Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-17132 1Vbulletin 1Vbulletin Nov 21, 2024 Oct 4, 2019 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 vBulletin through 5.5.4 mishandles custom avatars.
CVE-2019-10431 1Jenkins 1Script Security Nov 21, 2024 Oct 1, 2019 N/A· v4 9.9 CRITICAL· v3 6.5 MEDIUM· v2 A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.
CVE-2019-16759 1Vbulletin 1Vbulletin Nov 7, 2025 Sep 24, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.
CVE-2019-16645 1Embedthis 1Goahead Nov 21, 2024 Sep 20, 2019 N/A· v4 8.6 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. Thi...Show more An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack.Show less
CVE-2019-15087 1Prise 1Adas Nov 21, 2024 Sep 20, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in PRiSE adAS 1.7.0. An authenticated user can change the function used to hash passwords to any function, leading to remote code execution.
CVE-2019-15001 1Atlassian 2Jira Data Center Jira Server Nov 21, 2024 Sep 19, 2019 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0...Show more The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request.Show less
CVE-2019-13558 1Advantech 1Webaccess Nov 21, 2024 Sep 18, 2019 N/A· v4 9.8 CRITICAL· v3 9.0 HIGH· v2 In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash.
CVE-2019-3759 1Dell 2Rsa Identity Governance And Lifecycle Rsa Via Lifecycle And Governance Nov 21, 2024 Sep 11, 2019 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit...Show more The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system.Show less
CVE-2019-0355 1Sap 1Netweaver Application Server Java Nov 21, 2024 Sep 10, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed...Show more SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.Show less
CVE-2019-15873 1Metagauss 1Profilegrid Nov 21, 2024 Sep 3, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The profilegrid-user-profiles-groups-and-communities plugin before 2.8.6 for WordPress has remote code execution via an wp-admin/admin-ajax.php request with the action=pm_template_preview&html=<?php substring followed by...Show more The profilegrid-user-profiles-groups-and-communities plugin before 2.8.6 for WordPress has remote code execution via an wp-admin/admin-ajax.php request with the action=pm_template_preview&html=<?php substring followed by PHP code.Show less
CVE-2019-2390 1Mongodb 1Mongodb Feb 23, 2026 Aug 30, 2019 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user runnin...Show more An unprivileged user or program on Microsoft Windows which can create OpenSSL configuration files in a fixed location may cause utility programs shipped with MongoDB server to run attacker defined code as the user running the utility. This issue MongoDB Server v4.0 versions prior to 4.0.11; MongoDB Server v3.6 versions prior to 3.6.14 and MongoDB Server v3.4 prior to 3.4.22.Show less
CVE-2019-15647 1Groundhogg 1Groundhogg Nov 21, 2024 Aug 27, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution.
CVE-2018-21005 1Bbpress Move Topics Project 1Bbpress Move Topics Nov 21, 2024 Aug 27, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The bbp-move-topics plugin before 1.1.6 for WordPress has code injection.
CVE-2019-15642 1Webmin 1Webmin Nov 21, 2024 Aug 26, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used t...Show more rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."Show less
CVE-2018-20988 1Google Forms Project 1Google Forms Nov 21, 2024 Aug 22, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The wpgform plugin before 0.94 for WordPress has eval injection in the CAPTCHA calculation.
CVE-2018-18573 1Oscommerce 1Oscommerce Nov 21, 2024 Aug 22, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrar...Show more osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI.Show less
CVE-2019-15318 1Yikesinc 1Easy Forms For Mailchimp Nov 21, 2024 Aug 22, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input field.
CVE-2019-15224 1Rest Client Project 1Rest Client Nov 21, 2024 Aug 19, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions <=1.6.9 and >=1.6.14 are unaffected.
CVE-2019-1194 1Microsoft 1Internet Explorer Feb 20, 2026 Aug 14, 2019 N/A· v4 7.5 HIGH· v3 7.6 HIGH· v2 A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitr...Show more A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.Show less
CVE-2019-1157 1Microsoft 8Windows 10 Windows 7Windows 8.1+5 more Feb 20, 2026 Aug 14, 2019 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim s...Show more A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.Show less

Previous 1...202203204...324 Next