Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,470)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-10835 1Nippon Antenna 1Scr02hd Firmware May 13, 2026 Aug 29, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 "Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows authenticated attackers to conduct code injection attacks via unspecified vectors.
CVE-2014-8872 1Avm 2Fritz!box 6810 Lte Firmware Fritz!box 6840 Lte Firmware May 13, 2026 Aug 29, 2017 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 Improper Verification of Cryptographic Signature in AVM FRITZ!Box 6810 LTE after firmware 5.22, FRITZ!Box 6840 LTE after firmware 5.23, and other models with firmware 5.50.
CVE-2017-6782 1Cisco 1Prime Infrastructure May 13, 2026 Aug 17, 2017 N/A· v4 5.4 MEDIUM· v3 4.9 MEDIUM· v2 A vulnerability in the administrative web interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to modify a page in the web interface of the affected application. The vulnerability is due...Show more A vulnerability in the administrative web interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to modify a page in the web interface of the affected application. The vulnerability is due to improper sanitization of parameter values by the affected application. An attacker could exploit this vulnerability by injecting malicious code into an affected parameter and persuading a user to access a web page that triggers the rendering of the injected code. Cisco Bug IDs: CSCve47074. Known Affected Releases: 3.2(0.0).Show less
CVE-2011-0469 1Suse 1Opensuse May 13, 2026 Aug 17, 2017 N/A· v4 9.8 CRITICAL· v3 9.0 HIGH· v2 Code injection in openSUSE when running some source services used in the open build service 2.1 before March 11 2011.
CVE-2017-1469 1Ibm 1Infosphere Information Server May 13, 2026 Aug 14, 2017 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a local user to gain elevated privileges by placing arbitrary files in installation directories. IBM X-Force ID: 128468.
CVE-2017-3753 1Lenovo 11163 Firmware H50 30g FirmwareIdeacentre 300 20ish Firmware+108 more May 13, 2026 Aug 10, 2017 N/A· v4 6.8 MEDIUM· v3 7.2 HIGH· v2 A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileg...Show more A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V.Show less
CVE-2017-11760 1Projeqtor 1Projeqtor May 13, 2026 Jul 31, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an i...Show more uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an image within the description text area.Show less
CVE-2017-11715 1Metinfo Project 1Metinfo May 13, 2026 Jul 28, 2017 N/A· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain...Show more job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php.Show less
CVE-2017-11675 1Zen Cart 1Zen Cart May 13, 2026 Jul 27, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strings, which allows remote authenticated users to execute arbitrary PHP code by placing that...Show more The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strings, which allows remote authenticated users to execute arbitrary PHP code by placing that code into an invalid array index of the admin_name array parameter to admin_dir/login.php, if there is an export of an error-log entry for that invalid array index.Show less
CVE-2017-11459 1Sap 1Trex May 13, 2026 Jul 25, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592.
CVE-2017-11585 1Finecms 1Finecms May 13, 2026 Jul 24, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection.
CVE-2015-3640 1Phpmybackuppro 1Phpmybackuppro May 13, 2026 Jul 21, 2017 N/A· v4 7.5 HIGH· v3 6.0 MEDIUM· v2 phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system...Show more phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts.Show less
CVE-2015-3638 1Phpmybackuppro 1Phpmybackuppro May 13, 2026 Jul 21, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and ma...Show more phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable.Show less
CVE-2017-9822 1Dnnsoftware 1Dotnetnuke Apr 21, 2026 Jul 20, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
CVE-2017-11421 1Gnome Exe Thumbnailer Project 1Gnome Exe Thumbnailer May 13, 2026 Jul 18, 2017 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection when generating thumbnails for MSI files, aka the "Bad Taste" issue. There is a local attack if the victim uses the GNOME Files file manager, and naviga...Show more gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection when generating thumbnails for MSI files, aka the "Bad Taste" issue. There is a local attack if the victim uses the GNOME Files file manager, and navigates to a directory containing a .msi file with VBScript code in its filename.Show less
CVE-2015-0249 1Apache 1Roller May 13, 2026 Jul 17, 2017 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL).
CVE-2017-11167 1Finecms Project 1Finecms May 13, 2026 Jul 12, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the ',phpinfo() input value.
CVE-2017-10968 1Finecms Project 1Finecms May 13, 2026 Jul 7, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after "<?php" in a route=template request.
CVE-2017-9841 2Oracle Phpunit Project 2Communications Diameter Signaling Router Phpunit Apr 21, 2026 Jun 27, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site w...Show more Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.Show less
CVE-2017-6325 1Symantec 1Messaging Gateway May 13, 2026 Jun 26, 2017 N/A· v4 6.6 MEDIUM· v3 6.0 MEDIUM· v2 The Symantec Messaging Gateway can encounter a file inclusion vulnerability, which is a type of vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused...Show more The Symantec Messaging Gateway can encounter a file inclusion vulnerability, which is a type of vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. This file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application.Show less

Previous 1...217218219...324 Next