Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-0788 1Phpmyfaq 1Phpmyfaq Mar 21, 2025 Feb 12, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Code Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CVE-2022-45699 1Apsystems 1Ecu R Firmware Jun 17, 2025 Feb 10, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.
CVE-2023-23912 1Ui 10Er 10x Firmware Er 12 FirmwareEr 12p Firmware+7 more Mar 24, 2025 Feb 9, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows...Show more A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability.Show less
CVE-2023-0575 1Yugabyte 1Yugabytedb Nov 21, 2024 Feb 9, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java...Show more External Control of Critical State Data, Improper Control of Generation of Code ('Code Injection') vulnerability in YugaByte, Inc. Yugabyte DB on Windows, Linux, MacOS, iOS (DevopsBase.Java:execCommand, TableManager.Java:runCommand modules) allows API Manipulation, Privilege Abuse. This vulnerability is associated with program files backup.Py. This issue affects Yugabyte DB: Lesser then 2.2.0.0 Show less
CVE-2023-0671 1Froxlor 1Froxlor Nov 21, 2024 Feb 4, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.
CVE-2023-24576 1Dell 1Emc Networker Nov 21, 2024 Feb 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 EMC NetWorker may potentially be vulnerable to an unauthenticated remote code execution vulnerability in the NetWorker Client execution service (nsrexecd) irrespective of any auth used.
CVE-2023-23477 1Ibm 1Websphere Application Server Nov 21, 2024 Feb 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. IBM X-Force ID: 245513.
CVE-2021-36424 1Phpwcms 1Phpwcms Mar 26, 2025 Feb 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via DB user field during installation.
CVE-2022-48093 1Seacms 1Seacms Mar 27, 2025 Feb 1, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Seacms v12.7 was discovered to contain a remote code execution (RCE) vulnerability via the ip parameter at admin_ ip.php.
CVE-2022-27537 1Hp 327Dragonfly Folio G3 2 In 1 Firmware Elite Dragonfly FirmwareElite Dragonfly G2 Firmware+324 more Mar 27, 2025 Feb 1, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure. HP is relea...Show more Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure. HP is releasing BIOS updates to mitigate these potential vulnerabilities.Show less
CVE-2022-48175 1Rukovoditel 1Rukovoditel Mar 28, 2025 Jan 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request.
CVE-2022-25967 1Eta.js 1Eta Mar 27, 2025 Jan 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. Note: This is exp...Show more Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data. Show less
CVE-2021-4315 1Psiturk 1Psiturk Nov 21, 2024 Jan 28, 2023 N/A· v4 8.8 HIGH· v3 5.2 MEDIUM· v2 A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper...Show more A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper neutralization of special elements used in a template engine. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.1 is able to address this issue. The name of the patch is 47787e15cecd66f2aa87687bf852ae0194a4335f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-219676.Show less
CVE-2022-48116 1Ayacms Project 1Ayacms Mar 28, 2025 Jan 27, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 AyaCMS v3.1.2 was discovered to contain a remote code execution (RCE) vulnerability via the component /admin/tpl_edit.inc.php.
CVE-2023-23619 1Lfprojects 1Modelina Nov 21, 2024 Jan 26, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the d...Show more Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the default presets and/or does not handle the functionality themself. This issue has been partially mitigated in version 1.0.0, with the maintainer's GitHub Security Advisory (GHSA) noting "It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue. Further similar situations are NOT seen as a security issue, but intended behavior." The suggested workaround from the maintainers is "Fully custom presets that change the entire rendering process which can then escape the user input."Show less
CVE-2022-25894 1Uflo Project 1Uflo Apr 1, 2025 Jan 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via jexl.createExpression(expression).evaluate(context); functionality, due to imprope...Show more All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via jexl.createExpression(expression).evaluate(context); functionality, due to improper user input validation.Show less
CVE-2022-25860 1Simple Git Project 1Simple Git Apr 1, 2025 Jan 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due t...Show more Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221). Show less
CVE-2023-24059 1Rockstargames 1Grand Theft Auto V Apr 2, 2025 Jan 22, 2023 N/A· v4 7.3 HIGH· v3 N/A· v2 Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023.
CVE-2020-36655 1Yiiframework 1Gii Apr 2, 2025 Jan 21, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.
CVE-2021-37774 1Tp Link 1Tl Wdr7660 Firmware Apr 4, 2025 Jan 19, 2023 N/A· v4 8.0 HIGH· v3 N/A· v2 An issue was discovered in function httpProcDataSrv in TL-WDR7660 2.0.30 that allows attackers to execute arbitrary code.

Previous 1...173174175...324 Next