CWE-94

6,471 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.


CVEs (6,471)

| Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|---|---|---|
| Zetacomponents | Mail | May 13, 2026 | Nov 15, 2017 | N/A | 8.1 HIGH | 6.8 MEDIUM | The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php." |
| Cacti | Cacti | May 13, 2026 | Nov 15, 2017 | N/A | 8.8 HIGH | 6.5 MEDIUM | Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()). |
| Cmsmadesimple | Cms Made Simple | May 13, 2026 | Nov 10, 2017 | N/A | 9.8 CRITICAL | 7.5 HIGH | In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter. |
| Enalean | Tuleap | May 13, 2026 | Oct 30, 2017 | N/A | 8.8 HIGH | 6.5 MEDIUM | An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks (including but not limited to Remote Code Execution). |
| Artica | Pandora Fms | May 13, 2026 | Oct 27, 2017 | N/A | 7.2 HIGH | 9.0 HIGH | Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file. |
| Mobatek | Mobaxterm | May 13, 2026 | Oct 16, 2017 | N/A | 9.8 CRITICAL | 10.0 HIGH | The TELNET service in Mobatek MobaXterm 10.4 does not require authentication, which allows remote attackers to execute arbitrary commands via TCP port 23. |
| Hp | Ucmdb Foundation Software | May 13, 2026 | Oct 5, 2017 | N/A | 8.8 HIGH | 6.8 MEDIUM | A remote code execution vulnerability in HP UCMDB Foundation Software versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, and 10.33, could be remotely exploited to allow code execution. |
| Atlassian | Bamboo | May 13, 2026 | Oct 3, 2017 | N/A | 8.8 HIGH | 6.5 MEDIUM | Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource. |
| Norton | Remove & Reinstall | May 13, 2026 | Sep 28, 2017 | N/A | 7.0 HIGH | 4.4 MEDIUM | Norton Remove & Reinstall can be susceptible to a DLL preloading vulnerability. These types of issues occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead. Depending on how the application is configured, it will generally follow a specific search path to locate the DLL. The vulnerability can be exploited by a simple file write (or potentially an over-write) which results in a foreign DLL running under the context of the application. A Norton Remove & Reinstall update, version 4.4.0.58, has been released which addresses the aforementioned vulnerability. |
| Genixcms | Genixcms | May 13, 2026 | Sep 27, 2017 | N/A | 8.8 HIGH | 6.5 MEDIUM | In the Upload Modules page in GeniXCMS 1.1.4, remote authenticated users can execute arbitrary PHP code via a .php file in a ZIP archive of a module. |
| Vbseo | Vbseo | May 13, 2026 | Sep 15, 2017 | N/A | 8.8 HIGH | 9.0 HIGH | functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php. |
| Ansible Vault Project | Ansible Vault | May 13, 2026 | Sep 14, 2017 | N/A | 7.8 HIGH | 6.8 MEDIUM | An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability. |
| Microsoft | .net Framework | Apr 22, 2026 | Sep 13, 2017 | N/A | 7.8 HIGH | 9.3 HIGH | Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability." |
| Alegrocart | Alegrocart | May 13, 2026 | Sep 11, 2017 | N/A | 7.2 HIGH | 6.5 MEDIUM | PHP remote file inclusion vulnerability in the get_file function in upload/admin2/controller/report_logs.php in AlegroCart 1.2.8 allows remote administrators to execute arbitrary PHP code via a URL in the file_path parameter to upload/admin2. |
| Gwolle Guestbook Project | Gwolle Guestbook | May 13, 2026 | Sep 11, 2017 | N/A | 9.0 CRITICAL | 6.8 MEDIUM | PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled. |
| Helpdezk | Helpdezk | May 13, 2026 | Sep 5, 2017 | N/A | 8.8 HIGH | 6.5 MEDIUM | HelpDEZk 1.1.1 allows remote authenticated users to execute arbitrary PHP code by uploading a .php attachment and then requesting it in the helpdezk\app\uploads\helpdezk\attachments\ directory. |
| Mcafee | Livesafe, Security Scan Plus | May 13, 2026 | Sep 1, 2017 | N/A | 9.8 CRITICAL | 7.5 HIGH | A Code Injection vulnerability in the non-certificate-based authentication mechanism in McAfee Live Safe versions prior to 16.0.3 and McAfee Security Scan Plus (MSS+) versions prior to 3.11.599.3 allows network attackers to perform a malicious file execution via a HTTP backend-response. |
| Soplanning | Soplanning | May 13, 2026 | Aug 31, 2017 | N/A | 5.3 MEDIUM | 3.5 LOW | The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being used, the configuration database is down, and smarty/templates_c is not writable to execute arbitrary php code via a crafted database name. |
| Debian, Redhat, Rubygems | Debian Linux, Enterprise Linux Desktop, Enterprise Linux Server, +5 more | May 13, 2026 | Aug 31, 2017 | N/A | 9.8 CRITICAL | 7.5 HIGH | RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. |
| Ibm | Emptoris Services Procurement | May 13, 2026 | Aug 30, 2017 | N/A | 8.8 HIGH | 6.5 MEDIUM | IBM Emptoris Services Procurement 10.0.0.5 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server. IBM X-Force ID: 128105. |