Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-11593 1Adblockplus 1Adblock Plus Nov 21, 2024 Apr 29, 2019 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 In Adblock Plus before 3.5.2, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and th...Show more In Adblock Plus before 3.5.2, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect.Show less
CVE-2011-1830 1Ekiga 1Ekiga Nov 21, 2024 Apr 22, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Ekiga versions before 3.3.0 attempted to load a module from /tmp/ekiga_test.so.
CVE-2019-11376 1Brassica 1Soy Cms Nov 21, 2024 Apr 20, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SOY CMS v3.0.2 allows remote attackers to execute arbitrary PHP code via a <?php substring in the second text box. NOTE: the vendor indicates that there was an assumption that the content is "made editable on its own.
CVE-2019-10633 1Zyxel 1Nas326 Firmware Nov 21, 2024 Apr 9, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An eval injection vulnerability in the Python web server routing on the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to execute arbitrary code via the tjp6jp6y4, simZysh, and ck6fup6 APIs.
CVE-2019-10863 1Combodo 1Teemip Nov 21, 2024 Apr 4, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A command injection vulnerability exists in TeemIp versions before 2.4.0. The new_config parameter of exec.php allows one to create a new PHP file with the exception of config information. The malicious PHP code sent is...Show more A command injection vulnerability exists in TeemIp versions before 2.4.0. The new_config parameter of exec.php allows one to create a new PHP file with the exception of config information. The malicious PHP code sent is executed instantaneously and is not saved on the server.Show less
CVE-2019-10842 1Getbootstrap 1Bootstrap Sass Nov 21, 2024 Apr 4, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be...Show more Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare.Show less
CVE-2019-10684 174cms 174cms Nov 21, 2024 Apr 1, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Application/Admin/Controller/ConfigController.class.php in 74cms v5.0.1 allows remote attackers to execute arbitrary PHP code via the index.php?m=Admin&c=config&a=edit site_domain parameter.
CVE-2017-18108 1Atlassian 1Crowd Nov 21, 2024 Mar 29, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection.
CVE-2018-19641 1Microfocus 1Solutions Business Manager Nov 21, 2024 Mar 27, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Unauthenticated remote code execution issue in Micro Focus Solutions Business Manager (SBM) (formerly Serena Business Manager (SBM)) versions prior to 11.5.
CVE-2014-5401 1Hospira 1Mednet Nov 3, 2025 Mar 26, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Hospira MedNet software version 5.8 and prior uses vulnerable versions of the JBoss Enterprise Application Platform software that may allow unauthenticated users to execute arbitrary code on the target system. Hospira ha...Show more Hospira MedNet software version 5.8 and prior uses vulnerable versions of the JBoss Enterprise Application Platform software that may allow unauthenticated users to execute arbitrary code on the target system. Hospira has developed a new version of the MedNet software, MedNet 6.1. Existing versions of MedNet can be upgraded to MedNet 6.1.Show less
CVE-2019-7610 1Elastic 1Kibana Nov 21, 2024 Mar 25, 2019 N/A· v4 9.0 CRITICAL· v3 9.3 HIGH· v2 Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that wil...Show more Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.Show less
CVE-2019-7609 2Elastic Redhat 2Kibana Openshift Container Platform Nov 7, 2025 Mar 25, 2019 N/A· v4 10.0 CRITICAL· v3 10.0 HIGH· v2 Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascrip...Show more Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.Show less
CVE-2019-10015 1Baigo 1Baigo Sso Nov 21, 2024 Mar 24, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 baigoStudio baigoSSO v3.0.1 allows remote attackers to execute arbitrary PHP code via the first form field of a configuration screen, because this code is written to the BG_SITE_NAME field in the opt_base.inc.php file.
CVE-2019-5413 1Morgan Project 1Morgan Nov 21, 2024 Mar 21, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.
CVE-2019-9651 1Sdcms 1Sdcms Nov 21, 2024 Mar 11, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in SDCMS V1.7. In the \app\admin\controller\themecontroller.php file, the check_bad() function's filtering is not strict, resulting in PHP code execution. This occurs because some dangerous PHP fu...Show more An issue was discovered in SDCMS V1.7. In the \app\admin\controller\themecontroller.php file, the check_bad() function's filtering is not strict, resulting in PHP code execution. This occurs because some dangerous PHP functions (such as "eval") are blocked but others (such as "system") are not, and because ".php" is blocked but ".PHP" is not blocked.Show less
CVE-2013-7468 1Simplemachines 1Simple Machines Forum Nov 21, 2024 Mar 7, 2019 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the index.php?action=admin;area=languages;sa=editlang dictionary parameter.
CVE-2019-9227 1Baigo 1Baigo Cms Nov 21, 2024 Feb 28, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in baigo CMS 2.1.1. There is a vulnerability that allows remote attackers to execute arbitrary code. A BG_SITE_NAME parameter with malicious code can be written into the opt_base.inc.php file.
CVE-2019-9115 1Irisnet 1Irisnet Crypto Nov 21, 2024 Feb 25, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In irisnet-crypto before 1.1.7 for IRISnet, the util/utils.js file allows code execution because of unsafe eval usage.
CVE-2019-9082 3Opensourcebms ThinkphpZzzcms 3Open Source Background Management System ThinkphpZzzphp Dec 9, 2025 Feb 24, 2019 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed...Show more ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.Show less
CVE-2018-3700 1Intel 1Usb 3.0 Extensible Host Controller Driver Nov 21, 2024 Feb 18, 2019 N/A· v4 6.7 MEDIUM· v3 4.6 MEDIUM· v2 Code injection vulnerability in the installer for Intel(R) USB 3.0 eXtensible Host Controller Driver for Microsoft Windows 7 before version 5.0.4.43v2 may allow a user to potentially enable escalation of privilege via lo...Show more Code injection vulnerability in the installer for Intel(R) USB 3.0 eXtensible Host Controller Driver for Microsoft Windows 7 before version 5.0.4.43v2 may allow a user to potentially enable escalation of privilege via local access.Show less

Previous 1...205206207...324 Next