Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-23389 1Totaljs 1Total.js Nov 21, 2024 Jul 12, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
CVE-2021-1585 1Cisco 1Adaptive Security Device Manager Nov 21, 2024 Jul 8, 2021 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 A vulnerability in the Cisco Adaptive Security Device Manager (ASDM) Launcher could allow an unauthenticated, remote attacker to execute arbitrary code on a user's operating system. This vulnerability is due to a lack of...Show more A vulnerability in the Cisco Adaptive Security Device Manager (ASDM) Launcher could allow an unauthenticated, remote attacker to execute arbitrary code on a user's operating system. This vulnerability is due to a lack of proper signature verification for specific code exchanged between the ASDM and the Launcher. An attacker could exploit this vulnerability by leveraging a man-in-the-middle position on the network to intercept the traffic between the Launcher and the ASDM and then inject arbitrary code. A successful exploit could allow the attacker to execute arbitrary code on the user's operating system with the level of privileges assigned to the ASDM Launcher. A successful exploit may require the attacker to perform a social engineering attack to persuade the user to initiate communication from the Launcher to the ASDM.Show less
CVE-2020-23219 1Monstra 1Monstra Cms Nov 21, 2024 Jul 1, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Monstra CMS 3.0.4 allows attackers to execute arbitrary code via a crafted payload entered into the "Snippet content" field under the "Edit Snippet" module.
CVE-2021-35514 1Narou Project 1Narou Nov 21, 2024 Jun 28, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel.
CVE-2020-21784 1Phpwcms 1Phpwcms Nov 21, 2024 Jun 24, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 phpwcms 1.9.13 is vulnerable to Code Injection via /phpwcms/setup/setup.php.
CVE-2020-22201 1Phpcms 1Phpcms Nov 21, 2024 Jun 16, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 phpCMS 2008 sp4 allowas remote malicious users to execute arbitrary php commands via the pagesize parameter to yp/product.php.
CVE-2021-25416 1Google 1Android Nov 21, 2024 Jun 11, 2021 N/A· v4 6.5 MEDIUM· v3 2.1 LOW· v2 Assuming EL1 is compromised, an improper address validation in RKP prior to SMR JUN-2021 Release 1 allows local attackers to create executable kernel page outside code area.
CVE-2021-25415 1Google 1Android Nov 21, 2024 Jun 11, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Assuming EL1 is compromised, an improper address validation in RKP prior to SMR JUN-2021 Release 1 allows local attackers to remap EL2 memory as writable.
CVE-2021-25411 1Google 1Android Nov 21, 2024 Jun 11, 2021 N/A· v4 4.4 MEDIUM· v3 2.1 LOW· v2 Improper address validation vulnerability in RKP api prior to SMR JUN-2021 Release 1 allows root privileged local attackers to write read-only kernel memory.
CVE-2021-25393 1Google 1Android Nov 21, 2024 Jun 11, 2021 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 Improper sanitization of incoming intent in SecSettings prior to SMR MAY-2021 Release 1 allows local attackers to get permissions to access system uid data.
CVE-2021-31949 1Microsoft 3365 Apps OfficeOutlook Feb 28, 2025 Jun 8, 2021 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 Microsoft Outlook Remote Code Execution Vulnerability
CVE-2021-32673 1Reg Keygen Git Hash Project 1Reg Keygen Git Hash Nov 21, 2024 Jun 8, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 reg-keygen-git-hash-plugin is a reg-suit plugin to detect the snapshot key to be compare with using Git commit hash. reg-keygen-git-hash-plugin through and including 0.10.15 allow remote attackers to execute of arbitrary...Show more reg-keygen-git-hash-plugin is a reg-suit plugin to detect the snapshot key to be compare with using Git commit hash. reg-keygen-git-hash-plugin through and including 0.10.15 allow remote attackers to execute of arbitrary commands. Upgrade to version 0.10.16 or later to resolve this issue.Show less
CVE-2021-22336 1Huawei 2Emui Magic Ui Nov 21, 2024 Jun 3, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 There is an Improper Control of Generation of Code vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause denial of security services on a rooted device.
CVE-2021-32924 1Invisioncommunity 1Ips Community Suite Nov 21, 2024 Jun 1, 2021 N/A· v4 8.8 HIGH· v3 6.0 MEDIUM· v2 Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\_builder::previewBlock method interacts unsafely with the IPS\_Theme::...Show more Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\_builder::previewBlock method interacts unsafely with the IPS\_Theme::runProcessFunction method.Show less
CVE-2021-24312 1Automattic 1Wp Super Cache Nov 21, 2024 Jun 1, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they...Show more The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. This is due to an incomplete fix of CVE-2021-24209.Show less
CVE-2021-30461 1Voipmonitor 1Voipmonitor Nov 21, 2024 May 29, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configurati...Show more A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.Show less
CVE-2021-32621 1Xwiki 1Xwiki Nov 21, 2024 May 28, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without Script or Programming right is able to execute script requi...Show more XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.Show less
CVE-2021-29505 5Debian FedoraprojectNetapp+2 more 17Banking Cash Management Banking Corporate Lending Process ManagementBanking Credit Facilities Process Management+14 more May 30, 2025 May 28, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipu...Show more XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.Show less
CVE-2021-22900 2Ivanti Pulsesecure 2Connect Secure Pulse Connect Secure Dec 18, 2025 May 27, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the admi...Show more A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.Show less
CVE-2021-22894 1Ivanti 1Connect Secure Dec 18, 2025 May 27, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room.

Previous 1...191192193...324 Next