CWE-94

6,467 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,467)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Huawei
1Oceanstor Uds Firmware
May 13, 2026
Jun 8, 2017
N/A· v4
8.8 HIGH· v3
9.3 HIGH· v2
Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to execute arbitrary code with root privileges via a crafted UDS patch with shell scripts.
1Bigtreecms
1Bigtree Cms
May 13, 2026
Jun 5, 2017
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
1Paloaltonetworks
1Pan Os
May 13, 2026
Jun 1, 2017
N/A· v4
7.8 HIGH· v3
9.3 HIGH· v2
Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 might allow remote attackers to execute arbitrary Python code via a crafted firmware image file.
1Pivotx
1Pivotx
May 13, 2026
May 31, 2017
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
PivotX 2.3.11 allows remote authenticated users to execute arbitrary PHP code via vectors involving an upload of a .htaccess file.
2Debian
Samba
2Debian Linux
Samba
Apr 21, 2026
May 30, 2017
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.
1Cmsmadesimple
1Cms Made Simple
May 13, 2026
May 12, 2017
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug."
1Cybervision
1Kaa Iot Platform
May 13, 2026
May 6, 2017
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
A Code Injection issue was discovered in CyberVision Kaa IoT Platform, Version 0.7.4. An insufficient-encapsulation vulnerability has been identified, which may allow remote code execution.
1Qemu
1Qemu
May 13, 2026
Apr 26, 2017
N/A· v4
7.0 HIGH· v3
6.9 MEDIUM· v2
The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes."
1Setucocms Project
1Setucocms
May 13, 2026
Apr 12, 2017
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
SetsucoCMS all versions allows remote authenticated attackers to conduct code injection attacks via unspecified vectors.
1Getsymphony
1Symphony
May 13, 2026
Apr 11, 2017
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. The attacker must be authenticated and enter PHP code in the datasource editor or event editor.
1Sap
1Trex
May 13, 2026
Apr 11, 2017
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA). The vendor response is SAP Security Note 2419592.
1Fiyo
1Fiyo Cms
May 13, 2026
Apr 10, 2017
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the content parameter to "/dapur/apps/app_theme/libs/save_file.php" and then execute code.
1Oxidforge
1Oxid Eshop
May 13, 2026
Apr 10, 2017
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition v4.8.12, Community Edition v4.9.9.
1Pivotx
1Pivotx
May 13, 2026
Apr 7, 2017
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
PivotX 2.3.11 allows remote authenticated Advanced users to execute arbitrary PHP code by performing an upload with a safe file extension (such as .jpg) and then invoking the duplicate function to change to the .php extension.
1Cloudfoundry
1Bosh Azure Cpi
May 13, 2026
Apr 6, 2017
N/A· v4
8.8 HIGH· v3
4.6 MEDIUM· v2
Cloud Foundry Foundation BOSH Azure CPI v22 could potentially allow a maliciously crafted stemcell to execute arbitrary code on VMs created by the director, aka a "CPI code injection vulnerability."
1Lucidcrew
1Pixie
May 13, 2026
Apr 3, 2017
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/jpeg.
1Mrlg4php Project
1Mrlg4php
May 13, 2026
Apr 3, 2017
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
mrlg-lib.php in mrlg4php before 1.0.8 allows remote attackers to execute arbitrary shell code.
1Modx
1Modx Revolution
May 13, 2026
Mar 30, 2017
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter.
1Modx
1Modx Revolution
May 13, 2026
Mar 30, 2017
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI.
1Apache
1Ambari
May 13, 2026
Mar 29, 2017
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster.