CWE-94

6,471 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
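An added illustration, not part of the CWE entry or of any product listed below, of the two shapes this weakness takes in the CVEs that follow: a settings value written into a source file as a quoted literal, and a request parameter handed straight to eval(). It is written in Python so it runs stand-alone; the function names, the canary and the payload are constructed for the example, and the PHP products mentioned in the docstring are named only for the pattern they exhibit, not reproduced.

```python
"""CWE-94 in miniature: source code assembled from untrusted input.

Two shapes of the weakness recur in the CVE list on this page:
  (1) an installer or settings page writes a request value into a source
      file as a quoted literal (MiniCMS mc_conf.php, YUNUCMS database.php,
      s-cms robots.php), and
  (2) a request parameter is passed straight to eval()
      (DuomiCMS search.php, Merlin.PHP api.php).
Each is shown below next to a hardened version. All names and the payload
are constructed for this example; nothing here is taken from a real product.
"""
import ast
import json

# Constructed payload: closes the single-quoted literal, appends a statement
# of the attacker's choosing, and comments out the quote the template adds.
PAYLOAD = "x'; pwned = True  #"


def render_config_vulnerable(site_name: str) -> str:
    """Interpolates the value into a literal without neutralizing the quote
    character, so the value can end the literal and continue as code."""
    return f"SITE_NAME = '{site_name}'\n"


def render_config_hardened(site_name: str) -> str:
    """repr() escapes quotes, backslashes and newlines, so the emitted text
    is exactly one string literal whatever the input contains. PHP's
    var_export() plays the same role. This is still code generation, but
    the grammar of the generated code is no longer under the caller's control."""
    return f"SITE_NAME = {site_name!r}\n"


def load_config(source: str) -> dict:
    """Runs the generated module the way the application would on its next
    request. The 'pwned' canary records whether any injected statement ran."""
    namespace = {"pwned": False}
    exec(source, namespace)  # intentionally executes generated code
    return {"site_name": namespace.get("SITE_NAME"), "pwned": namespace["pwned"]}


def store_config_as_data(site_name: str) -> str:
    """The design that removes the weakness class entirely: persist settings
    as data (JSON here) and never as executable source."""
    return json.dumps({"site_name": site_name})


def load_config_as_data(blob: str) -> dict:
    return json.loads(blob)


def evaluate_vulnerable(expr: str):
    """eval() on a request parameter: any expression, including calls and
    imports, runs with the application's privileges."""
    return eval(expr)  # intentionally vulnerable


def evaluate_hardened(expr: str):
    """ast.literal_eval() parses only literal syntax (strings, numbers,
    tuples, lists, dicts, sets, booleans, None) and raises ValueError on
    names, attribute access and calls. It is not a sandbox: deeply nested
    input can still exhaust the parser, so cap len(expr) before calling."""
    return ast.literal_eval(expr)


def literal_eval_rejects(expr: str) -> bool:
    """True when the hardened evaluator refuses the input."""
    try:
        ast.literal_eval(expr)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable config:", load_config(render_config_vulnerable(PAYLOAD)))
    print("hardened config:  ", load_config(render_config_hardened(PAYLOAD)))
    print("as data:          ", load_config_as_data(store_config_as_data(PAYLOAD)))
    print("eval:             ", evaluate_vulnerable("len('abc')"))
    print("literal_eval rejects call:", literal_eval_rejects("len('abc')"))
```

With the payload above, the vulnerable renderer produces `SITE_NAME = 'x'; pwned = True  #'`, which sets the canary when the application next loads its configuration; the repr()-based renderer produces a single double-quoted literal and the canary stays false. The JSON variant is the fix to prefer: escaping only narrows what the attacker can write, whereas storing data as data removes the code path in which it could ever be interpreted.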


CVEs (6,471)

Fields per entry: vendor(s) · product(s) · updated · published · CVSS (v4 / v3 / v2), followed by the description.

Ibm · Websphere Mq · updated Nov 21, 2024 · published Nov 13, 2018 · CVSS v4 N/A / v3 7.8 HIGH / v2 7.2 HIGH
IBM WebSphere MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, 9.0.1 through 9.0.5, and 9.1.0.0 could allow a local user to inject code that could be executed with root privileges. IBM X-Force ID: 148947.

Laobancms · Laobancms · updated Nov 21, 2024 · published Nov 12, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
An issue was discovered in LAOBANCMS 2.0. It allows remote attackers to execute arbitrary PHP code via the host parameter to the install/ URI.

Xiaocms · Xiaocms · updated Nov 21, 2024 · published Nov 12, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
An issue was discovered in XiaoCms 20141229. It allows remote attackers to execute arbitrary code by using the type parameter to bypass the standard admin\controller\uploadfile.php restrictions on uploaded file types (jpg, jpeg, bmp, png, gif), as demonstrated by an admin/index.php?c=uploadfile&a=uploadify_upload&type=php URI.

Yunucms · Yunucms · updated Nov 21, 2024 · published Nov 11, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
statics/app/index/controller/Install.php in YUNUCMS 1.1.5 (if install.lock is not present) allows remote attackers to execute arbitrary PHP code by placing this code in the index.php?s=index/install/setup2 DB_PREFIX field, which is written to database.php.

Phpcms · Phpcms · updated Nov 21, 2024 · published Nov 9, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.

Pbootcms · Pbootcms · updated Nov 21, 2024 · published Nov 7, 2018 · CVSS v4 N/A / v3 7.2 HIGH / v2 6.5 MEDIUM
PbootCMS 1.2.2 allows remote attackers to execute arbitrary PHP code by specifying a .php filename in a "SET GLOBAL general_log_file" statement, followed by a SELECT statement containing this PHP code.

Redhat · 2 products: Enterprise Linux, Richfaces · updated Nov 3, 2025 · published Nov 6, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

Vanillaforums · Vanilla · updated Nov 21, 2024 · published Nov 3, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
Vanilla 2.6.x before 2.6.4 allows remote code execution.

Rainmachine · Mini 8 Firmware · updated Nov 21, 2024 · published Nov 1, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
The 'Weather Service' feature of the Green Electronics RainMachine Mini-8 (2nd generation) allows an attacker to inject arbitrary Python code via the 'Add new weather data source' upload function.

1234n · Minicms · updated Nov 21, 2024 · published Nov 1, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php.

Redhat · 2 products: Cloudforms, Cloudforms Management Engine · updated Nov 21, 2024 · published Oct 31, 2018 · CVSS v4 N/A / v3 8.8 HIGH / v2 9.0 HIGH
A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as.

Doccms · Doccms · updated Nov 21, 2024 · published Oct 30, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
upload_template() in system/changeskin.php in DocCms 2016.5.12 allows remote attackers to execute arbitrary PHP code via a template file.

Kibokolabs · Arigato Autoresponder And Newsletter · updated Nov 21, 2024 · published Oct 18, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
The Arigato Autoresponder and Newsletter (aka bft-autoresponder) v2.5.1.7 plugin for WordPress allows remote attackers to execute arbitrary code via PHP code in attachments[] data to models/attachment.php.

S Cms · S Cms · updated Nov 21, 2024 · published Oct 17, 2018 · CVSS v4 N/A / v3 8.8 HIGH / v2 9.0 HIGH
s-cms 3.0 allows remote attackers to execute arbitrary PHP code by placing this code in a crafted User-agent Disallow value in the robots.php txt parameter.

Asuswrt Merlin Project · 14 products: Rt Ac1900 Firmware, Rt Ac2900 Firmware, Rt Ac3100 Firmware, +11 more · updated Nov 21, 2024 · published Oct 15, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution.

Bagesoft · Bagecms · updated Nov 21, 2024 · published Oct 11, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
An issue was discovered in BageCMS 3.1.3. The attacker can execute arbitrary PHP code on the web server and can read any file on the web server via an index.php?r=admini/template/updateTpl&filename= URI.

Adbglobal · Epicentro · updated Nov 21, 2024 · published Oct 9, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
Code injection in the /ui/login form Language parameter in Epicentro E_7.3.2+ allows attackers to execute JavaScript code by making a user issue a manipulated POST request.

Comsenz · Duomicms · updated Nov 21, 2024 · published Oct 9, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
An issue was discovered in DuomiCMS 3.0. Remote PHP code execution is possible via the search.php searchword parameter because "eval" is used during "if" processing.

Videowhisper · Video Presentation · updated Nov 21, 2024 · published Oct 5, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code.

Emerson · Ams Device Manager · updated Nov 21, 2024 · published Oct 1, 2018 · CVSS v4 N/A / v3 9.8 CRITICAL / v2 7.5 HIGH
Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script may be run that allows arbitrary remote code execution.