Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-0944 1Sqlpad 1Sqlpad Nov 21, 2024 Mar 15, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1.
CVE-2021-25003 1Wptaskforce 1Wpcargo Track & Trace Nov 21, 2024 Mar 14, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE
CVE-2022-0921 1Microweber 1Microweber Nov 21, 2024 Mar 11, 2022 N/A· v4 6.7 MEDIUM· v3 6.5 MEDIUM· v2 Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12.
CVE-2021-44618 1Nystudio107 1Seomatic Nov 21, 2024 Mar 11, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Server-side Template Injection (SSTI) vulnerability exists in Nystudio107 Seomatic 3.4.12 in src/helpers/UrlHelper.php via the host header.
CVE-2022-24915 1Ipcomm 1Ipdio Firmware Nov 21, 2024 Mar 10, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where t...Show more The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to upload, copy, download, or delete an existing configuration (Administrative Services).Show less
CVE-2022-22985 1Ipcomm 1Ipdio Firmware Nov 21, 2024 Mar 10, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web sectio...Show more The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the information is displayed. Injection can be done on specific parameters. The injected code is executed when a legitimate user attempts to review history.Show less
CVE-2022-24734 1Mybb 1Mybb Nov 21, 2024 Mar 9, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of suppo...Show more MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.Show less
CVE-2022-24512 2Fedoraproject Microsoft 6.net .net CoreFedora+3 more May 27, 2026 Mar 9, 2022 N/A· v4 6.3 MEDIUM· v3 6.8 MEDIUM· v2 .NET and Visual Studio Remote Code Execution Vulnerability
CVE-2022-0896 1Microweber 1Microweber Nov 21, 2024 Mar 9, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.
CVE-2021-43944 1Atlassian 2Jira Data Center Jira Server Nov 21, 2024 Mar 8, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attacker...Show more This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.Show less
CVE-2022-0845 1Lightningai 1Pytorch Lightning Nov 21, 2024 Mar 5, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.
CVE-2022-22947 2Oracle Vmware 10Commerce Guided Search Communications Cloud Native Core Binding Support FunctionCommunications Cloud Native Core Console+7 more Oct 30, 2025 Mar 3, 2022 N/A· v4 10.0 CRITICAL· v3 6.8 MEDIUM· v2 In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a ma...Show more In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.Show less
CVE-2022-22909 1Digitaldruid 1Hoteldruid Nov 21, 2024 Mar 3, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module.
CVE-2022-0819 1Dolibarr 1Dolibarr Erp/crm Nov 21, 2024 Mar 2, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
CVE-2021-44238 1Ayacms Project 1Ayacms Nov 21, 2024 Mar 1, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 AyaCMS 3.1.2 is vulnerable to Remote Code Execution (RCE) via /aya/module/admin/ust_tab_e.inc.php,
CVE-2022-25018 1Pluxml 1Pluxml Nov 21, 2024 Mar 1, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages.
CVE-2022-24442 1Jetbrains 1Youtrack Nov 21, 2024 Feb 25, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
CVE-2021-22395 1Huawei 3Emui HarmonyosMagic Ui Nov 21, 2024 Feb 25, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 There is a code injection vulnerability in smartphones. Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2022-23810 1Appleple 1A Blog Cms Nov 21, 2024 Feb 24, 2022 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Template injection (Improper Neutralization of Special Elements Used in a Template Engine) vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.75, Ver.2.9.x series versions prior to Ver.2.9.40, Ver.2.1...Show more Template injection (Improper Neutralization of Special Elements Used in a Template Engine) vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.75, Ver.2.9.x series versions prior to Ver.2.9.40, Ver.2.10.x series versions prior to Ver.2.10.44, Ver.2.11.x series versions prior to Ver.2.11.42, and Ver.3.0.x series versions prior to Ver.3.0.1 allows a remote authenticated attacker to obtain an arbitrary file on the server via unspecified vectors.Show less
CVE-2022-24295 1Okta 1Advanced Server Access Client For Windows Nov 21, 2024 Feb 21, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL.

Previous 1...184185186...324 Next