a vector to start further attacks Show less
CVE-2023-1287 13ds 1Enovia Live Collaboration Nov 21, 2024 Mar 9, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An XSL template vulnerability in ENOVIA Live Collaboration V6R2013xE allows Remote Code Execution.
CVE-2023-27986 1Gnu 1Emacs Mar 5, 2025 Mar 9, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90.
CVE-2023-1283 2Builder Qwik 2Qwik Qwik Mar 13, 2026 Mar 8, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Code Injection in GitHub repository builderio/qwik prior to 0.21.0.
CVE-2023-22889 1Smartbear 1Zephyr Enterprise Mar 5, 2025 Mar 8, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SmartBear Zephyr Enterprise through 7.15.0 mishandles user-defined input during report generation. This could lead to remote code execution by unauthenticated users.
CVE-2023-0090 1Proofpoint 1Enterprise Protection Nov 21, 2024 Mar 8, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The webservices in Proofpoint Enterprise Protection (PPS/POD) contain a vulnerability that allows for an anonymous user to execute remote code through 'eval injection'. Exploitation requires network access to the webser...Show more The webservices in Proofpoint Enterprise Protection (PPS/POD) contain a vulnerability that allows for an anonymous user to execute remote code through 'eval injection'. Exploitation requires network access to the webservices API, but such access is a non-standard configuration. This affects all versions 8.20.0 and below. Show less
CVE-2023-0089 1Proofpoint 1Enterprise Protection Nov 21, 2024 Mar 8, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The webutils in Proofpoint Enterprise Protection (PPS/POD) contain a vulnerability that allows an authenticated user to execute remote code through 'eval injection'. This affects all versions 8.20.0 and below.
CVE-2023-1003 1Typora 1Typora Nov 21, 2024 Mar 7, 2023 N/A· v4 7.8 HIGH· v3 4.3 MEDIUM· v2 A vulnerability, which was classified as critical, was found in Typora up to 1.5.5 on Windows. Affected is an unknown function of the component WSH JScript Handler. The manipulation leads to code injection. An attack has...Show more A vulnerability, which was classified as critical, was found in Typora up to 1.5.5 on Windows. Affected is an unknown function of the component WSH JScript Handler. The manipulation leads to code injection. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.8 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221736.Show less
CVE-2021-36394 1Moodle 1Moodle Mar 6, 2025 Mar 6, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
CVE-2023-24776 1Funadmin 1Funadmin Mar 6, 2025 Mar 6, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addon.php.
CVE-2023-26107 1Ebay 1Sketchsvg Mar 5, 2025 Mar 6, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection when invoking shell.exec without sanitization nor parametrization while concatenating the current directory as part of the command string....Show more All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection when invoking shell.exec without sanitization nor parametrization while concatenating the current directory as part of the command string. Show less
CVE-2022-45553 1Zbt 1We1626 Firmware Mar 7, 2025 Mar 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue discovered in Shenzhen Zhibotong Electronics WBT WE1626 Router v 21.06.18 allows attacker to execute arbitrary commands via serial connection to the UART port.

Previous 1...171172173...324 Next